The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
2. WHAT?
• Technique to hack database.
• Attacker injects commands within an application.
• Done using html forms or URLS.
• SQL is used to corrupt or destroy the database.
4. TYPES OF ATTACKS
FIRST ORDER ATTACKS
• Attacker receives desired
results immediately.
• Uses form injection or URL
injection.
SECOND ORDER ATTACKS
• Process in which the
malicious code is injected into
a web based application and
not immediately executed.
7. METHODS
1. NORMAL SQL INJECTION
• Attacker injects SQL query.
• Sometimes, server returns error page describing the
type and cause in detail.
• Attacker, tries to match his query with the
developer’s query by using info in error message.
10. METHODS
2. BLIND SQL INJECTION
• Similar to normal method, but instead of receiving an
error message, attacker gets a generic page set up by
the developer.
• This makes exploiting data difficult, but not impossible.
• Done by asking a series of true and false questions
through SQL statements.