SQL Injection
and behind...
- Arjun M
Beating my own drums...
Arjun Gupta M
fb.com/arjungupta.m
▪ Working with Birlasoft, Security analyst at
World Bank Group....just because I have to work
▪ I enjoy hacking...de facto I know nothing else
▪ Always a learner
▪ Long rides, Planting trees, Charities
▪ Indian...I take pride in this
Let’s start with DB and SQL
▪ Database is an organized collection of data.
▪ Easy to Access, Manage and Update the data.
▪ SQL / Structured Query language is the standard language to interact
with the databases.
▪ DBs and True/False are thick friends… Let's see why, further on.
SQLI and the infamous ‘
▪ SQL injection is a code injection technique in which malicious SQL
statements are inserted into an entry field for execution.
– Get / Post parameters, Cookies, Referrer header, User Agent and so on…
▪ It involves the alteration of SQL statements that are used within a
web application through the use of attacker-supplied data.
▪ It is caused by incorrectly filtering special characters
before an action is performed on the input.
▪ The infamous rogue character that we love is ' which breaks the
syntax and lets us do the work.
Honors and greatness of SQLI
▪ SQLi was ranked first on the MITRE Common Weakness Enumeration
(CWE) in 2011.
▪ Top vulnerability in the OWASP Top 10 (2010 and 2013) under the Injection
category.
▪ SANS Top 25 Most Dangerous Software Errors list.
▪ Authentication bypass, complete takeover of the database.
▪ If you are still lucky, you can get the command shell too.
Authentication Bypass
BUT HOW
How does it work…
▪ The query used by the developer to validate the login credentials is:
SELECT * FROM users WHERE username='$user' AND password='$pwd';
– If the DB returns one row, the user gets logged in.
▪ Instead of legit credentials, I inject admin' AND '1'='1' --  for the username.
▪ Everything after the -- is commented out, and the following query is sent
to the DB for execution:
SELECT * FROM users WHERE username='admin' AND '1'='1';
▪ The DB processes the above query and returns one row, as the expression
'1'='1' is always True and the username also exists.
How does it work…
Behavior of the application with safe input
Another one…
Behavior of the application with Malicious input
True condition / False condition
Different responses for the True and False conditions confirm the injection vulnerability.
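To show the login bypass above and the True/False response difference on the same code, here is an added example (not the deck's own code, which is PHP): the slide's query built by string concatenation beside a parameterized version, both run against a constructed in-memory SQLite table with a single assumed user.

```python
import sqlite3

# Payloads from the slides: a true and a false condition for the username field.
TRUE_PAYLOAD = "admin' AND '1'='1' -- "
FALSE_PAYLOAD = "admin' AND '1'='2' -- "


def make_db():
    """Constructed sample table: one user with an assumed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Mirrors the slide: user input is pasted straight into the SQL text."""
    sql = f"SELECT * FROM users WHERE username='{user}' AND password='{pwd}'"
    # With TRUE_PAYLOAD the text becomes ... username='admin' AND '1'='1' -- ' AND password=...
    # and the DB treats everything after -- as a comment.
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, pwd):
    """Same query, but values are bound as parameters and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def responds_differently(login_fn, conn):
    """The slide's check: do the true and false conditions give different responses?
    A difference means the input reached the SQL parser; an identical response
    (both rejected) is what the parameterized version produces."""
    return login_fn(conn, TRUE_PAYLOAD, "x") != login_fn(conn, FALSE_PAYLOAD, "x")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable bypass:", login_vulnerable(db, TRUE_PAYLOAD, "x"))
    print("safe bypass:", login_safe(db, TRUE_PAYLOAD, "x"))
    print("vulnerable True/False differ:", responds_differently(login_vulnerable, db))
    print("safe True/False differ:", responds_differently(login_safe, db))
```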
Little further...
The number of columns is not 4
...try with a smaller one
Number of columns: 3
Google Dorks
▪ inurl:.php?id=
▪ article.php?id=
▪ about.php?cartID=
▪ inurl:login.php
▪ intitle:Admin inurl:login.php site:.pk
And so on….
Thanks to
My guru
Bharat kumar
Ping me @
fb.com/arjungupta.m
▪ Audi https://github.com/Audi-1/sqli-labs
▪ The makers of DVWA