Colin McLean
Lecturer in Ethical Hacking
 This is a stand-alone environment.
 Seeing attacks makes a difference!
 Please don’t try any of this at home!
 PS Adam is a 4th year Ethical Hacking student at Abertay.
Installed on my PC. Adam will try to hack it..
And generally not as well defended.
[Diagram: a typical Web application architecture, from browser to database]
• Web client: IE, Firefox, Opera, etc.
• HTTP request / HTTP response (HTML, JavaScript, VBScript, etc.), sent clear-text or over SSL
• Web server: Apache, IIS, Netscape, etc.
• Web app: Perl, C++, CGI, Java, ASP, PHP, etc.
• App server (optional): ColdFusion, Oracle 9iAS, GlassFish, etc.; transport AJP, IIOP, etc.
• DB: Oracle, SQL Server, etc., reached via ADO, ODBC, JDBC, etc.
 Entering Colin and test gives a SQL query similar to the following:
$query = "SELECT * FROM accounts WHERE username='Colin' AND password='test'";
 PROBLEM: Often there is no filtering of input, meaning that a hacker can inject CODE.
Typical Code
$username = $_REQUEST["username"];   // taken straight from the request, no validation
$password = $_REQUEST["password"];
// both values are spliced into the SQL text, so they can change the query's structure
$query = "SELECT * FROM accounts WHERE username='$username' AND password='$password'";
 Entering blah' OR 1=1#
 In MySQL, "#" starts a comment, so everything after it is ignored.
$query = "SELECT * FROM accounts WHERE username='$username' AND password='$password'";
 Gives
SELECT * FROM accounts WHERE username='blah' OR 1=1# password=''
 Effectively
SELECT * FROM accounts WHERE username='blah' OR 1=1
 HacmeBank has an SQL injection flaw.
 Adam is currently trying to do as much damage as he can by exploiting this flaw....
 The “SQLMAP” tool, as used by hacking groups.
login_id  password  user_name
JV        JV789     Joe Vilella
JM        jm789     John Mathew
JC        jc789     Jane Chris
Abertay Ethical Hacking Group
user_id  branch                   currency  account_no        account_type  creation_date       balance_amount
1        Texas-Remington Circle   USD       5204320422040000  Platinum      Jun 14 2005 1:29AM  16779
1        Texas-Remington Circle   USD       5204320422040000  Silver        Jun 14 2005 1:29AM  8145
2        Mahnattan - New york     USD       5204320422040000  Silver        Sep 14 2005 1:29AM  8555
2        Mahnattan - New York     USD       5204320422040000  Platinum      Sep 12 2005 1:23AM  91000
3        L A-Hoston Road          USD       5204320422040000  Platinum      Jun 14 2005 1:29AM  4800
3        L A-Hoston Road          USD       5204320422040000  Silver        Jun 14 2005 1:29AM  5100
3        Buston-Richadson Avenue  USD       5204320422040000  Platinum      Jun 14 2005 1:29AM  7600
3        Buston-Richadson Avenue  USD       5204320422040000  Silver        Jun 14 2005 1:29AM  1200
2        Mahnattan - New York     USD       5204320422040000  Gold          Oct 12 2005 1:23AM  850
Transactions table
 Gain a “shell” on the victim's PC.
 Stop firewall
 Deface Web site
 Could also publish database on the Internet.
 Reputation?
 Compensation?
 Could be devastating for the company.
 Approximately 3 lines of code..
 AWARENESS.
 Only one of many Web flaws.
 A1-Injection
 A2-Broken Authentication and Session Management
 A3-Cross-Site Scripting (XSS)
 A4-Insecure Direct Object References
 A5-Security Misconfiguration
 A6-Sensitive Data Exposure
 A7-Missing Function Level Access Control
 A8-Cross-Site Request Forgery (CSRF)
 A9-Using Components with Known Vulnerabilities
 A10-Unvalidated Redirects and Forwards.
 ..etc
We are all vulnerable.
No such thing as a “dumb user”.
 Relies on the victim clicking on a link (e.g. e-mail, Google search, etc.).
 A hacker's success against a company can be greatly increased by targeting its users.
 E.g. it might not be easy to get an accountant to click on any old link....but...
 Get user to visit a page...
 Issue commands from the menu.
This is many users' view of what a trojan is...
 Install...
◦ Visit the wrong web page/install the wrong
software/Someone gets on your PC.
 Anti-virus can be evaded relatively easily.
 The ultimate hack.
Unpatched / Downloaded..
How dangerous?
• This demo applies to “out of date”
software or packages downloaded
from the Internet.
• If a flaw isn’t fixed then this is what
can happen.
 Technical controls can help greatly, but developer / networking staff / IT staff / user awareness is a major mitigation.
 Most modern hacking attacks require user “help”.
 Awareness training @ Abertay Uni...
◦ Pen Testing & Vulnerability Assessment (2 days)
◦ Security awareness for users (1/2 day)
◦ Web Security testing (2 days)
◦ Security Awareness for Managers (1/2 day)
◦ Secure Coding (1 day)
◦ Wireless security (1 day)
◦ Intro to Digital Forensics (2 days)
◦ Network Forensics (2 days).
 In our Ethical Hacking lab or in your company.
Any questions?
Abertay Ethical Hacking Group

Edinburgh
