SQL Injection Attacks and Defense

Author: Clarke-Salt, Justin

Publishers: Elsevier Science

Publishing year: 2009

ISBN: 9781597499736

Subject: [TP311.1 程序设计]

Language: ENG

Introduction

SQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award

"SQL injection is probably the number one problem for any server-side application, and this book unequaled in its coverage." –Richard Bejtlich, Tao Security blog

SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help.

SQL Injection Attacks and Defense, Second Edition is the only book devoted exclusively to this long-established but recently growing threat. This is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack.

SQL Injection Attacks and Defense, Second Edition includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who tell you about:

  • Understanding SQL Injection – Understand what it is and how it works
  • Find, confirm and automate SQL injection discovery
  • Tips and tricks for finding SQL injection within code
  • Create exploits for using SQL injection
  • Design apps to avoid the dangers these attacks
  • SQL injecti

Chapter

  • SQL Injection Attacks and Defense

  • Copyright

  • Acknowledgements

  • Dedication

  • Contributing Authors

  • Lead Author and Technical Editor

  • Table of Contents

  • Introduction to the 2nd Edition

  • 1 What Is SQL Injection?

  • Introduction

  • Understanding How Web Applications Work

  • A Simple Application Architecture

  • A More Complex Architecture

  • Understanding SQL Injection

  • High-Profile Examples

  • Understanding How It Happens

  • Dynamic String Building

  • Incorrectly Handled Escape Characters

  • Incorrectly Handled Types

  • Incorrectly Handled Query Assembly

  • Incorrectly Handled Errors

  • Incorrectly Handled Multiple Submissions

  • Insecure Database Configuration

  • Summary

  • Solutions Fast Track

  • Understanding How Web Applications Work

  • Understanding SQL Injection

  • Understanding How It Happens

  • Frequently Asked Questions

  • 2 Testing for SQL Injection

  • Introduction

  • Finding SQL Injection

  • Testing by Inference

  • Identifying Data Entry

  • GET Requests

  • POST Requests

  • Other Injectable Data

  • Manipulating Parameters

  • Information Workflow

  • Database Errors

  • Commonly Displayed SQL Errors

  • Microsoft SQL Server Errors

  • MySQL Errors

  • Oracle Errors

  • PostgreSQL Errors

  • Application Response

  • Generic Errors

  • HTTP Code Errors

  • Different Response Sizes

  • Blind Injection Detection

  • Confirming SQL Injection

  • Differentiating Numbers and Strings

  • Inline SQL Injection

  • Injecting Strings Inline

  • Injecting Numeric Values Inline

  • Terminating SQL Injection

  • Database Comment Syntax

  • Using Comments

  • Executing Multiple Statements

  • Time Delays

  • Automating SQL Injection Discovery

  • Tools for Automatically Finding SQL Injection

  • HP WebInspect

  • IBM Rational AppScan

  • HP Scrawlr

  • SQLiX

  • Paros Proxy/Zed Attack Proxy

  • Summary

  • Solutions Fast Track

  • Finding SQL Injection

  • Confirming SQL Injection

  • Automating SQL Injection Discovery

  • Frequently Asked Questions

  • 3 Reviewing Code for SQL Injection

  • Introduction

  • Reviewing Source Code for SQL Injection

  • Dangerous Coding Behaviors

  • Dangerous Functions

  • Following the Data

  • Following Data in PHP

  • Following Data in Java

  • Following Data in C#

  • Reviewing Android Application Code

  • Reviewing PL/SQL and T-SQL Code

  • Automated Source Code Review

  • Graudit

  • Yet Another Source Code Analyzer (YASCA)

  • Pixy

  • AppCodeScan

  • OWASP LAPSE+ Project

  • Microsoft Source Code Analyzer for SQL Injection

  • Microsoft Code Analysis Tool .NET (CAT.NET)

