SlideShare a Scribd company logo

Belajar Menghindari SQL Injection dengan Simulasi

R
Rio Astamal

Bagaimana mencegah SQL Injection dengan berpikir sebagai seorang attacker yang melakukan serangan. SQL Injection akan dilakukan pada lingkungan simulasi yang legal yaitu abwh.rioastamal.net

1 of 23
Download to read offline
SQL NJECT ON BELAJAR MENGHINDARI MELALUI SIMULASI RIO ASTAMAL 02 Februari 2021 19:00 Founder BelajarAWS.com PHPID-OL#52
DISCLAIMER MATERI DALAM PRESENTASI INI HANYA DITUJUKAN UNTUK MENINGKATKAN PENGETAHUAN TENTANG KEAMANAN WEB. SEGALA BENTUK PENYALAHGUNAAN AKSI AKIBAT DARI INFORMASI YANG ADA PADA MATERI INI BUKANLAH TANGGUNG JAWAB PEMATERI/PENYELENGGARA. WEB SIMULASI HACKING YANG DIGUNAKAN ADALAH ABWH.RIOASTAMAL.NET MILIK DARI RIO ASTAMAL DAN WEBSITE TERSEBUT MEMANG DIDESAIN SEBAGAI LINGKUNGAN LEGAL UNTUK MENCOBA WEB HACKING.
RIO ASTAMAL 2020 Writer TeknoCerdas.com (ID)*
 2017 Lead Backend @ClearView.team (US)
 2016 Founder BelajarAWS.com (ID)*
 2015 Lead Dev @DominoPOS (SG)
 2014 System Engineer @WowRack (US/ID)
 2004 Freelance Web Developer *) Masih aktif hingga sekarang
APA YANG DIPELAJARI? + Pengertian SQL Injection
 + Kenapa SQL Injection bisa terjadi
 + Contoh SQL Injection
 + Mencegah SQL Injection
 + Simulasi web hacking menggunakan 
 teknik Blind SQL Injection pada 
 RM6 abwh.rioastamal.net beginner - intermediate
APA ITU SQL NJECT ON?
SQL INJECTION TEKNIK PENYERANGAN YANG MEMASUKKAN ATAU “MENGINJEKSI” PERINTAH KE SEBUAH QUERY SQL YANG DIJALANKAN OLEH APLIKASI TARGET. SERANGAN SQL INJECTION YANG SUKSES DAPAT MEMBACA INFORMASI SENSITIF* PADA DATABASE, BAHKAN MENGUBAH DATA ATAU DAPAT MENGEKSEKUSI PERINTAH ADMINISTRATOR JIKA ROLE YANG DIDAPAT SESUAI. *) Password, Kartu Kredit, Info Pengguna atau lain-lain.
SEBERAPA BAHAYA SQL NJECT ON?
SQL NJECT ON #OWASP TOP 10 2010, 2013, 2017 MENEMPATKAN SEBAGAI ANCAMAN #1
SAYA MASIH BINGUNG BERI SAYA CONTOH!
CONTOH TAMPILKAN PRODUK BERDASARKAN KATEGORI URL http://example.com/products/?categori=X SQL QUERY SELECT * FROM `products` WHERE `catid`=‘X’ LIMIT 0,10 PARAMETER INJECTION http://example.com/products/?categori='%20OR%201=1%23 SELECT * FROM `products` WHERE `catid`=‘‘ OR 1=1 #LIMIT 0,10 MENGHASILKAN SQL INJECTION
CONTOH TADI SEPERTINYA TIDAK TERLIHAT BERBAHAYA! OH BEGITU. MARI KITA COBA LAKUKAN DEMO SQL INJECTION.
DEMO SQL NJECT ON SIMULASI HACKING PADA REALISTIC MISSION 6 ABW H.RIOASTAMAL.NET FOR EDUCATION ONLY!
TUJUAN DARI REALISTIC MISSION 6 + MENGGUNAKAN TEKNIK BLIND SQL INJECTION UNTUK MENGGALI INFORMASI DARI DATABASE + MENGUJI PEMAHAMAN PENGGUNAAN KLAUSA “UNION” UNTUK MENGGABUNGKAN HASIL QUERY PADA SAAT INVESTIGASI + MENGUJI PEMAHAMAN TENTANG TABEL SPESIAL PADA MYSQL YAITU “INFORMATION_SCHEMA”
BLIND SQL INJECTION SERANGAN SQL INJECTION YANG MENGANDALKAN RESPONSE TRUE/ FALSE DARI APLIKASI. ATTACKER AKAN MENCOBA MELAKUKAN SQL INJECTION PADA HALAMAN TARGET DENGAN MENGIRIM PARAMETER TERTENTU UNTUK MELIHAT HASILNYA. DARI MANA KITA TAHU HASILNYA TRUE ATAU FALSE?
CONTOH BLIND SQL INJECTION http://example.com/products/?categori=X SQL QUERY NORMAL SELECT * FROM `products` WHERE CatID=‘X’ LIMIT 0,10 SQL INJECTION DENGAN TARGET TRUE http://example.com/products/?categori=X'%20AND%201=1%23 SELECT * FROM `products` WHERE CatID=‘X’ AND 1=1 #LIMIT 0,10 MENGHASILKAN QUERY SQL INJECTION DENGAN TARGET FALSE http://example.com/products/?categori=X'%20AND%201=2%23 SELECT * FROM `products` WHERE CatID=‘X’ AND 1=2 #LIMIT 0,10 MENGHASILKAN QUERY
PERINTAH UNION PADA SQL MENGGABUNGKAN HASIL DARI SATU ATAU LEBIH STATEMENT SELECT. JUMLAH KOLOM DARI MASING-MASING SELECT STATEMENT HARUS SAMA. SELECT Website, Owner FROM websites;
 
