SQL Injection Part 1 - BASICS<br />WasimHalani<br />(WaSHaL)<br />
./whoami<br />Student<br />Fallible<br />NOT a SQL expert<br />“Do not take anything I say as fact. I have been wrong befo...
OWASP Top 10<br />A1 – Injection Flaws<br />Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted dat...
SQL Injection<br />SQL = Structured Query Language<br />Execute a SQL query/statement or syntax by injecting it in an user...
Why study it?<br />Barracuda<br />HBGary/ HBGary Federal<br />Appinonline<br />Appinlabs<br />NIIT<br />Mysql.com<br />
Our Sample DB<br />user_db<br />
Generic SQL - Select<br />SQL> select * from userdb where username=‘xxxx’ and password=‘yyyy’;<br />returns all columns fr...
UNION Operator<br />Combine results of two or more SELECT statements<br />SELECT username,password from user_db UNION SELE...
ORDER BY Clause<br />Sort results of SELECT query by a specific column<br />number <br />column name<br />
Misc.<br />INSERT<br />UPDATE<br />DELETE<br />ALTER<br />DROP<br />
Categories of SQL Injection<br />In-band<br />Error<br />Union<br />Out-band<br />Dns<br />Ping<br />Inferential (Blind)<b...
SQL Injection Attacks<br />
Vulnerable Code<br />
Vanilla Injection<br />‘ or 1=1 --<br />a‘ or ‘a’=‘a<br />
Finding # of Columns<br />1<br />2<br />3<br />4<br />.<br />.<br />.<br />.<br />100<br />
Finding # of Columns - 2<br />
Injecting Queries (UNION)<br />Ref: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/<br />
Tools<br />Netsparker (Pro/Community)<br />Havij<br />SQLMap<br />SQLNinja<br />
Coming Up…<br />Blind SQL<br />Manual Extraction of Data using SQLi+Burp<br />Preventing SQL Injections<br />
Questions?*<br />wasimhalani@gmail.com<br />@washalsec<br />http://securitythoughts.wordpress.com/<br />*Conditions Apply<...
Upcoming SlideShare
Loading in …5
×

SQL Injections (Part 1)

3,821 views
3,571 views

Published on

SQL Injections (Part 1) by Wasim Halani @ null Mumbai Meet, May, 2011

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,821
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
221
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

SQL Injections (Part 1)

  1. 1. SQL Injection Part 1 - BASICS<br />WasimHalani<br />(WaSHaL)<br />
  2. 2. ./whoami<br />Student<br />Fallible<br />NOT a SQL expert<br />“Do not take anything I say as fact. I have been wrong before and I will be wrong again.” - Nullthreat<br />
  3. 3. OWASP Top 10<br />A1 – Injection Flaws<br />Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.<br />Simpler definition, anyone? <br />
  4. 4. SQL Injection<br />SQL = Structured Query Language<br />Execute a SQL query/statement or syntax by injecting it in an user input field on the web application <br />
  5. 5. Why study it?<br />Barracuda<br />HBGary/ HBGary Federal<br />Appinonline<br />Appinlabs<br />NIIT<br />Mysql.com<br />
  6. 6. Our Sample DB<br />user_db<br />
  7. 7. Generic SQL - Select<br />SQL> select * from userdb where username=‘xxxx’ and password=‘yyyy’;<br />returns all columns from table ‘userdb’ and every row which have given username and password<br />SQL> select role from userdb where username=‘zzzz’;<br />returns only column ‘role’ where username matches <br />
  8. 8. UNION Operator<br />Combine results of two or more SELECT statements<br />SELECT username,password from user_db UNION SELECT username,password from admin_db<br />SELECT username,password from user_db UNION ALL SELECT username,password from admin_db<br />
  9. 9. ORDER BY Clause<br />Sort results of SELECT query by a specific column<br />number <br />column name<br />
  10. 10. Misc.<br />INSERT<br />UPDATE<br />DELETE<br />ALTER<br />DROP<br />
  11. 11. Categories of SQL Injection<br />In-band<br />Error<br />Union<br />Out-band<br />Dns<br />Ping<br />Inferential (Blind)<br />Sleep<br />Waitfor<br />Ref: www.toorcon.org/tcx/9_McCray.pdf<br />
  12. 12. SQL Injection Attacks<br />
  13. 13. Vulnerable Code<br />
  14. 14. Vanilla Injection<br />‘ or 1=1 --<br />a‘ or ‘a’=‘a<br />
  15. 15. Finding # of Columns<br />1<br />2<br />3<br />4<br />.<br />.<br />.<br />.<br />100<br />
  16. 16. Finding # of Columns - 2<br />
  17. 17. Injecting Queries (UNION)<br />Ref: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/<br />
  18. 18. Tools<br />Netsparker (Pro/Community)<br />Havij<br />SQLMap<br />SQLNinja<br />
  19. 19. Coming Up…<br />Blind SQL<br />Manual Extraction of Data using SQLi+Burp<br />Preventing SQL Injections<br />
  20. 20. Questions?*<br />wasimhalani@gmail.com<br />@washalsec<br />http://securitythoughts.wordpress.com/<br />*Conditions Apply<br />
  21. 21. Blind SQL Injection<br />The game of TRUE and FALSE<br />No error messages/responses<br />Result determination is from<br />Response page<br />HTTP Status code<br />

×