SQL Injections (Part 1)

SQL Injections (Part 1) by Wasim Halani @ null Mumbai Meet, May, 2011

Published in: Technology


Transcript

  • 1. SQL Injection Part 1 - BASICS
    WasimHalani
    (WaSHaL)
  • 2. ./whoami
    Student
    Fallible
    NOT a SQL expert
    “Do not take anything I say as fact. I have been wrong before and I will be wrong again.” - Nullthreat
  • 3. OWASP Top 10
    A1 – Injection Flaws
    Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
    Simpler definition, anyone? 
  • 4. SQL Injection
    SQL = Structured Query Language
    Execute a SQL query/statement or syntax by injecting it into a user input field on the web application
  • 5. Why study it?
    Barracuda
    HBGary/ HBGary Federal
    Appinonline
    Appinlabs
    NIIT
    Mysql.com
  • 6. Our Sample DB
    user_db
  • 7. Generic SQL - Select
    SQL> select * from userdb where username='xxxx' and password='yyyy';
    returns all columns from table 'userdb' for every row that has the given username and password
    SQL> select role from userdb where username='zzzz';
    returns only the column 'role' for the rows where the username matches
  • 8. UNION Operator
    Combine results of two or more SELECT statements
    SELECT username,password from user_db UNION SELECT username,password from admin_db
    SELECT username,password from user_db UNION ALL SELECT username,password from admin_db
  • 9. ORDER BY Clause
    Sort results of SELECT query by a specific column
    number
    column name
  • 10. Misc.
    INSERT
    UPDATE
    DELETE
    ALTER
    DROP
  • 11. Categories of SQL Injection
    In-band: Error, Union
    Out-of-band: DNS, Ping
    Inferential (Blind): Sleep, Waitfor
    Ref: www.toorcon.org/tcx/9_McCray.pdf
  • 12. SQL Injection Attacks
  • 13. Vulnerable Code
  • 14. Vanilla Injection
    ' or 1=1 --
    a' or 'a'='a
  • 15. Finding # of Columns
    1, 2, 3, 4, ..., 100
  • 16. Finding # of Columns - 2
  • 17. Injecting Queries (UNION)
    Ref: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  • 18. Tools
    Netsparker (Pro/Community)
    Havij
    SQLMap
    SQLNinja
  • 19. Coming Up…
    Blind SQL
    Manual Extraction of Data using SQLi+Burp
    Preventing SQL Injections
  • 20. Questions?*
    wasimhalani@gmail.com
    @washalsec
    http://securitythoughts.wordpress.com/
    *Conditions Apply
  • 21. Blind SQL Injection
    The game of TRUE and FALSE
    No error messages/responses
    Result determination is from
    Response page
    HTTP Status code
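Slides 13, 14 and 19 leave the vulnerable code and its prevention to the live demo and to Part 2. The added example below is not from the deck: it builds a constructed in-memory SQLite copy of user_db and contrasts a login query assembled by string concatenation, which slide 14's payloads turn into a different query, with the parameterized form that treats the same input as data. The table layout, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the deck's user_db (assumption).
SAMPLE_ROWS = [
    ("alice", "s3cret", "user"),
    ("admin", "hunter2", "admin"),
]


def make_db():
    """Create an in-memory user_db table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_db (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO user_db VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'Vulnerable Code' pattern: user input is spliced into the SQL text.

    A quote in the input closes the string literal, so the rest of the input
    is parsed as SQL syntax (the deck's 'vanilla injection').
    """
    sql = (
        "SELECT username, role FROM user_db "
        "WHERE username='%s' AND password='%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters keep the query structure fixed.

    The driver passes the values to the engine separately, so quotes,
    'or 1=1' and '--' inside them are never interpreted as SQL.
    """
    sql = "SELECT username, role FROM user_db WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both logins with slide 14's payloads; returns the row counts."""
    conn = make_db()
    payload = "' or 1=1 --"   # closes the literal, forces TRUE, comments out the rest
    vuln_rows = login_vulnerable(conn, payload, "anything")
    safe_rows = login_parameterized(conn, payload, "anything")
    return len(vuln_rows), len(safe_rows)


if __name__ == "__main__":
    print("vulnerable query returned %d rows, parameterized returned %d" % demo())
```

With the concatenated query the WHERE clause becomes `username='' or 1=1 --' AND password='anything'`, which matches every row; the parameterized query compares the literal payload string against the username column and matches nothing.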