 +-----------------+-------------+
 | Website | Owner |
 +-----------------+-------------+
 | BelajarAWS.com | Rio Astamal |
 | TeknoCerdas.com | Rio Astamal |
 +-----------------+-------------+ SELECT Website, Owner FROM websites
 UNION
 SELECT 1, 2;
 
 +-----------------+-------------+
 | Website | Owner |
 +-----------------+-------------+
 | BelajarAWS.com | Rio Astamal |
 | TeknoCerdas.com | Rio Astamal |
 | 1 | 2 |
 +-----------------+-------------+
TABEL INFORMATION_SCHEMA TABEL YANG BERISI METADATA DARI DATABASE PADA MYSQL SEPERTI NAMA TABEL DAN KOLOM. SELECT TABLE_NAME,TABLE_TYPE FROM 
 INFORMATION_SCHEMA.TABLES;
 
 +-----------------+-------------+
 | TABLE_NAME | TABLE_TYPE |
 +-----------------+-------------+
 | table_abc | BASE_TABLE |
 | table_xyz | BASE_TABLE |
 +-----------------+-------------+ SELECT COLUMN_NAME,DATA_TYPE FROM 
 INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_NAME=“table_abc”;
 
 +-----------------+-------------+
 | COLUMN_NAME | DATA_TYPE |
 +-----------------+-------------+
 | column_abc | VARCHAR |
 | column_xyz | VARCHAR |
 +-----------------+-------------+
BAGAIMANA MENCEGAH SQL NJECT ON?
#1 JANGAN PERNAH MEMPERCAYAI INPUT DARI USER SELALU LAKUKAN SANITASI PADA INPUTAN DARI USER JIKA MEMANG TERPAKSA MENGGUNAKAN RAW QUERY. // Jika mengharap inputan berupa angka saja
 $catId = (int)($someData); // atau
 $catId = filter_var($someData, FILTER_VALIDATE_INT); // Jika mengharap inputan alphanumeric
 if (preg_match(‘/[^0-9A-Za-z]/‘, $someData) {
 exit(1); } // Jika mengharap semua karakter maka escape atau quote
 $someData = $pdo->quote($someData);
#2 SELALU GUNAKAN PREPARED STATEMENT GUNAKAN PDO ATAU DRIVER YANG MENDUKUNG PREPARED STATEMENT $catId = $_GET[‘cat’] ?? 0;
 $query = ‘SELECT * FROM products WHERE categoryId = :id’
 
