Presentation on - SQL Injection. ~ By The Avi Sharma Presentation theme provided by - https://fppt.com Follow and join us - Instagram - https://instagram.com/the_avi_sharma_ WhatsApp - https://chat.whatsapp.com/LcRzPABUGdZ5otH4mG6zIP Telegram - https://t.me/theavisharma

1. SQL INJECTION
The Avi Sharma
Cyber security expert

2. Overview
• What is SQL Injection ?
• Forms of SQL Injection
• Blind SQL Injection
• How it works ?
• Types of attacks in SQL Injection
• Preventions
• Impacts and Tools
• Advantages and Disadvantages
• Conclusion

3. What is SQL Injection ?
• SQL injection is a code injection technique that might destroy your
database.
• SQL injection is one of the most common web hacking techniques.
• SQL injection is the placement of malicious code in SQL statements, via
web page input.
• SQL injection usually occurs when you ask a user for input, like their
username/user id, and instead of a name/id, the user gives you an SQL
statement that you will unknowingly run on your database.

4. Forms of SQL Injection
• There are four main sub-classes of SQL Injection:
• Classic SQL Injection
• Blind or Inference SQL Injection
• Database Management System-specific SQL Injection
• Compounded SQL Injection
• SQL Injection + insufficient authentication
• SQL Injection + DDoS attacks
• SQL Injection + DNS Hijacking
• SQL Injection + XSS
• The Storm Worm is one representation of Compounded SQL Injection.

5. Blind SQL Injection
Blind SQL injection is used when a web application is
vulnerable to an SQL injection but the results of the injection
are not visible to the attacker.
This type of attack has traditionally been considered time-
intensive because a new statement needed to be crafted for
each bit recovered, and depending on its structure, the attack
may consist of many unsuccessful requests.

6. Real world examples
• On august 17 , 2009 , the United States Justice Department
charged an American citizen Albert Gonzalez and two Russians
with the theft of 130 million credit card numbers using an SQL
injection attack.
• In 2008 a sweep of attacks began exploiting the SQLi
vulnerabilities of Microsoft's IIS web server and SQL database
server . Over 500,000 sites were exploited.

8. How it works?
• The ability to inject SQL commands into the database engine
through an existing application
• SQL injection is the use of publicly available fields to gain
entry to your database.
• This is done by entering SQL commands into your form fields
instead of the expected data.
• Improperly coded forms will allow a hacker to use them as an
entry point to your database

9. Types of attacks in SQL Injection
• SQL Injections can do more harm than just by passing the login
algorithms. Some of the attacks include -
1. Deleting data.
2. Updating data.
3. Inserting data.

10. Types of attacks in SQL Injection
4. Executing commands on the server that can
download and install malicious programs such as
Trojans
5. Exporting valuable data such as credit card details,
email, and passwords to the attacker’s remote server
• Getting user login details etc

11. How to prevent SQL Injections
• Step 1: Train and maintain awareness
• Step 2: Don’t trust any user input
• Step 3: Use white lists , not blacklists
• Step 4: Adopt the latest technologies
• Step 5: Employ verified mechanisms
• Step 6: Scan regularly (with Acunetix)

12. Prevention against
SQL Injection Attacks
• User input should never be trusted.
• Stored procedures – these can encapsulate the SQL
statements and treat all input as parameters.
• Regular expressions –these can be used to detect
potential harmful code and remove it before
executing the SQL statements.

13. Prevention against
SQL Injection Attacks
• Database connection user access rights –only
necessary access rights should be given to
accounts used to connect to the database. This can
help reduce what the SQL statements can perform
on the server.

14. Impacts of SQL Injection
1. Leakage of sensitive information.
2. Reputation decline.
3. Modification of sensitive information.
4. Loss of control of db server.
5. Data loss.
6. Denial of service.

15. SQL Injection Tools
• BSQL Hacker
• SQLmap
• SQLninja
• Safe3 SQL Injector
• SQLSus
• Mole
• Havij

16. Advantages of SQL
• Faster Query Processing –
Large amount of data is retrieved quickly and efficiently.
Operations like Insertion, deletion, manipulation of data is
also done in almost no time.
• No Coding Skills –
For data retrieval, large number of lines of code is not
required. All basic keywords such as SELECT, INSERT INTO,
UPDATE, etc are used and also the syntactical rules are not
complex in SQL, which makes it a user-friendly language.

17. Advantages of SQL
• Portable –
It can be used in programs in PCs, server, laptops independent
of any platform (Operating System, etc). Also, it can be
embedded with other applications as per
need/requirement/use.
• Interactive Language –
Easy to learn and understand, answers to complex queries can
be received in seconds.

18. Disadvantages of SQL
• Complex Interface –
SQL has a difficult interface that makes few users
uncomfortable while dealing with the database.
• Cost –
Some versions are costly and hence, programmers
cannot access it.
• Partial Control –
Due to hidden business rules, complete control is not
given to the database.

19. Disadvantages of SQL
• Unauthorized access to systems or accounts.
• Compromise of individual machines or entire
networks.
• Interfacing an SQL database is more complex than
adding a few lines of code.

20. Conclusion
• SQL injection is technique for exploiting applications
that use relational databases as their back end.
• Applications compose SQL statements and send to
database.
• SQL injection use the fact that many of these
applications concatenate the fixed part of SQL
statement with user-supplied data that forms where
predicates or additional sub-queries.

21. Thank You
Thank You
~The Avi Sharma
Cyber security expert
[ C.E.H ]