Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SQL Injections (Part 1)


Published on

SQL Injections (Part 1) by Wasim Halani @ null Mumbai Meet, May, 2011

Published in: Technology
  • Be the first to comment

SQL Injections (Part 1)

  1. 1. SQL Injection Part 1 - BASICS<br />WasimHalani<br />(WaSHaL)<br />
  2. 2. ./whoami<br />Student<br />Fallible<br />NOT a SQL expert<br />“Do not take anything I say as fact. I have been wrong before and I will be wrong again.” - Nullthreat<br />
  3. 3. OWASP Top 10<br />A1 – Injection Flaws<br />Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.<br />Simpler definition, anyone? <br />
  4. 4. SQL Injection<br />SQL = Structured Query Language<br />Execute a SQL query/statement or syntax by injecting it in an user input field on the web application <br />
  5. 5. Why study it?<br />Barracuda<br />HBGary/ HBGary Federal<br />Appinonline<br />Appinlabs<br />NIIT<br /><br />
  6. 6. Our Sample DB<br />user_db<br />
  7. 7. Generic SQL - Select<br />SQL> select * from userdb where username=‘xxxx’ and password=‘yyyy’;<br />returns all columns from table ‘userdb’ and every row which have given username and password<br />SQL> select role from userdb where username=‘zzzz’;<br />returns only column ‘role’ where username matches <br />
  8. 8. UNION Operator<br />Combine results of two or more SELECT statements<br />SELECT username,password from user_db UNION SELECT username,password from admin_db<br />SELECT username,password from user_db UNION ALL SELECT username,password from admin_db<br />
  9. 9. ORDER BY Clause<br />Sort results of SELECT query by a specific column<br />number <br />column name<br />
  10. 10. Misc.<br />INSERT<br />UPDATE<br />DELETE<br />ALTER<br />DROP<br />
  11. 11. Categories of SQL Injection<br />In-band<br />Error<br />Union<br />Out-band<br />Dns<br />Ping<br />Inferential (Blind)<br />Sleep<br />Waitfor<br />Ref:<br />
  12. 12. SQL Injection Attacks<br />
  13. 13. Vulnerable Code<br />
  14. 14. Vanilla Injection<br />‘ or 1=1 --<br />a‘ or ‘a’=‘a<br />
  15. 15. Finding # of Columns<br />1<br />2<br />3<br />4<br />.<br />.<br />.<br />.<br />100<br />
  16. 16. Finding # of Columns - 2<br />
  17. 17. Injecting Queries (UNION)<br />Ref:<br />
  18. 18. Tools<br />Netsparker (Pro/Community)<br />Havij<br />SQLMap<br />SQLNinja<br />
  19. 19. Coming Up…<br />Blind SQL<br />Manual Extraction of Data using SQLi+Burp<br />Preventing SQL Injections<br />
  20. 20. Questions?*<br /><br />@washalsec<br /><br />*Conditions Apply<br />
  21. 21. Blind SQL Injection<br />The game of TRUE and FALSE<br />No error messages/responses<br />Result determination is from<br />Response page<br />HTTP Status code<br />