 $stmt = $pdo->prepare($query);
 $stmt->execute([‘:id’ => $catId]);
#3 GUNAKAN FRAMEWORK FRAMEWORK UMUMNYA MENYEDIAKAN PUSTAKA ORM YANG OTOMATIS MELAKUKAN SANITASI DAN HAL-HAL YANG DIPERLUKAN UNTUK MENGHINDARI SQL INJECTION. // Laravel
 $products = Product::where(‘CatId’, $catId) ->take(10) ->get();
#4 LAKUKAN CODE REVIEW BERKALA CARA PALING EFEKTIF SEBENARNYA ADALAH PENCEGAHAN. YAITU DENGAN MELAKUKAN CODE REVIEW BERKALA. KADANG DEVELOPER BERPENGALAMAN PUN MELAKUKAN KESALAHAN ENTAH KARENA DIBURU WAKTU ATAU TERLUPA SEHINGGA ASPEK SECURITY TERABAIKAN. AKAN LEBIH BAIK LAGI JIKA DILAKUKAN INTERNAL PENETRATION TESTING SENDIRI UNTUK MENGETAHUI CELAH KEAMANAN YANG ADA. ATAU MENAMBAHKAN TOOLS PENTESTING SEPERTI SQLMAP PADA CI/CD PIPELINE. $ git push master:pentesting
./END Rio Astamal rioastamal rioastamal.net rio@rioastamal.net Gambar icon diambil dari Flaticon.com Presentasi ini juga dapat dilihat pada https://rioastamal.net/presentasi/2021/02/

Recommended

Oracle: PLSQL Commands
Oracle: PLSQL CommandsOracle: PLSQL Commands
Oracle: PLSQL Commands
DataminingTools Inc
 
Sq li
Sq liSq li
Sq li
Ashok kumar sandhyala
 
Optimizer percona live_ams2015
Optimizer percona live_ams2015Optimizer percona live_ams2015
Optimizer percona live_ams2015
Manyi Lu
 
Intro to KnockoutJS
Intro to KnockoutJSIntro to KnockoutJS
Intro to KnockoutJS
Kianosh Pourian
 
Short Intro to PHP and MySQL
Short Intro to PHP and MySQLShort Intro to PHP and MySQL
Short Intro to PHP and MySQLJussi Pohjolainen
 
Oracle Database features every developer should know about
Oracle Database features every developer should know aboutOracle Database features every developer should know about
Oracle Database features every developer should know about
gvenzl
 
Certifications Java
Certifications JavaCertifications Java
Certifications Java
Yannick Chartois
 
cPanel now supports MySQL 8.0 - My Top Seven Features
cPanel now supports MySQL 8.0 - My Top Seven FeaturescPanel now supports MySQL 8.0 - My Top Seven Features
cPanel now supports MySQL 8.0 - My Top Seven Features
Dave Stokes
 

Recommended

Oracle: PLSQL Commands
Oracle: PLSQL CommandsOracle: PLSQL Commands
Oracle: PLSQL Commands
DataminingTools Inc
 
Sq li
Sq liSq li
Sq li
Ashok kumar sandhyala
 
Optimizer percona live_ams2015
Optimizer percona live_ams2015Optimizer percona live_ams2015
Optimizer percona live_ams2015
Manyi Lu
 
Intro to KnockoutJS
Intro to KnockoutJSIntro to KnockoutJS
Intro to KnockoutJS
Kianosh Pourian
 
Short Intro to PHP and MySQL
Short Intro to PHP and MySQLShort Intro to PHP and MySQL
Short Intro to PHP and MySQLJussi Pohjolainen
 
Oracle Database features every developer should know about
Oracle Database features every developer should know aboutOracle Database features every developer should know about
Oracle Database features every developer should know about
gvenzl
 
Certifications Java
Certifications JavaCertifications Java
Certifications Java
Yannick Chartois
 
cPanel now supports MySQL 8.0 - My Top Seven Features
cPanel now supports MySQL 8.0 - My Top Seven FeaturescPanel now supports MySQL 8.0 - My Top Seven Features
cPanel now supports MySQL 8.0 - My Top Seven Features
Dave Stokes
 
Beg sql
Beg sqlBeg sql
Beg sqlKPNR Jan
 
Beg sql
Beg sqlBeg sql
Beg sql
Karthik Perumal
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
Alex Zaballa
 
MySQL 8.0 Released Update
MySQL 8.0 Released UpdateMySQL 8.0 Released Update
MySQL 8.0 Released Update
Keith Hollman
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
Introduction databases and MYSQL
Introduction databases and MYSQLIntroduction databases and MYSQL
Introduction databases and MYSQL
Naeem Junejo
 
PHP mysql Introduction database
PHP mysql Introduction database PHP mysql Introduction database
PHP mysql Introduction database
Mudasir Syed
 
Mysql python
Mysql pythonMysql python
Mysql python
Janu Jahnavi
 
Mysql python
Mysql pythonMysql python
Mysql python
Janu Jahnavi
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
Felipe Prado
 