  • RIPS—A Static Source Code Analyzer for Vulnerabilities in PHP Scripts

  • CodePro AnalytiX

  • Teachable Static Analysis Workbench

  • Commercial Source Code Review Tools

  • Fortify Source Code Analyzer

  • Rational AppScan Source Edition

  • CodeSecure

  • Klocwork Solo

  • Summary

  • Solutions fast track

  • Reviewing Source Code for SQL Injection

  • Automated Source Code Review

  • Frequently Asked Questions

  • 4 Exploiting SQL Injection

  • Introduction

  • Understanding Common Exploit Techniques

  • Using Stacked Queries

  • Exploiting Oracle from Web Applications

  • Identifying the Database

  • Non-Blind Fingerprint

  • Banner Grabbing

  • Blind Fingerprint

  • Extracting Data through UNION Statements

  • Matching Columns

  • Matching Data Types

  • Using Conditional Statements

  • Approach 1: Time-Based

  • Approach 2: Error-Based

  • Approach 3: Content-Based

  • Working with Strings

  • Extending the Attack

  • Using Errors for SQL Injection

  • Error Messages in Oracle

  • Enumerating the Database Schema

  • SQL Server

  • MySQL

  • PostgreSQL

  • Oracle

  • Injecting into “INSERT” Queries

  • First Scenario: Inserting User Determined Data

  • Second Scenario: Generating INSERT Errors

  • Other Scenarios

  • Escalating Privileges

  • SQL Server

  • Privilege Escalation on Unpatched Servers

  • Oracle

  • SYS.LT

  • SYS.DBMS_CDC_PUBLISH

  • Getting Past the CREATE PROCEDURE Privilege

  • Cursor Injection

  • SYS.KUPP$PROC

  • Weak Permissions

  • Stealing the Password Hashes

  • SQL Server

  • MySQL

  • PostgreSQL

  • Oracle

  • Oracle Components

  • APEX

  • Oracle Internet Directory

  • Out-of-Band Communication

  • E-mail

  • Microsoft SQL Server

  • Oracle

  • HTTP/DNS

  • File System

  • SQL Server

  • MySQL

  • Oracle

  • SQL Injection on Mobile Devices

  • Automating SQL Injection Exploitation

  • sqlmap

  • Bobcat

  • BSQL

  • Other Tools

  • Summary

  • Solutions Fast Track

  • Understanding Common Exploit Techniques

  • Identifying the Database

  • Extracting Data Through UNION Statements

  • Using Conditional Statements

  • Enumerating the Database Schema

  • Injecting into INSERT Queries

  • Escalating Privileges

  • Stealing the Password Hashes

  • Out-of-Band Communication

  • SQL Injection on Mobile Devices

  • Automating SQL Injection Exploitation

  • Frequently Asked Questions

  • 5 Blind SQL Injection Exploitation

  • Introduction

  • Finding and Confirming Blind SQL Injection

  • Forcing Generic Errors

  • Injecting Queries with Side Effects

  • Splitting and Balancing

  • Common Blind SQL Injection Scenarios

  • Blind SQL Injection Techniques

  • Inference Techniques

  • Increasing the Complexity of Inference Techniques

  • Alternative Channel Techniques

  • Using Time-Based Techniques

  • Delaying Database Queries

  • MySQL Delays

  • Generic MySQL Binary Search Inference Exploits

  • Generic MySQL Bit-by-Bit Inference Exploits

  • PostgreSQL Delays

  • Generic PostgreSQL Binary Search Inference Exploits

  • Generic PostgreSQL Bit-by-Bit Inference Exploits

  • SQL Server Delays

  • Generic SQL Server Binary Search Inference Exploits

  • Generic SQL Server Bit-by-Bit Inference Exploits

  • Oracle Delays

  • Time-Based Inference Considerations

  • Using Response-Based Techniques

  • MySQL Response Techniques

  • PostgreSQL Response Techniques

  • SQL Server Response Techniques

  • Oracle Response Techniques

  • Returning More Than 1 bit of Information

  • Using Alternative Channels

  • Database Connections

  • DNS Exfiltration

  • Email Exfiltration

  • HTTP Exfiltration

  • ICMP Exfiltration

  • Automating Blind SQL Injection Exploitation

  • Absinthe

  • BSQL Hacker

  • SQLBrute

  • Sqlmap

  • Sqlninja

  • Squeeza

  • Summary

  • Solutions Fast Track

  • Finding and Confirming Blind SQL Injection

  • Using Time-Based Techniques

  • Using Response-Based Techniques

  • Using Alternative Channels

  • Automating Blind SQL Injection Exploitation

