Powerpoint presentation on SQL injection in brief (Simple)
SEMINAR POWERPOINT PRESENTATION
(Structured Query Language Injection)
Submitted To: Submitted By:
Dr. Deepak Dembla Shivam Sahu
Professor & HOD IT 16BCAN035
&Computer Applications Department IInd Sem BCA
JECRC University, Jaipur
Structure of presentation
• What are Injection attacks?
• What is SQL?
• What is SQL Injection?
• Classes of SQL Injection?
• Is it can be a very serious problem?
• Important SQL Syntax!
• Find SQL Injection Bugs ?
• Impact of SQL Injection
• SQLAttack steps!
• Any Websites provide Bugs Bounty for SQL Injection?
• SQL Injection(code and dork)
• How to hack Website using SQL Injection with easy Steps!(Live Demonstartion!)
• SQL injection exploit?
• How Can You Prevent This?
• Other Injection Types
• SQL injection Conclusion
What are Injection attacks?
• Injection attacks trick an application into
including unintended commands in the data
send to an interpreter.
• Interpret strings as commands.
• Ex: SQL, shell (cmd.exe, bash), LDAP, XPath
• Key Idea
• Input data from the application is executed as
code by the interpreter.
What is SQL?
• SQL: Structured
• Used to store, edit,
and retrieve database
• Applications issue
SQL commands that
What is SQL Injection?
• App sends form to user.
• Attacker submits form with SQL exploit
• Application builds string with exploit
• Application sends SQL query to DB.
• DB executes query, including exploit,
sends data back to application.
• Application returns data to user.
• Many web applications take user input
from a form
• Often this user input is used literally in
the construction of a SQL query
submitted to a database
Pass ‘ or 1=1--
Video Source : https://www.youtube.com/watch?v=FwIUkAwKzG8
Classes of SQL Injection
• SQL Injection can be broken up into 3 classes:
• 1.Inband - data is extracted using the same channel that is used to inject the SQL code.
• This is the most straightforward kind of attack, in which the retrieved data is presented
• directly in the application web page
• 2.Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of
• the query is generated and sent to the tester)
• 3.Inferential - there is no actual transfer of data, but the tester is able to reconstruct the
• information by sending particular requests and observing the resulting behaviour of the
• website/DB Server.
Is it can be a very serious problem?
• The attacker can delete, modify or even worse,
steal your data
• Compromises the safety, security & trust of
• Compromises a company’s competitiveness or
even the ability to stay in business
Example: SELECT * FROM `table` --selects
Example: SELECT * FROM `table` WHERE ‘a’=‘a’
MULTI STATEMENTS: S1; S2
Example: SELECT * FROM `table`; DROP TABLE
Impact of SQL Injection
1. Leakage of sensitive
2. Reputation decline.
3. Modification of sensitive
4. Loss of control of db
5. Data loss.
6. Denial of service.
SQL Attack steps
• Searching for a vulnerable point
• Fingerprinting the backend DB
• Enumerating or retrieving data of interest –
table dumps, usernames/passwords etc.
• Eventual exploiting the system once the
information is handy
– OS take over, data change, web server take over
SQL Injection Attacks on the rise
• Many, many sites have lost customer data in this way,” said Chris
Hinkley, Senior Security Engineer at FireHost. “SQL Injection attacks
are often automated and many website owners may be blissfully
unaware that their data could actively be at risk. These attacks can
be detected and businesses should be taking basic and blanket
steps to block attempted SQL Injection, as well as the other types of
attacks we frequently see.
• 16/11/2016 :Websites of Indian Embassy in 7 Countries Hacked;
Database Leaked Online
SQL injection exploit?
• Access sensitive data in the database,
• Modify database data,
• Execute administrative operations within the
database (e.g. shutdown the DBMS),
• Recover the content of a given file present on
the DBMS file system
• And in some cases issue commands to the
Video Source : https://www.youtube.com/watch?v=J6-zUVUzZA4
Websites that provide bug bounty for
' or 0=0 --
' or 0=0 --'
' or 0=0 #
" or 0=0 --
" or 0=0 --'
'" or 0=0 --
or 0=0 --
' or 0=0
" or 0=0 #
' or a=a--
' or "a"="a
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
" or 1=1--
' or a=a--'
' or a=a #
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
' or 1=1--
" or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Finding SQL Injection Bugs
1. Submit a single quote as input.
If an error results, app is vulnerable.
If no error, check for any output changes.
2. Submit two single quotes.
Databases use ’’ to represent literal ’
If error disappears, app is vulnerable.
3. Try string or numeric operators.
How to mitigate the risk?
• Escape all user supplied input
• Always validate input
• Use prepared statements
– For PHP+MySQL – use PDO with strongly typed
parameterized queries (using bindParam())
• Code reviews
• Don’t store password in plain text in the DB
– Salt them and hash them
How does this prevent an attack?
• The SQL statement you pass to prepare is parsed and
compiled by the database server.
• By specifying parameters (either a ? or a named parameter
like :name) you tell the database engine what to filter on.
• Then when you call execute the prepared statement is
combined with the parameter values you specify.
• It works because the parameter values are combined with
the compiled statement, not a SQL string.
• SQL injection works by tricking the script into including
malicious strings when it creates SQL to send to the
database. So by sending the actual SQL separately from the
parameters you limit the risk of ending up with something
you didn't intend.
• Logic to allow only numbers / letters in
username and password.
• How should you enforce the constraint?
• ‘ESCAPE’ bad characters.
’ becomes ’
• READ ONLY database access.
• Remember this is NOT just for login areas!
NOT just for websites!!
Video Source: https://www.youtube.com/watch?v=WNNLpObPQuo
SQL injection Conclusion
• SQL injection is technique for exploiting applications that use
relational databases as their back end.
• Applications compose SQL statements and send to database.
• SQL injection use the fact that many of these applications
concatenate the fixed part of SQL statement with user-supplied
data that forms WHERE predicates or additional sub-queries.
• The technique is based on malformed user-supplied data
• Transform the innocent SQL calls to a malicious call
• Cause unauthorized access, deletion of data, or theft of information
• All databases can be a target of SQL injection and all are vulnerable
to this technique.
• The vulnerability is in the application layer outside of the database,
and the moment that the application has a connection into the
Other Injection Types
• Shell injection.
• Scripting language injection.
• File inclusion.
• XML injection.
• XPath injection.
• LDAP injection.
• SMTP injection.
Some good sites to learn more
• Prevention guide (with sample code in many languages):
• (webinar) http://www.percona.com/webinars/2012-07-25-sql-
• Cool site that let’s you try out attacks on a sample DB and explains
why they work
• Research paper on how to retrofit existing websites to combat SQL