Sql full tutorial
Sql full tutorialSql full tutorial
Sql full tutorialMozaaic Cyber Security
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
Intro to SQL for Beginners
Intro to SQL for BeginnersIntro to SQL for Beginners
Intro to SQL for Beginners
Product School
 
The vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQLThe vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQL
Lukas Eder
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
QB Into the Box 2018
QB Into the Box 2018QB Into the Box 2018
QB Into the Box 2018
Ortus Solutions, Corp
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Eoin Keary
 
Sql injection
Sql injectionSql injection
Sql injection
Mehul Boghra
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices I
Carlos Oliveira
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection AttacksCompare Infobase Limited
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 

More Related Content

Similar to Belajar Menghindari SQL Injection dengan Simulasi

Beg sql
Beg sqlBeg sql
Beg sql
Karthik Perumal
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
Alex Zaballa
 
MySQL 8.0 Released Update
MySQL 8.0 Released UpdateMySQL 8.0 Released Update
MySQL 8.0 Released Update
Keith Hollman
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
Introduction databases and MYSQL
Introduction databases and MYSQLIntroduction databases and MYSQL
Introduction databases and MYSQL
Naeem Junejo
 
PHP mysql Introduction database
PHP mysql Introduction database PHP mysql Introduction database
PHP mysql Introduction database
Mudasir Syed
 
Mysql python
Mysql pythonMysql python
Mysql python
Janu Jahnavi
 
Mysql python
Mysql pythonMysql python
Mysql python
Janu Jahnavi
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
Felipe Prado
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
Intro to SQL for Beginners
Intro to SQL for BeginnersIntro to SQL for Beginners
Intro to SQL for Beginners
Product School
 
The vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQLThe vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQL
Lukas Eder
 
Sql injection
Sql injectionSql injection
Sql injection
Nikunj Dhameliya
 
QB Into the Box 2018
QB Into the Box 2018QB Into the Box 2018
QB Into the Box 2018
Ortus Solutions, Corp
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
Eoin Keary
 
Sql injection
Sql injectionSql injection
Sql injection
Mehul Boghra
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices I
Carlos Oliveira
 

Similar to Belajar Menghindari SQL Injection dengan Simulasi (20)

Beg sql
Beg sqlBeg sql
Beg sql
 
Beg sql
Beg sqlBeg sql
Beg sql
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
 
MySQL 8.0 Released Update
MySQL 8.0 Released UpdateMySQL 8.0 Released Update
MySQL 8.0 Released Update
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
Introduction databases and MYSQL
Introduction databases and MYSQLIntroduction databases and MYSQL
Introduction databases and MYSQL
 
PHP mysql Introduction database
PHP mysql Introduction database PHP mysql Introduction database
PHP mysql Introduction database
 
Mysql python
Mysql pythonMysql python
Mysql python
 
Mysql python
Mysql pythonMysql python
Mysql python
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lampDEFCON 23 - Lance buttars Nemus - sql injection on lamp
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
 
Sql full tutorial
Sql full tutorialSql full tutorial
Sql full tutorial
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Intro to SQL for Beginners
Intro to SQL for BeginnersIntro to SQL for Beginners
Intro to SQL for Beginners
 
The vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQLThe vJUG talk about jOOQ: Get Back in Control of Your SQL
The vJUG talk about jOOQ: Get Back in Control of Your SQL
 
Sql injection
Sql injectionSql injection
Sql injection
 
QB Into the Box 2018
QB Into the Box 2018QB Into the Box 2018
QB Into the Box 2018
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices I
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 

Recently uploaded

1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 

Recently uploaded (20)