  • Frequently Asked Questions

  • 6 Exploiting the Operating System

  • Introduction

  • Accessing the File System

  • Reading Files

  • MySQL

  • Microsoft SQL Server

  • Oracle

  • PostgreSQL

  • Writing Files

  • MySQL

  • Microsoft SQL Server

  • Oracle

  • PostgreSQL

  • Executing Operating System Commands

  • MySQL

  • WAMP Environments

  • Microsoft SQL Server

  • Oracle

  • Privilege Escalation

  • Code Execution Via Direct Access

  • EXTPROC

  • Executing Code with Java

  • DBMS_SCHEDULER

  • PL/SQL Native

  • Oracle Text

  • Alter System Set Events

  • PL/SQL native 9i

  • Buffer Overflows

  • Custom Application Code

  • Executing Code as SYSDBA

  • PostgreSQL

  • Consolidating Access

  • Summary

  • Solutions Fast Track

  • Accessing the File System

  • Executing Operating System Commands

  • Consolidating Access

  • References

  • Frequently Asked Questions

  • 7 Advanced Topics

  • Introduction

  • Evading Input Filters

  • Using Case Variation

  • Using SQL Comments

  • Using URL Encoding

  • Using Dynamic Query Execution

  • Using Null Bytes

  • Nesting Stripped Expressions

  • Exploiting Truncation

  • Bypassing Custom Filters

  • Using Non-Standard Entry Points

  • Exploiting Second-Order SQL Injection

  • Finding Second-Order Vulnerabilities

  • Exploiting Client-Side SQL Injection

  • Accessing Local Databases

  • Attacking Client-Side Databases

  • Using Hybrid Attacks

  • Leveraging Captured Data

  • Creating Cross-Site Scripting

  • Running Operating System Commands on Oracle

  • Exploiting Authenticated Vulnerabilities

  • Summary

  • Solutions fast track

  • Evading Input Filters

  • Exploiting Second-Order SQL Injection

  • Exploiting Client-Side SQL Injection

  • Using Hybrid Attacks

  • Frequently Asked Questions

  • 8 Code-Level Defenses

  • Introduction

  • Domain Driven Security

  • Using Parameterized Statements

  • Parameterized Statements in Java

  • Parameterized Statements in .NET (C#)

  • Parameterized Statements in PHP

  • Parameterized Statements in PL/SQL

  • Parameterized Statements in mobile apps

  • Parameterized Statements in iOS Applications

  • Parameterized Statements in Android Applications

  • Parameterized Statements in HTML5 Browser Storage

  • Validating Input

  • Whitelisting

  • Known Value Validation

  • Blacklisting

  • Validating Input in Java

  • Validating Input in .NET

  • Validating Input in PHP

  • Validating Input in Mobile Applications

  • Validating Input in HTML5

  • Encoding Output

  • Encoding to the Database

  • Encoding for Oracle

  • Oracle dbms_assert

  • Encoding for Microsoft SQL Server

  • Encoding for MySQL

  • Encoding for PostgreSQL

  • Avoiding NoSQL injection

  • Canonicalization

  • Canonicalization Approaches

  • Working with Unicode

  • Design Techniques to Avoid the Dangers of SQL Injection

  • Using Stored Procedures

  • Using Abstraction Layers

  • Handling Sensitive Data

  • Avoiding Obvious Object Names

  • Setting up Database Honeypots

  • Additional Secure Development Resources

  • Summary

  • Solutions Fast Track

  • Domain Driven Security

  • Using Parameterized Statements

  • Validating Input

  • Encoding Output

  • Canonicalization

  • Designing to Avoid the Dangers of SQL Injection

  • Frequently Asked Questions

  • 9 Platform Level Defenses

  • Introduction

  • Using Runtime Protection

  • Web Application Firewalls

  • Using ModSecurity

  • Configurable Rule Set

  • Request Coverage

  • Request Normalization

  • Response Analysis

  • Intrusion Detection Capabilities

  • Intercepting Filters

  • Web Server Filters

  • UrlScan

  • WebKnight

  • Application Filters

  • Implementing the Filter Pattern in Scripted Languages

  • Filtering Web Service Messages

  • Non-Editable Versus Editable Input Protection

  • URL/Page-Level Strategies

  • Page Overriding

  • URL Rewriting

  • Resource Proxying/Wrapping

  • Aspect-Oriented Programing (AOP)

  • Application Intrusion Detection Systems (IDSs)

