Introduction to SQL Injection

  1. SQL Injection 101 (SQLi)
  2. Jason Pubal, contact information: website www.intellavis.com/blog; social www.linkedin.com/in/pubal; e-mail jpubal@gmail.com; Twitter @pubal
  3. SQL Injection outline: OWASP Top 10; Web Architecture; What is SQLi?; Detecting SQLi; Exploiting SQLi; Preventing SQLi
  4. (image-only slide)
  5. (image-only slide)
  6. Web Application Basics
       GET www.MyAwesomeStore.com/buystuff.php?category=balls
       SELECT * FROM products WHERE category = 'balls'
       Results: baseballs, soccer balls, basketballs, blue balls, tennis balls
  7. Vulnerable login code (PHP):
       // connect to database (legacy mysql_* extension, as on the slide)
       $conn = mysql_connect("localhost", "username", "password");
       // build sql statement: the POST values are pasted straight into the SQL text
       $query = "SELECT userid FROM AppUsers WHERE user = '{$_POST['username']}' "
              . "AND password = '{$_POST['password']}' ";
       // run query
       $result = mysql_query($query);
       // ensure a user was returned
       $numrows = mysql_num_rows($result);
       if ($numrows != 0) {
           header("Location: admin.php");
       } else {
           die('Incorrect username or password.');
       }
  8. Query for a normal login:
       SELECT userid FROM AppUsers WHERE user = 'jsmith' AND password = 'kitteh';
  9. Query after the password field is set to anything' OR '1'='1:
       SELECT userid FROM AppUsers WHERE user = 'jsmith' AND password = 'anything' OR '1'='1';
  10. (the login code from slide 7, shown again after the injected query)
  11. Impact
       • Authentication Bypass: This attack allows an attacker to log on to an application without supplying a valid username and password.
       • Information Disclosure: This attack allows an attacker to obtain sensitive information that is contained in a database.
       • Alter Data: This attack involves the alteration of the contents of a database. This can be used to deface a web page. It can also be used to insert malicious content, like JavaScript malware.
       • Delete Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information that is contained in a database.
       • Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution.
  12. Vulnerable Sites (chart from the WhiteHat Security Statistics Report)
  13. Web Application Attacks (chart from the Web Hacking Incident DB)
  14. Detecting SQLi: Testing by Inference
       • If I see this, then this is probably happening at the back end.
       • Try to break the application.
       • Find the inputs likely to be generating dynamic SQL.
       • Use input that will create invalid SQL.
       • See if you get errors!
      Special Characters
       --       Comment everything after
       /* */    Begin comment / End comment
       '        Mark beginning/end of string
       ;        End of SQL statement
       "        Delimit identifiers
      Type Issues
       • use strings instead of numbers
       • add unexpected spaces
  15. SQLi Errors (screenshot slide)
  16. Detecting SQLi: Other Signs
       • HTTP 500 status
       • Custom application errors
       • Timing
       • Differences in the web page
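The signals on slides 14 and 16 are things a defender can also look for in server logs rather than only probe for by hand. The following is an added example, not part of the original deck: it parses constructed Apache combined-format access-log lines, flags query-string values containing the slide's special characters (' " ; -- /*), flags non-numeric values in parameters the site expects to be integers (the `NUMERIC_PARAMS` set is an assumption for the example), notes HTTP 500 responses, and groups the hits per client so a run of flagged requests stands out.

```python
"""Scan web-server access-log lines for the SQLi probing signals the
detection slides list: the SQL metacharacters (' " ; -- /*), strings sent
where a number is expected, and HTTP 500 responses. Added example, not part
of the original deck; the log lines are constructed in Apache combined
format and the set of numeric parameters is an assumption for the example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log; the first and fourth requests are normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /buystuff.php?category=balls HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /buystuff.php?category=balls%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:00:03 +0000] "GET /buystuff.php?category=balls%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:00:04 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:00:05 +0000] "GET /item.php?id=42%20-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:00:06 +0000] "GET /item.php?id=abc HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Special characters from slide 14: ' " ; -- /*
META_RE = re.compile(r"""['";]|--|/\*""")

# Parameters this (hypothetical) site expects to be integers.
NUMERIC_PARAMS = {"id"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def analyze_request(entry):
    """List the signals one parsed entry raises, in the order found."""
    signals = []
    query = urlsplit(entry["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes values
        if META_RE.search(value):
            signals.append("metachar:" + name)
        if name in NUMERIC_PARAMS and not value.isdigit():
            signals.append("type:" + name)
    if entry["status"] == 500:
        signals.append("http500")
    return signals


def scan_log(text):
    """Group flagged requests by client IP. One stray quote may be a typo;
    several flagged requests from one client in a short span is the
    'try to break the application' pattern the slides describe."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        signals = analyze_request(entry)
        if signals:
            findings.setdefault(entry["ip"], []).append(
                (entry["ts"], entry["target"], signals)
            )
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, len(hits), "flagged request(s)")
        for ts, target, signals in hits:
            print("  ", ts, target, signals)
```

The metacharacter check is deliberately coarse (a legitimate search for "O'Brien" will trip it), which is why the output is grouped per client and time rather than alerting on single lines; the combination of a quote in a parameter followed by a 500 from the same client is the pairing worth a closer look.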
  17. Manual Testing (demo slide)
  18. Manual Testing (demo slide)
  19. Automated Testing: Browser Plugins
  20. Automated Testing: Web Application Vulnerability Scanner
  21. Automated Testing: Web Application Vulnerability Scanner
  22. Exploitation: SQLMAP
  23. Preventing SQLi
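To make the "Preventing SQLi" point concrete against the login code on slides 7 to 10, here is an added example (not code from the original deck) that builds the same AppUsers check two ways in Python against an in-memory SQLite database with constructed sample users: once by string concatenation, mirroring the slide's $query, and once with bound parameters, the standard fix. The concatenated version also reports the SQL syntax error a stray quote produces, which is the error signal the detection slides describe and the kind of message an application should log rather than show to the user.

```python
"""Login check built two ways: string concatenation as in the deck's PHP
(slide 7) and a parameterized query (the fix for "Preventing SQLi").
Added example, not code from the original deck. Uses an in-memory SQLite
database with constructed sample users."""
import sqlite3

# Constructed sample accounts; passwords are stored in clear text only to
# mirror the slide's schema.
SAMPLE_USERS = [("jsmith", "kitteh"), ("admin", "hunter2")]


def make_db():
    """Create the AppUsers table from the slides and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AppUsers (userid INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO AppUsers (user, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(user, password):
    """The slide's $query: form fields pasted straight into the SQL text."""
    return (
        "SELECT userid FROM AppUsers WHERE user = '" + user
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, user, password):
    """Run the concatenated query. Returns ("ok", [userids]) or, when the
    input broke the SQL syntax, ("error", message): the error the detection
    slides say to look for. Any returned row counts as a successful login,
    just like the slide's `if ($numrows != 0)`."""
    try:
        rows = conn.execute(build_vulnerable_query(user, password)).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", sorted(r[0] for r in rows))


def login_parameterized(conn, user, password):
    """Same check with bound parameters: the values travel separately from
    the SQL text, so quotes in the input are data, never syntax."""
    rows = conn.execute(
        "SELECT userid FROM AppUsers WHERE user = ? AND password = ?",
        (user, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    bypass = "anything' OR '1'='1"  # the payload from slide 9
    print(login_vulnerable(db, "jsmith", "kitteh"))     # ('ok', [1])
    print(login_vulnerable(db, "jsmith", bypass))       # ('ok', [1, 2]) -> every user matches
    print(login_vulnerable(db, "jsmith'", "x"))         # ('error', ...) -> broken SQL
    print(login_parameterized(db, "jsmith", bypass))    # [] -> the quote is just data
```

The parameterized form is the whole fix: the SQL text is fixed at development time and the driver transmits the two values on the side, so the AND/OR precedence trick from slide 9 has nothing to rewrite. Checking for "at least one row" is still weak; a production check would compare a password hash and require exactly one matching user.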
  24. Sources / Tools Used
      More about SQLi
       OWASP - https://www.owasp.org/index.php/SQL_Injection
       SQL Injection Attacks and Defense (Amazon) - http://goo.gl/KSUAl
      Web Application Vulnerability Scanners
       ZAP - http://code.google.com/p/zaproxy/
       w3af - http://w3af.sourceforge.net/
      Browser Plugins
       Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
       SQL Inject Me - https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/
      Vulnerable Web Applications
       OWASP Broken Web Apps - http://code.google.com/p/owaspbwa/
       The BodgeIt Store - http://code.google.com/p/bodgeit/
       Damn Vulnerable Web Application - http://www.dvwa.co.uk/
      SQL Exploitation
       SQLMAP - http://sqlmap.org/
      Collections of Tools
       Backtrack - http://www.backtrack-linux.org/
       Mantra - http://getmantra.com/
  25. Thank you for coming. Contact info: jpubal@gmail.com, www.intellavis.com/blog, Twitter @pubal