1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 

Belajar Menghindari SQL Injection dengan Simulasi

  • 1. SQL NJECT ON BELAJAR MENGHINDARI MELALUI SIMULASI RIO ASTAMAL 02 Februari 2021 19:00 Founder BelajarAWS.com PHPID-OL#52
  • 2. DISCLAIMER MATERI DALAM PRESENTASI INI HANYA DITUJUKAN UNTUK MENINGKATKAN PENGETAHUAN TENTANG KEAMANAN WEB. SEGALA BENTUK PENYALAHGUNAAN AKSI AKIBAT DARI INFORMASI YANG ADA PADA MATERI INI BUKANLAH TANGGUNG JAWAB PEMATERI/PENYELENGGARA. WEB SIMULASI HACKING YANG DIGUNAKAN ADALAH ABWH.RIOASTAMAL.NET MILIK DARI RIO ASTAMAL DAN WEBSITE TERSEBUT MEMANG DIDESAIN SEBAGAI LINGKUNGAN LEGAL UNTUK MENCOBA WEB HACKING.
  • 3. RIO ASTAMAL 2020 Writer TeknoCerdas.com (ID)*
 2017 Lead Backend @ClearView.team (US)
 2016 Founder BelajarAWS.com (ID)*
 2015 Lead Dev @DominoPOS (SG)
 2014 System Engineer @WowRack (US/ID)
 2004 Freelance Web Developer *) Masih aktif hingga sekarang
  • 4. APA YANG DIPELAJARI? + Pengertian SQL Injection
 + Kenapa SQL Injection bisa terjadi
 + Contoh SQL Injection
 + Mencegah SQL Injection
 + Simulasi web hacking menggunakan 
 teknik Blind SQL Injection pada 
 RM6 abwh.rioastamal.net beginner - intermediate
  • 6. SQL INJECTION TEKNIK PENYERANGAN YANG MEMASUKKAN ATAU “MENGINJEKSI” PERINTAH KE SEBUAH QUERY SQL YANG DIJALANKAN OLEH APLIKASI TARGET. SERANGAN SQL INJECTION YANG SUKSES DAPAT MEMBACA INFORMASI SENSITIF* PADA DATABASE, BAHKAN MENGUBAH DATA ATAU DAPAT MENGEKSEKUSI PERINTAH ADMINISTRATOR JIKA ROLE YANG DIDAPAT SESUAI. *) Password, Kartu Kredit, Info Pengguna atau lain-lain.
  • 8. SQL NJECT ON #OWASP TOP 10 2010, 2013, 2017 MENEMPATKAN SEBAGAI ANCAMAN #1
  • 9. SAYA MASIH BINGUNG BERI SAYA CONTOH!
  • 10. CONTOH TAMPILKAN PRODUK BERDASARKAN KATEGORI URL http://example.com/products/?categori=X SQL QUERY SELECT * FROM `products` WHERE `catid`=‘X’ LIMIT 0,10 PARAMETER INJECTION http://example.com/products/?categori='%20OR%201=1%23 SELECT * FROM `products` WHERE `catid`=‘‘ OR 1=1 #LIMIT 0,10 MENGHASILKAN SQL INJECTION
  • 11. CONTOH TADI SEPERTINYA TIDAK TERLIHAT BERBAHAYA! OH BEGITU. MARI KITA COBA LAKUKAN DEMO SQL INJECTION.
  • 12. DEMO SQL NJECT ON SIMULASI HACKING PADA REALISTIC MISSION 6 ABW H.RIOASTAMAL.NET FOR EDUCATION ONLY!
  • 13. TUJUAN DARI REALISTIC MISSION 6 + MENGGUNAKAN TEKNIK BLIND SQL INJECTION UNTUK MENGGALI INFORMASI DARI DATABASE + MENGUJI PEMAHAMAN PENGGUNAAN KLAUSA “UNION” UNTUK MENGGABUNGKAN HASIL QUERY PADA SAAT INVESTIGASI + MENGUJI PEMAHAMAN TENTANG TABEL SPESIAL PADA MYSQL YAITU “INFORMATION_SCHEMA”
  • 14. BLIND SQL INJECTION SERANGAN SQL INJECTION YANG MENGANDALKAN RESPONSE TRUE/ FALSE DARI APLIKASI. ATTACKER AKAN MENCOBA MELAKUKAN SQL INJECTION PADA HALAMAN TARGET DENGAN MENGIRIM PARAMETER TERTENTU UNTUK MELIHAT HASILNYA. DARI MANA KITA TAHU HASILNYA TRUE ATAU FALSE?
  • 15. CONTOH BLIND SQL INJECTION http://example.com/products/?categori=X SQL QUERY NORMAL SELECT * FROM `products` WHERE CatID=‘X’ LIMIT 0,10 SQL INJECTION DENGAN TARGET TRUE http://example.com/products/?categori=X'%20AND%201=1%23 SELECT * FROM `products` WHERE CatID=‘X’ AND 1=1 #LIMIT 0,10 MENGHASILKAN QUERY SQL INJECTION DENGAN TARGET FALSE http://example.com/products/?categori=X'%20AND%201=2%23 SELECT * FROM `products` WHERE CatID=‘X’ AND 1=2 #LIMIT 0,10 MENGHASILKAN QUERY
  • 16. PERINTAH UNION PADA SQL MENGGABUNGKAN HASIL DARI SATU ATAU LEBIH STATEMENT SELECT. JUMLAH KOLOM DARI MASING-MASING SELECT STATEMENT HARUS SAMA. SELECT Website, Owner FROM websites;
 
