Thread: SQL injection scheme

SQL injection scheme
user name
2006-04-04 17:25:45
Folks -- A few weeks ago at our security sig meeting, a simple and cleverly nasty little trick was demonstrated to crack into common mysql applications.  Does anyone recall exactly how that was done?  I'm currently looking at an application that someone wants to put up on one of our systems, and while looking at his code, it seems to me he takes no precaution against this kind of attack.  If I could demonstrate that to him, I'd be able to get him to take more care with his code.  But it all went by so fast during the presentation, I wasn't able to write it all down.  Could someone remind me of how it was done?

--dk


------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.
SQL injection scheme
user name
2006-04-04 17:39:14
The presenter for that section was Ryan Means from the Law School.

The basic problem is combining authentication, validation, and data retrieval in the SQL statement. If the processes are broken down into stages, and the validation is done with the scripting language, it is far harder(*) to crack the database.

As a general principle I treat the database as a repository, not a security tool. SQL was never designed with that in mind.

Graham

(*) Of course the scripting language environment may not be secure
--
Graham Patterson, System Administration
Dept. of Economics, UC Berkeley (510)643-5397

SQL injection scheme
user name
2006-04-04 17:38:09
On Tue, April 4, 2006 10:25, David Kalins wrote:
> Folks -- A few weeks ago at our security sig meeting, a simple and
> cleverly nasty little trick was demonstrated to crack into common mysql
> applications.  Does anyone recall exactly how that was done?

  This is not specific to the technique(s) shown at the recent security SIG meeting, but typing 'sql injection' into any major Internet search engine will uncover a large number of tutorials.

  This looks like one good introduction to the topic:

  "Steve Friedl's Unixwiz.net Tech Tips
  SQL Injection Attacks by Example"
  http://www.unixwiz.net/techtips/sql-injection.html

and its recommendations seem to be in accord with those seen in other articles, including those in this Microsoft developer magazine article <http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/>.

Aron Roberts
Workstation Software Support Group


SQL injection scheme
user name
2006-04-04 17:31:39
David,

See the links at http://www.owasp.org

In particular,
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

Regards,
Bill Boyd
Astronomy Department



On Apr 4, 2006, at 10:25 AM, David Kalins wrote:

> Folks -- A few weeks ago at our security sig meeting, a simple and
> cleverly nasty little trick was demonstrated to crack into common mysql
> applications.  Does anyone recall exactly how that was done?  I'm
> currently looking at an application that someone wants to put up on one of
> our systems, and while looking at his code, it seems to me he takes no
> precaution against this kind of attack.  If I could demonstrate that to
> him, I'd be able to get him to take more care with his code.  But it all
> went by so fast during the presentation, I wasn't able to write it all
> down.  Could someone remind me of how it was done?
>
> --dk


SQL injection scheme
user name
2006-04-04 18:00:16
Also remember that one of the easiest ways for the developer to fix such problems is to use prepared statements.  Instead of building the SQL query string manually, you have question marks in it where the parameters go, and the db server substitutes them with your supplied parameters.

   Date: Tue, 4 Apr 2006 10:25:45 -0700 (PDT)
   From: David Kalins <dkalins@library.berkeley.edu>
   To: micronet-list@lists.berkeley.edu
   Subject: [Micronet] SQL injection scheme

   Folks -- A few weeks ago at our security sig meeting, a simple and
   cleverly nasty little trick was demonstrated to crack into common mysql
   applications.  Does anyone recall exactly how that was done?  I'm
   currently looking at an application that someone wants to put up on one of
   our systems, and while looking at his code, it seems to me he takes no
   precaution against this kind of attack.  If I could demonstrate that to
   him, I'd be able to get him to take more care with his code.  But it all
   went by so fast during the presentation, I wasn't able to write it all
   down.  Could someone remind me of how it was done?

   --dk

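The trick the original poster is asking about, and the fix Rusty describes, as an added example that is not code from the thread or from any of the posters: the same login query written three ways, with SQLite (bundled with Python, and using the same "?" placeholders the thread mentions) standing in for MySQL. The table, its two rows and the two payloads are constructed for the demonstration. login_vulnerable folds authentication into the SQL text by concatenation, the pattern Graham warns against; login_prepared binds the values through placeholders so they can never change the statement's structure; login_staged applies Graham's split, letting the database only retrieve the row and doing the credential check in the script.

```python
import hmac
import sqlite3

# Added example, not code from the thread.  SQLite stands in for MySQL
# because it ships with Python and uses the same "?" placeholder syntax;
# the schema, rows and payloads below are constructed sample data.


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Authentication folded into the SQL text.

    The query is assembled by string concatenation, so a quote character in
    either field lets the caller rewrite the WHERE clause.  Returns the
    matching (username, role) row, or None when the login fails.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_prepared(conn, username, password):
    """Same query, but with ? placeholders bound by the driver.

    The statement text is fixed before the values are supplied, so a quote
    or comment marker in the values is just data, never SQL grammar.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def login_staged(conn, username, password):
    """Graham's split: the database only retrieves; the script decides.

    Fetch the stored credential with a bound parameter, then compare in
    application code (constant-time, to avoid a timing side channel).
    Storing a password hash rather than the password itself would be the
    next improvement, but is outside what the thread discusses.
    """
    row = conn.execute(
        "SELECT password, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return (username, row[1])


if __name__ == "__main__":
    db = make_db()
    # Two classic payloads.  The trailing space after "--" matters for MySQL,
    # which only treats "--" as a comment when whitespace follows it.
    tautology = "x' OR '1'='1"
    comment_out = "alice' -- "
    for name, fn in (("concatenated", login_vulnerable),
                     ("prepared", login_prepared),
                     ("staged", login_staged)):
        print(name, "tautology ->", fn(db, tautology, tautology))
        print(name, "comment   ->", fn(db, comment_out, "anything"))
        print(name, "honest    ->", fn(db, "alice", "correct horse"))
```

Run it and the concatenated version logs the attacker in as alice (the first row) for both payloads; the two bound versions return None for the payloads and only succeed for a real username and password. The tautology works because AND binds tighter than OR, so the rewritten clause is true for every row; the comment payload simply discards the password check.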
SQL injection scheme
user name
2006-04-04 17:48:56
David Kalins wrote:
> Folks -- A few weeks ago at our security sig meeting, a simple and
> cleverly nasty little trick was demonstrated to crack into common mysql
> applications.  Does anyone recall exactly how that was done?  I'm
> currently looking at an application that someone wants to put up on one
> of our systems, and while looking at his code, it seems to me he takes
> no precaution against this kind of attack.  If I could demonstrate that
> to him, I'd be able to get him to take more care with his code.  But it
> all went by so fast during the presentation, I wasn't able to write it
> all down.  Could someone remind me of how it was done?

David,

I was the presenter for that demonstration. If you would like to send me the code sample that you are looking at, I'd be happy to evaluate it for you. That goes for anyone else too, within reason... ;)

Ryan

--
Ryan L. Means
Chief Technical Officer
Boalt Hall - School of Law
University of California, Berkeley



SQL injection scheme
user name
2006-04-04 17:53:18
David,

This is addressed in a web security tutorial I wrote a few years ago:

	http://socrates.Berkeley.EDU:7309/web_sec/index.html

See slides 60-62.  It is too bad that the problems the tutorial discusses mostly still exist.  There are many SQL injection tutorials; try google and find one you like.

	- Jerry


On Tue, 4 Apr 2006, David Kalins wrote:

> Folks -- A few weeks ago at our security sig meeting, a simple and
> cleverly nasty little trick was demonstrated to crack into common mysql
> applications.  Does anyone recall exactly how that was done?  I'm
> currently looking at an application that someone wants to put up on one of
> our systems, and while looking at his code, it seems to me he takes no
> precaution against this kind of attack.  If I could demonstrate that to
> him, I'd be able to get him to take more care with his code.  But it all
> went by so fast during the presentation, I wasn't able to write it all
> down.  Could someone remind me of how it was done?
>
> --dk
>

SQL injection scheme
user name
2006-04-05 01:05:57
What Rusty said is the bottom line for checking your code for this kind of vulnerability.  Putting his point a different way: if the program is building a SQL string to submit to the database and it concatenates user input onto that string, then the code is probably vulnerable.  The code should always use prepared statements and bind variables to sanitize user input.

Besides being a good security practice, you'll get performance gains as well for most RDBMSes (MySQL included, for the original poster).

Regards,
Paul

---
Paul Rivers
IST-CCS Database Administration



-----Original Message-----
From: owner-micronet-list@lists.berkeley.edu [mailto:owner-micronet-list@lists.berkeley.edu] On Behalf Of rusty@grunt.berkeley.edu
Sent: Tuesday, April 04, 2006 11:00 AM
To: dkalins@library.berkeley.edu
Cc: micronet-list@lists.berkeley.edu
Subject: Re: [Micronet] SQL injection scheme

Also remember that one of the easiest ways for the developer to fix such problems is to use prepared statements.  Instead of building the SQL query string manually, you have question marks in it where the parameters go, and the db server substitutes them with your supplied parameters.

   Date: Tue, 4 Apr 2006 10:25:45 -0700 (PDT)
   From: David Kalins <dkalins@library.berkeley.edu>
   To: micronet-list@lists.berkeley.edu
   Subject: [Micronet] SQL injection scheme

   Folks -- A few weeks ago at our security sig meeting, a simple and
   cleverly nasty little trick was demonstrated to crack into common mysql
   applications.  Does anyone recall exactly how that was done?  I'm
   currently looking at an application that someone wants to put up on one of
   our systems, and while looking at his code, it seems to me he takes no
   precaution against this kind of attack.  If I could demonstrate that to
   him, I'd be able to get him to take more care with his code.  But it all
   went by so fast during the presentation, I wasn't able to write it all
   down.  Could someone remind me of how it was done?

   --dk



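Paul's rule of thumb turned into a rough code check, as an added example that is not from the thread: it reads PHP source one line at a time and flags a line where a SQL verb sits next to string concatenation or variable interpolation. The regexes and the sample PHP are constructed here, and the check is a heuristic rather than a parser: it cannot see a query assembled across several lines, and a line it does not flag is not proven safe. It deliberately does flag a prepare() whose statement text is itself concatenated from request input, because placeholders only help when the statement text is fixed before the values are supplied.

```python
import re

# Added example, not from the thread: a line-level heuristic for Paul's
# rule ("SQL string built by concatenating user input = probably
# vulnerable") applied to PHP source.  The regexes and sample lines are
# constructed here; a real audit still needs a human reader.

# A SQL verb on the line means the string is (probably) a query.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
# "..." . $var   or   $var . "..."   or   $_GET['k'] . "..."  (PHP concat)
CONCAT = re.compile(r'"\s*\.\s*\$|\$\w+(?:\[[^\]]*\])?\s*\.\s*"')
# "$var" interpolated inside a double-quoted PHP string
INTERP = re.compile(r'"[^"]*\$\w+[^"]*"')


def classify(line):
    """Return a reason if the line builds SQL text from variables, else None.

    A prepare() call is not treated as a pass: if its statement text is
    concatenated from input, the placeholders cannot protect it.
    """
    if not SQL_VERB.search(line):
        return None
    if CONCAT.search(line):
        return "SQL string concatenated with a variable"
    if INTERP.search(line):
        return "variable interpolated into SQL string"
    return None


def scan(source):
    """Scan PHP source text; return [(line_number, reason), ...]."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample PHP in the style of 2006-era mysql_* code.  Lines 1, 2
# and 6 should be flagged; 3 and 4 are a correctly bound prepared statement,
# 5 has no variable in the query at all.
SAMPLE_PHP = """\
$r = mysql_query("SELECT * FROM users WHERE name = '" . $_GET['name'] . "'");
$r = mysql_query("SELECT * FROM users WHERE name = '$name' AND pw = '$pw'");
$st = $db->prepare("SELECT * FROM users WHERE name = ? AND pw = ?");
$st->execute(array($name, $pw));
$r = mysql_query("SELECT COUNT(*) FROM users");
$st = $db->prepare("SELECT * FROM users WHERE id = " . $_GET['id']);
"""

if __name__ == "__main__":
    for n, why in scan(SAMPLE_PHP):
        print(f"line {n}: {why}")
```

Point it at a real file with `scan(open(path).read())`; every hit is a place to read by hand, and the absence of hits on a file that builds queries over several lines means nothing. The interesting case is the last sample line: it calls prepare(), yet it is exactly as injectable as the first line, which is why the check looks at how the text is built rather than at which API receives it.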