Uploaded byGauthamMK
PDF, PPTX201 views

Sql injection

SQL injection is a code injection technique that allows attackers to execute malicious SQL statements to gain unauthorized access to data. It works by inserting SQL code into user input fields for execution by the backend database. This can give attackers full access to the database, including reading local files, uploading files, and accessing administrator privileges. While errors may reveal vulnerabilities, "blind SQL injection" occurs when no errors are displayed, requiring time-based or boolean techniques to exploit. Prevention methods like filtering and blacklisting can be bypassed, so the most secure approach is using parameterized statements to separate data from code.

Embed presentation

Download as PDF, PPTX
SQL INjection -Gautham MK A SQL query walks into a bar and sees two tables. He walks up to them and says 'Can I join you?’ -r/ProgrammerHumour
Some important concepts before we jump right in Data Database SQL
What is SQLi? SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution.
How dangerous is SQLi?
Give full access to the database-you basically have everything you need. Read local files outside the www root. Upload and read files similar to file inclusion vulnerabilities and even php shells. Access admin privileges by logging in as the admin.
Carrying out a simple SQLi attack by inserting into text fields Try to break the page by using and, order by or ” ’ ” Test text boxes and urls of the form: https:///www.target.com/ page.php?something=something Can be used for bypassing logins
Extracting sensitive data Use order by to identify the number of columns and find out where the information is displayed. Perform a union select to output multiple values and find the database information Find the table names in a particular database. (use information_schema) Find the required table and try to extract useful information.
Discovering SQLi and extracting data using sqlmap Automates detection of SQLi vulnerabilities sqlmap -u target url
Looking at a more challenging type of SQLi attacks: Blind SQLi We don’t have a clue as to whether the web application is vulnerable to injection attack or not. i.e no error messages are displayed. Can be exploited using time based and boolean based methods.
Looking at a more challenging type of SQLi attacks: Blind SQLi We don’t have a clue as to whether the web application is vulnerable to injection attack or not. i.e no error messages are displayed.
Preventing SQLi Using filters to make it look like there are no exploits. Can be bypassed. Using black lists to prevent the occurrence of order by, union, etc. Can be bypassed. Using a white list to allow only specific commands. Can be bypassed. Use parameterised statements, separate data from code
Thank You

More Related Content

PPTX
Top Academic Search Engines for Research
byCognibrain Healthcare
 
PPTX
Sql Injection
byAju Thomas
 
PPT
Sql injection attacks
bychaitanya Lotankar
 
PPT
Sql injection attacks
byKumar
 
PPT
Shaping Tomorrow - Getting Started - Sources
byKerry Richardson
 
PDF
Entity Relationship Diagram of Library System
byAbdul Rahman Sherzad
 
PDF
Apache Solr
byKevin Wenger
 
PDF
sql injection login bypass sqli-191017162412.pdf
bybankservicehyd
 
Top Academic Search Engines for Research
byCognibrain Healthcare
 
Sql Injection
byAju Thomas
 
Sql injection attacks
bychaitanya Lotankar
 
Sql injection attacks
byKumar
 
Shaping Tomorrow - Getting Started - Sources
byKerry Richardson
 
Entity Relationship Diagram of Library System
byAbdul Rahman Sherzad
 
Apache Solr
byKevin Wenger
 
sql injection login bypass sqli-191017162412.pdf
bybankservicehyd
 

Similar to Sql injection

PPTX
SQL injection
byRaj Parmar
 
PDF
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PDF
Practical Approach towards SQLi ppt
byAhamed Saleem
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
PPTX
cybersecurity and sql injection for students
byVeenaShree20
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
Sql injection
bySuraj Tiwari
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PDF
SQL Injection
byAbhinav Nair
 
PPTX
SQL injection implementation and prevention
byRejaul Islam Royel
 
PPTX
SQL INJECTIONS.pptx
byJayeshYadav53
 
PPTX
Sql injections
byKK004
 
PPT
Introduction to SQL Injection
byjpubal
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PDF
Understanding advanced blind sqli attack
byNguyễn Đoàn
 
PPT
Sql injection attacks
byNitish Kumar
 
PPTX
Sqlmap
byRushikesh Kulkarni
 
PPTX
SQL Injection.jpg.pptx
bydawitTerefe5
 
SQL injection
byRaj Parmar
 
SQL injection Colombo Cybersecurity Meetup
byJanith Malinga
 
How to identify and prevent SQL injection
byEguardian Global Services
 
Practical Approach towards SQLi ppt
byAhamed Saleem
 
SQL INJECTION
byAnoop T
 
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
cybersecurity and sql injection for students
byVeenaShree20
 
SQL INJECTION
byMentorcs
 
Sql injection
bySuraj Tiwari
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
SQL Injection
byAbhinav Nair
 
SQL injection implementation and prevention
byRejaul Islam Royel
 
SQL INJECTIONS.pptx
byJayeshYadav53
 
Sql injections
byKK004
 
Introduction to SQL Injection
byjpubal
 
Sql injection - security testing
byNapendra Singh
 
Understanding advanced blind sqli attack
byNguyễn Đoàn
 
Sql injection attacks
byNitish Kumar
 
Sqlmap
byRushikesh Kulkarni
 
SQL Injection.jpg.pptx
bydawitTerefe5
 

Recently uploaded

PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 

Sql injection

  • 1.
    SQL INjection -Gautham MK ASQL query walks into a bar and sees two tables. He walks up to them and says 'Can I join you?’ -r/ProgrammerHumour
  • 2.
    Some important concepts beforewe jump right in Data Database SQL
  • 3.
    What is SQLi? SQLinjection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution.
  • 4.
  • 6.
    Give full accessto the database-you basically have everything you need. Read local files outside the www root. Upload and read files similar to file inclusion vulnerabilities and even php shells. Access admin privileges by logging in as the admin.
  • 7.
    Carrying out asimple SQLi attack by inserting into text fields Try to break the page by using and, order by or ” ’ ” Test text boxes and urls of the form: https:///www.target.com/ page.php?something=something Can be used for bypassing logins
  • 8.
    Extracting sensitive data Use orderby to identify the number of columns and find out where the information is displayed. Perform a union select to output multiple values and find the database information Find the table names in a particular database. (use information_schema) Find the required table and try to extract useful information.
  • 9.
    Discovering SQLi and extractingdata using sqlmap Automates detection of SQLi vulnerabilities sqlmap -u target url
  • 10.
    Looking at amore challenging type of SQLi attacks: Blind SQLi We don’t have a clue as to whether the web application is vulnerable to injection attack or not. i.e no error messages are displayed. Can be exploited using time based and boolean based methods.
  • 11.
    Looking at amore challenging type of SQLi attacks: Blind SQLi We don’t have a clue as to whether the web application is vulnerable to injection attack or not. i.e no error messages are displayed.
  • 12.
    Preventing SQLi Using filtersto make it look like there are no exploits. Can be bypassed. Using black lists to prevent the occurrence of order by, union, etc. Can be bypassed. Using a white list to allow only specific commands. Can be bypassed. Use parameterised statements, separate data from code
  • 15.