3. Contents
● What is SQL.
● How does SQL Injection work.
● Example of SQL Injection.
● Diagram of SQL Injection.
4. WHAT IS SQL?
✔ SQL stands for Structured Query Language
✔ Allows us to access a database
✔ ANSI and ISO standard computer language
✔ The most current standard is SQL99
✔ SQL can:
✔ execute queries against a database
✔ retrieve data from a database
✔ insert new records in a database
✔ delete records from a database
✔ update records in a database
5.
6. WHAT IS A SQL INJECTION
ATTACK?
✔ Many web applications take user input from a form
✔ Often this user input is used literally in the
construction of a SQL query submitted to a
database. For example: SELECT productdata
FROM table WHERE productname = ‘user input
product name’;
✔ A SQL injection attack involves placing SQL
statements in the user input
12. SQL Injection Steps
✔ Searching for a vulnerable point
✔ Fingerprinting the back-end DB.
✔ Enumerating or retrieving data of interesting table
dumps, usernamepassword etc.
✔ Eventual exploiting the system once the
information is handy
-OS take over,data change, web server take over etc.