
Introduction to SQL Injection


  1. SQL Injection 101 (SQLi)
  2. Jason Pubal. Contact information: Website www.intellavis.com/blog, Social www.linkedin.com/in/pubal, E-Mail jpubal@gmail.com, Twitter @pubal
  3. SQL Injection outline: OWASP Top 10; Web Architecture; What is SQLi?; Detecting SQLi; Exploiting SQLi; Preventing SQLi
  4. (image-only slide)
  5. (image-only slide)
  6. Web Application Basics. The request `GET www.MyAwesomeStore.com/buystuff.php?category=balls` becomes the query `SELECT * FROM products WHERE category='balls'`, which returns: baseballs, soccer balls, basketballs, blue balls, tennis balls
  7. Login code (PHP). This is the slide's deliberately vulnerable example: the POST values are concatenated straight into the SQL string.

     ```php
     <?php
     // connect to database (the old mysql_* extension used on the slide; it was removed in PHP 7)
     $conn = mysql_connect("localhost", "username", "password");
     // build sql statement: user input is interpolated directly into the query, which is the SQLi flaw
     $query = "SELECT userid FROM AppUsers WHERE user = '{$_POST['username']}' " .
              "AND password = '{$_POST['password']}'";
     // run query
     $result = mysql_query($query);
     // ensure a user was returned
     $numrows = mysql_num_rows($result);
     if ($numrows != 0) {
         header("Location: admin.php");
     } else {
         die('Incorrect username or password.');
     }
     ```
  8. The query with normal input: `SELECT userid FROM AppUsers WHERE user = 'jsmith' AND password = 'kitteh';`
  9. The query when the password field contains `anything' OR '1' = '1`: `SELECT userid FROM AppUsers WHERE user = 'jsmith' AND password = 'anything' OR '1' = '1';`
  10. (Slide 10 repeats the login code from slide 7.)
  11. Impact
      • Authentication Bypass: This attack allows an attacker to log on to an application without supplying a valid username and password.
      • Information Disclosure: This attack allows an attacker to obtain sensitive information that is contained in a database.
      • Alter Data: This attack involves the alteration of the contents of a database. This can be used to deface a web page. It can also be used to insert malicious content, like JavaScript malware.
      • Delete Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information that is contained in a database.
      • Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution.
  12. Vulnerable Sites: WhiteHat Security Statistics Report
  13. Web Application Attacks: Web Hacking Incident DB
  14. Detecting SQLi
      Testing by inference: "If I see this, then this is probably happening at the back end." Try to break the application:
        • Find the inputs likely to be generating dynamic SQL.
        • Use input that will create invalid SQL.
        • See if you get errors!
      Special characters:
        • `--` comments out everything after it
        • `/*` begins a comment, `*/` ends it
        • `'` marks the beginning/end of a string
        • `;` ends a SQL statement
        • `"` delimits identifiers
      Type issues:
        • use strings instead of numbers
        • add unexpected spaces
  15. SQLi Errors
  16. Detecting SQLi, other signs: HTTP 500 status; custom application errors; timing differences in the web page
  17. Manual Testing
  18. Manual Testing
  19. Automated Testing: Browser Plugins
  20. Automated Testing: Web Application Vulnerability Scanner
  21. Automated Testing: Web Application Vulnerability Scanner
  22. Exploitation: SQLMAP
  23. Preventing SQLi
  24. Sources / Tools Used
      More about SQLi:
        • OWASP - https://www.owasp.org/index.php/SQL_Injection
        • SQL Injection Attacks and Defense (Amazon) - http://goo.gl/KSUAl
      Web Application Vulnerability Scanners:
        • ZAP - http://code.google.com/p/zaproxy/
        • w3af - http://w3af.sourceforge.net/
      Browser Plugins:
        • Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
        • SQL Inject Me - https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/
      Vulnerable Web Applications:
        • OWASP Broken Web Apps - http://code.google.com/p/owaspbwa/
        • The BodgeIt Store - http://code.google.com/p/bodgeit/
        • Damn Vulnerable Web Application - http://www.dvwa.co.uk/
      SQL Exploitation:
        • SQLMAP - http://sqlmap.org/
      Collections of Tools:
        • Backtrack - http://www.backtrack-linux.org/
        • Mantra - http://getmantra.com/
  25. THANK YOU FOR COMING. Contact info: jpubal@gmail.com, www.intellavis.com/blog, Twitter: @pubal
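The authentication bypass of slides 7 to 9 and the prevention point of slide 23, worked through in Python with SQLite as an added example (not code from the slides, whose login is written in PHP). The AppUsers rows and the credentials are constructed sample data; the vulnerable function mirrors the slide's string concatenation, the safe one uses a parameterised query.

```python
import sqlite3

# Constructed sample rows standing in for the slides' AppUsers table.
APP_USERS = [("jsmith", "kitteh"), ("admin", "s3cret")]


def make_db():
    """In-memory database with the AppUsers table from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AppUsers (userid INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO AppUsers (user, password) VALUES (?, ?)", APP_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, exactly like the PHP on slide 7.

    A password of  anything' OR '1'='1  turns the WHERE clause into
    user = '...' AND password = 'anything' OR '1'='1', which matches every row.
    """
    query = (
        "SELECT userid FROM AppUsers WHERE user = '" + username + "' "
        "AND password = '" + password + "'"
    )
    rows = conn.execute(query).fetchall()
    return len(rows) != 0


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the input as data, never as SQL text.

    The same payload is compared literally against the password column, so the
    quote and the OR are just characters and the login fails as it should.
    """
    rows = conn.execute(
        "SELECT userid FROM AppUsers WHERE user = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows) != 0


if __name__ == "__main__":
    db = make_db()
    payload = "anything' OR '1'='1"
    print("vulnerable, bypass payload:", login_vulnerable(db, "jsmith", payload))
    print("parameterised, same payload:", login_safe(db, "jsmith", payload))
```

Feeding the vulnerable version an input containing a stray quote raises a database error, which is the signal slide 14 tells you to look for; the parameterised version simply returns False.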