 +-----------------+-------------+
 | Website | Owner |
 +-----------------+-------------+
 | BelajarAWS.com | Rio Astamal |
 | TeknoCerdas.com | Rio Astamal |
 +-----------------+-------------+ SELECT Website, Owner FROM websites
 UNION
 SELECT 1, 2;
 
 +-----------------+-------------+
 | Website | Owner |
 +-----------------+-------------+
 | BelajarAWS.com | Rio Astamal |
 | TeknoCerdas.com | Rio Astamal |
 | 1 | 2 |
 +-----------------+-------------+
  • 17. TABEL INFORMATION_SCHEMA TABEL YANG BERISI METADATA DARI DATABASE PADA MYSQL SEPERTI NAMA TABEL DAN KOLOM. SELECT TABLE_NAME,TABLE_TYPE FROM 
 INFORMATION_SCHEMA.TABLES;
 
 +-----------------+-------------+
 | TABLE_NAME | TABLE_TYPE |
 +-----------------+-------------+
 | table_abc | BASE_TABLE |
 | table_xyz | BASE_TABLE |
 +-----------------+-------------+ SELECT COLUMN_NAME,DATA_TYPE FROM 
 INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_NAME=“table_abc”;
 
 +-----------------+-------------+
 | COLUMN_NAME | DATA_TYPE |
 +-----------------+-------------+
 | column_abc | VARCHAR |
 | column_xyz | VARCHAR |
 +-----------------+-------------+
  • 19. #1 JANGAN PERNAH MEMPERCAYAI INPUT DARI USER SELALU LAKUKAN SANITASI PADA INPUTAN DARI USER JIKA MEMANG TERPAKSA MENGGUNAKAN RAW QUERY. // Jika mengharap inputan berupa angka saja
 $catId = (int)($someData); // atau
 $catId = filter_var($someData, FILTER_VALIDATE_INT); // Jika mengharap inputan alphanumeric
 if (preg_match(‘/[^0-9A-Za-z]/‘, $someData) {
 exit(1); } // Jika mengharap semua karakter maka escape atau quote
 $someData = $pdo->quote($someData);
  • 20. #2 SELALU GUNAKAN PREPARED STATEMENT GUNAKAN PDO ATAU DRIVER YANG MENDUKUNG PREPARED STATEMENT $catId = $_GET[‘cat’] ?? 0;
 $query = ‘SELECT * FROM products WHERE categoryId = :id’
 
 $stmt = $pdo->prepare($query);
 $stmt->execute([‘:id’ => $catId]);
  • 21. #3 GUNAKAN FRAMEWORK FRAMEWORK UMUMNYA MENYEDIAKAN PUSTAKA ORM YANG OTOMATIS MELAKUKAN SANITASI DAN HAL-HAL YANG DIPERLUKAN UNTUK MENGHINDARI SQL INJECTION. // Laravel
 $products = Product::where(‘CatId’, $catId) ->take(10) ->get();
  • 22. #4 LAKUKAN CODE REVIEW BERKALA CARA PALING EFEKTIF SEBENARNYA ADALAH PENCEGAHAN. YAITU DENGAN MELAKUKAN CODE REVIEW BERKALA. KADANG DEVELOPER BERPENGALAMAN PUN MELAKUKAN KESALAHAN ENTAH KARENA DIBURU WAKTU ATAU TERLUPA SEHINGGA ASPEK SECURITY TERABAIKAN. AKAN LEBIH BAIK LAGI JIKA DILAKUKAN INTERNAL PENETRATION TESTING SENDIRI UNTUK MENGETAHUI CELAH KEAMANAN YANG ADA. ATAU MENAMBAHKAN TOOLS PENTESTING SEPERTI SQLMAP PADA CI/CD PIPELINE. $ git push master:pentesting
  • 23. ./END Rio Astamal rioastamal rioastamal.net rio@rioastamal.net Gambar icon diambil dari Flaticon.com Presentasi ini juga dapat dilihat pada https://rioastamal.net/presentasi/2021/02/