2. Beating my own drums...
Arjun Gupta M
fb.com/arjungupta.m
▪ Working with Birlasoft, Security analyst at
World Bank Group.... just because I have to work
▪ I enjoy hacking... de facto I know nothing else
▪ Always a learner
▪ Long rides, Planting trees, Charities
▪ Indian...I take pride in this
3. Let’s start with DB and SQL
▪ Database is an organized collection of data.
▪ Easy to Access, Manage and Update the data.
▪ SQL / Structured Query language is the standard language to interact
with the databases.
▪ DBs and True/False are thick friends… Let's see why, further on.
4. SQLI and the infamous ‘
▪ SQL injection is a code injection technique in which malicious SQL
statements are inserted into an entry field for execution.
– Get / Post parameters, Cookies, Referrer header, User Agent and so on…
▪ It involves the alteration of SQL statements that are used within a
web application through the use of attacker-supplied data.
▪ It is caused by incorrectly filtering the special characters in the input
before an action is performed on it.
▪ The infamous rogue character that we love is ' which breaks the
syntax and lets us do the work.
5. Honors and greatness of SQLI
▪ SQLi was ranked first on the MITRE Common Weakness Enumeration
(CWE) list in 2011.
▪ Top vulnerability in the OWASP Top 10 (2010 and 2013) under the Injection
category.
▪ On the SANS Top 25 Most Dangerous Software Errors list.
Authentication bypass, complete takeover of the database.
If you are still lucky, you can get the command shell too.
8. How does it work…
▪ The query used by the developer to validate the login credentials is:
Select * from users where username='$user' and password='$pwd';
– If the DB returns one row, the user gets logged in.
▪ Instead of legit credentials, I inject "admin' AND '1'='1' -- " for the username.
▪ The PHP interpreter will comment out the query after "--" and sends the
following query to the DB for execution:
Select * from users where username='admin' AND '1'='1';
▪ The DB processes the above query and returns one row, as the expression
'1'='1' is always True and the username also exists.
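The login-bypass walkthrough above, carried through in runnable form as an added example (this is not code from the slides): a Python login check that builds the query by string concatenation, next to the same check using bound parameters, both run against a constructed in-memory SQLite table. The payload is the one on the slide; the users table, its two rows and the function names are made up for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """The slide's query built by concatenation: attacker-supplied text becomes
    part of the SQL syntax, so a single quote breaks out of the string literal."""
    query = ("SELECT * FROM users WHERE username='" + user +
             "' AND password='" + pwd + "';")
    rows = conn.execute(query).fetchall()
    return len(rows) > 0


def login_parameterized(conn, user, pwd):
    """Same query with bound parameters: the driver passes the values separately
    from the statement text, so the quote and the comment token stay plain data."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    rows = conn.execute(query, (user, pwd)).fetchall()
    return len(rows) > 0


def demo():
    """Run legitimate credentials and the slide's payload through both versions."""
    conn = make_db()
    payload = "admin' AND '1'='1' -- "   # the payload from the slide
    return {
        "legit_vuln": login_vulnerable(conn, "admin", "s3cret"),
        "legit_safe": login_parameterized(conn, "admin", "s3cret"),
        "payload_vuln": login_vulnerable(conn, payload, "wrong"),
        "payload_safe": login_parameterized(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: logged in = {logged_in}")
```

The concatenated version accepts the payload because the database's own SQL parser treats everything after `--` as a comment to end of line, which discards the password clause; the application language only assembles the string. The parameterized version hands the same input to the driver as a value, so it simply names a user that does not exist and the login fails. The fix lives in how the query is assembled, not in which database is behind it.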
11. Behavior of the application with Malicious input
[Screenshots: application response under a True condition and under a False condition]
Different responses for the True and False conditions confirm the injection vuln.
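One way to turn the True/False observation on this slide into a detection on the defender's side, as an added example that is not part of the deck: a small scanner over constructed web-server access-log lines (made up here, in common log format) that flags request parameters carrying a quoted tautology or a SQL comment token, then pairs flagged requests from the same client to the same path and parameter whose response sizes differ, which is the differential behaviour the slide describes. The log lines, IP addresses, paths and regexes are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /login.php?user=admin&pwd=s3cret HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2015:13:55:40 +0000] "GET /login.php?user=admin%27+AND+%271%27%3D%271%27+--+&pwd=x HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2015:13:55:41 +0000] "GET /login.php?user=admin%27+AND+%271%27%3D%272%27+--+&pwd=x HTTP/1.1" 200 311
10.0.0.7 - - [10/Oct/2015:13:56:02 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

# A quote followed by AND/OR and a comparison such as ' AND '1'='1 (the slide's shape),
# or a SQL comment token. Deliberately narrow; tune before relying on it.
TAUTOLOGY_RE = re.compile(r"'\s*(and|or)\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)
COMMENT_RE = re.compile(r"(--|#|/\*)")


def parse_line(line):
    """Parse one log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes and turns '+' into spaces, so %27 becomes a quote.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    rec["size"] = int(rec["size"])
    return rec


def suspicious_params(rec):
    """Names of parameters whose decoded value matches either pattern."""
    return [name for name, value in rec["params"].items()
            if TAUTOLOGY_RE.search(value) or COMMENT_RE.search(value)]


def scan(log_text):
    """Return (flagged records, probe pairs). A probe pair is two flagged requests
    from the same client, to the same path and parameter, with different response
    sizes: the True/False differential the application leaks."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec)
        if hits:
            rec["hits"] = hits
            flagged.append(rec)
    probes = []
    for i, a in enumerate(flagged):
        for b in flagged[i + 1:]:
            same_target = (a["ip"], a["path"], a["hits"]) == (b["ip"], b["path"], b["hits"])
            if same_target and a["size"] != b["size"]:
                probes.append((a["ip"], a["path"], a["hits"][0]))
    return flagged, probes


if __name__ == "__main__":
    flagged, probes = scan(SAMPLE_LOG)
    for rec in flagged:
        print("flagged", rec["ip"], rec["path"], rec["hits"], "size", rec["size"])
    for ip, path, param in probes:
        print("boolean probe pair:", ip, path, "parameter", param)
```

The two regexes will also match legitimate values that happen to contain a `#` or a quoted comparison, so in practice they are a triage signal to be combined with the response-size pairing, not a blocking rule on their own; the pairing is what separates a stray special character from someone comparing a True response with a False one.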