  • Database Firewall

  • Securing the Database

  • Locking Down the Application Data

  • Use the Least-Privileged Database Login

  • Segregated Database Logins

  • Revoke PUBLIC Permissions

  • Use Stored Procedures

  • Use Strong Cryptography to Protect Stored Sensitive Data

  • Maintaining an Audit Trail

  • Oracle Error Triggers

  • Locking Down the Database Server

  • Additional Lockdown of System Objects

  • Restrict Ad Hoc Querying

  • Strengthen Controls Surrounding Authentication

  • Run in the Context of a Least-Privileged Operating System Account

  • Ensure That the Database Server Software is Patched

  • Additional Deployment Considerations

  • Minimize Unnecessary Information Leakage

  • Suppress Error Messages

  • Use an Empty Default Web Site

  • Use Dummy Host Names for Reverse DNS Lookups

  • Use Wildcard SSL Certificates

  • Limit Discovery Via Search Engine Hacking

  • Disable Web Services Description Language (WSDL) Information

  • Increase the Verbosity of Web Server Logs

  • Deploy the Web and Database Servers on Separate Hosts

  • Configure Network Access Control

  • Summary

  • Solutions fast track

  • Using Runtime Protection

  • Securing the Database

  • Additional Deployment Considerations

  • Frequently Asked Questions

  • 10 Confirming and Recovering from SQL Injection Attacks

  • Introduction

  • Investigating a Suspected SQL Injection Attack

  • Following Forensically Sound Practices

  • Analyzing Digital Artifacts

  • Web Server Log Files

  • Database Execution Plans

  • What to Look for Within Cached Execution Plans

  • How to Access Execution Plans

  • Microsoft SQL Server

  • Oracle

  • MySQL

  • PostgreSQL

  • Execution Plan Limitations

  • Transaction Log

  • What to Look For

  • Microsoft SQL Server

  • Oracle

  • MySQL

  • PostgreSQL

  • Database Object Time Stamps

  • SQL Server

  • Oracle

  • MySQL

  • PostgreSQL

  • So, You’re a Victim—Now What?

  • Containing the Incident

  • Assessing the Data Involved

  • Notifying the Appropriate Individuals

  • Determining What Actions the Attacker Performed on the System

  • Recovering from a SQL Injection Attack

  • Determining the Payload of an Attack

  • Recovering from Attacks Carrying Static Payloads

  • Recovering from Attacks Carrying Dynamic Payloads

  • Summary

  • Solutions Fast Track

  • Investigating a Suspected SQL Injection Attack:

  • Required Forensically Sound Practices:

  • Analyzing Digital Artifacts:

  • Identifying SQL Injection Attack Activity:

  • Confirming if a SQL Injection Attack was Successful:

  • Containing the Incident:

  • Assessing the Data Involved:

  • Notifying the Appropriate Individuals:

  • Determining the Actions the Attacker Took on a System:

  • Determining the Attack Payload:

  • Recovering from a SQL Injection Attack:

  • Frequently Asked Questions

  • 11 References

  • Introduction

  • Structured Query Language (SQL) Primer

  • SQL Queries

  • SELECT Statement

  • UNION Operator

  • INSERT Statement

  • UPDATE Statement

  • DELETE Statement

  • DROP Statement

  • CREATE TABLE Statement

  • ALTER TABLE Statement

  • GROUP BY Statement

  • ORDER BY Clause

  • Limiting the Result Set

  • SQL Injection Quick Reference

  • Identifying SQL Injection Vulnerabilities

  • Identifying the Database Platform

  • Identifying the Database Platform Via Time Delay Inference

  • Identifying the Database Platform Via SQL Dialect Inference

  • Extracting Data Via Error Messages

  • Combining Multiple Rows into a Single Row

  • Microsoft SQL Server Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: Microsoft SQL Server

  • Microsoft SQL Server Privilege Escalation

  • OPENROWSET Reauthentication Attack

  • Attacking the Database Server: Microsoft SQL Server

  • System Command Execution via xp_cmdshell

  • xp_cmdshell Alternative

  • Cracking Database Passwords

  • Microsoft SQL Server 2005 Hashes

  • File Read/Write

  • MySQL Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: MySQL

  • Attacking the Database Server: MySQL

  • System Command Execution

  • Cracking Database Passwords

  • Attacking the Database Directly

  • File Read

  • File Write

  • Oracle Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: Oracle

  • Attacking the Database Server: Oracle

  • Command Execution

  • Reading Local Files

  • Reading Local Files: Oracle Text

  • Reading Local Files (PL/SQL injection only)

  • Writing Local Files (PL/SQL Injection Only)

  • Cracking Database Passwords

  • PostgreSQL Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: PostgreSQL

  • Attacking the Database Server: PostgreSQL

  • System Command Execution

  • Local File Access

  • Cracking Database Passwords

  • Bypassing Input Validation Filters

  • Quote Filters

  • HTTP Encoding

  • Troubleshooting SQL Injection Attacks

  • SQL Injection on Other Platforms

  • DB2 Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: DB2

  • Informix Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: Informix

  • Ingres Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: Ingres

  • Sybase Cheat Sheet

  • Enumerating Database Configuration Information and Schema

  • Blind SQL Injection Functions: Sybase

  • Microsoft Access

  • Resources

  • SQL Injection White Papers

  • SQL Injection Cheat Sheets

  • SQL Injection Exploit Tools

  • Password Cracking Tools

  • Solutions Fast Track

  • Structured Query Language (SQL) Primer

  • SQL Injection Quick Reference

  • Bypassing Input Validation Filters

  • Troubleshooting SQL Injection Attacks

  • SQL Injection on Other Platforms

  • Index

  • A

  • B

  • C

  • D

  • E

  • F

  • G

  • H

  • I

  • J

  • K

  • M

  • O

  • P

  • R

  • S

  • T

  • U

  • V

  • W

  • X

  • Z

    • 服务邮箱: whx@cnpiec.com.cn

    联系电话:010-65063046;65001305

    京ICP备09090397号-16 京公网安备 11010502049547号