SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.
Demo Database
CustomerID | CustomerName | ContactName | Address | City | PostalCode | Country
1 | Alfreds Futterkiste | Maria Anders | Obere Str. 57 | Berlin | 12209 | Germany
2 | Ana Trujillo Emparedados y helados | Ana Trujillo | Avda. de la Constitución 2222 | México D.F. | 05021 | Mexico
3 | Antonio Moreno Taquería | Antonio Moreno | Mataderos 2312 | México D.F. | 05023 | Mexico
4 | Around the Horn | Thomas Hardy | 120 Hanover Sq. | London | WA1 1DP | UK
5 | Berglunds snabbköp | Christina Berglund | Berguvsvägen 8 | Luleå | S-958 22 | Sweden
SELECT * FROM Customers;
SELECT CustomerName, City FROM Customers;
SELECT * FROM Customers WHERE Country='Mexico';
SELECT * FROM Customers WHERE CustomerID=1;
SELECT * FROM Customers WHERE Country='Germany' AND City='Berlin';
SELECT * FROM Customers ORDER BY Country, CustomerName;
UPDATE Customers SET ContactName='Alfred Schmidt', City='Hamburg' WHERE CustomerName='Alfreds Futterkiste';
DELETE FROM Customers WHERE CustomerName='Alfreds Futterkiste' AND ContactName='Maria Anders';
Customers
CustomerID | CustomerName | ContactName | Address | City | PostalCode | Country
1 | Alfreds Futterkiste | Maria Anders | Obere Str. 57 | Berlin | 12209 | Germany

Suppliers
SupplierID | SupplierName | ContactName | Address | City | PostalCode | Country
1 | Exotic Liquid | Charlotte Cooper | 49 Gilbert St. | London | EC1 4SD | UK
• Notice that each SELECT statement within the UNION must have the same number of columns.
• The columns must also have similar data types.
• Also, the columns in each SELECT statement must be in the same order.
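The UNION rules above, checked against the two demo tables in an added Python/sqlite3 example (this is not code from the original slides; the in-memory tables are constructed from the first row of Customers and Suppliers shown above):

```python
import sqlite3

# Constructed in-memory copies of the two demo tables (first row of each),
# so the UNION rules can be checked offline.
CUSTOMERS = [(1, "Alfreds Futterkiste", "Maria Anders", "Obere Str. 57",
              "Berlin", "12209", "Germany")]
SUPPLIERS = [(1, "Exotic Liquid", "Charlotte Cooper", "49 Gilbert St.",
              "London", "EC1 4SD", "UK")]


def build_db() -> sqlite3.Connection:
    """Create the two demo tables with the column layout shown on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerID INTEGER, CustomerName TEXT, "
                 "ContactName TEXT, Address TEXT, City TEXT, PostalCode TEXT, Country TEXT)")
    conn.execute("CREATE TABLE Suppliers (SupplierID INTEGER, SupplierName TEXT, "
                 "ContactName TEXT, Address TEXT, City TEXT, PostalCode TEXT, Country TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?,?,?,?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO Suppliers VALUES (?,?,?,?,?,?,?)", SUPPLIERS)
    return conn


def union_contacts(conn: sqlite3.Connection) -> list:
    """Same number of columns, same order, compatible types: the UNION works
    and merges rows from both tables into one result set."""
    rows = conn.execute(
        "SELECT ContactName, City, Country FROM Customers "
        "UNION SELECT ContactName, City, Country FROM Suppliers"
    ).fetchall()
    return sorted(rows)


def union_column_mismatch(conn: sqlite3.Connection):
    """Two columns on the left, three on the right: the database rejects the
    statement. Returns the error text so the caller can see why it failed,
    or None if (unexpectedly) no error was raised."""
    try:
        conn.execute("SELECT ContactName, City FROM Customers "
                     "UNION SELECT ContactName, City, Country FROM Suppliers")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None
```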
Demo Database for News
NewsId | Title | Date | Content | ContentUser
1 | 1 | NULL | 'Some Text' | NULL
2 | 1 | NULL | 'Some user inserted text' | NULL
2 | 2 | 2016-01-07 | [Status] | User2
2 | 3 | 2016-01-07 | [Some other status] | user2
2 | 4 | NULL | 'Some other text' | NULL
2 | 5 | NULL | 'another text' | NULL
2 | 6 | 2016-01-07 | [Another Status] | user2
Select
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// The id column is selected too, because it is echoed below;
// column names must match the News table exactly
$sql = "SELECT NewsId, Content, Title FROM News WHERE NewsId=2";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while ($row = $result->fetch_assoc()) {
        echo "id: " . $row["NewsId"] . " - Name: " . $row["Content"] . " " . $row["Title"] . "<br>";
    }
} else {
    echo "0 results";
}
$conn->close();
?>
Insert Into
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Plain ASCII quotes: the curly quotes in the slide would break the SQL
$sql = "INSERT INTO News (Title, Content, NewsId) VALUES ('a', 'b', 12)";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
http://html.net/page.php?Newsid=1254
Why is there a question mark after the page name?
The answer is that the characters after the question mark are an HTTP query string. An HTTP query string can contain both variables and their values. In the example above, the HTTP query string contains a variable named "Newsid" with the value "1254".
http://html.net/page.php?Title=Joe
people.php?name=Joe
<html>
<head>
<title>Query string</title>
</head>
<body>
<?php
// The value of the variable name is read from the query string;
// htmlspecialchars() keeps it from being rendered as HTML
$name = htmlspecialchars($_GET["name"] ?? "");
echo "<h1>Hello " . $name . "</h1>";
?>
</body>
</html>
<form>
When you code a form, there are two particularly important attributes: action and method.
action
Used to enter the URL where the form is submitted. It would be the PHP file that you want to handle the input.
method
Can have either the value "post" or "get", which are two different methods to pass data. At this point, you don't need to know much about the difference, but with "get" the data is sent through the URL, and with "post" the data is sent as a block of data through the standard input service (STDIN).
<html>
<head>
<title>Form</title>
</head>
<body>
<h1>Enter your name</h1>
<form method="post" action="handler.php">
<input type="text" name="username">
<input type="submit">
</form>
</body>
</html>
<html>
<head>
<title>Form</title>
</head>
<body>
<?php
// The submitted username is read from the POST body;
// htmlspecialchars() keeps it from being rendered as HTML
$username = htmlspecialchars($_POST["username"] ?? "");
echo "<h1>Hello " . $username . "</h1>";
?>
</body>
</html>
Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data.
The concept of "Google Hacking" dates back to 2002, when Johnny Long began to collect interesting Google search queries that uncovered vulnerable systems and/or sensitive information disclosures, labeling them googleDorks. Some people call it Google hacking.
A Google dork is an employee who unknowingly exposes sensitive corporate information on the Internet
Google dorks put corporate information at risk because they unwittingly create back doors that allow an attacker to enter a network without permission and/or gain access to unauthorized information. To locate sensitive information, attackers use advanced search strings called Google dork queries.
Google dork queries are built with the advanced search operators that IT administrators, researchers and other professionals use in their daily work to narrow down search engine results. Commonly used search operators include:
site: restricts query results to a certain site or domain.
filetype: restricts query results to PDF files or other specific file types.
intext: restricts results to those content records that contain specific words or phrases.
Because search operators can be strung together, an attacker can use complex queries to find information that was published on the Internet but was not meant to be found. The use of advanced search operators to find information that is not easily accessed through simple searches is sometimes called Google dorking or Google hacking.
Operators
As well as programming languages, Google dorks have their own operators. Not all operators can be shown here, but these are the most commonly used ones. Let's take a look at the special Google search operators that are used to construct those high-powered Google hack search terms.
intitle
Specifying intitle tells Google to show only those pages that have the term in their HTML title. For example intitle:"login page" will show those pages which have the term "login page" in the title text.
inurl
Searches for the specified term in the URL. For example inurl:"login.php".
filetype
Searches for specific file types. filetype:pdf looks for PDF files on websites. Similarly, filetype:txt looks for files with the extension .txt.
intext
Searches the content of the page, somewhat like a plain Google search. For example intext:"index of /".
site
Limits the search to a specific site only. site:nullbyte.com
Information gathering
So you would normally understand it like this:
"inurl" = input URL
"domain" = your desired domain, e.g. .gov
"dorks" = the dork of your choice
Here is another example of that.
You can use the following operators instead of inurl:
intitle:, inurl:, intext:, define:, site:, phonebook:, maps:, book:, froogle:, info:, movie:, weather:, related:, link:
Information gathering
bWAPP, or buggy web application, is a free, open source, deliberately insecure web application written in PHP that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download the bee-box.
It helps security enthusiasts, developers and students to discover and prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
Installation guide
In VMware (bee-box)
https://www.computersecuritystudent.com/SECURITY_TOOLS/bWAPP/v2.2/lesson1/index.html
In Kali Linux (bWAPP)
https://www.youtube.com/watch?v=XDCZ8FC856s
The web app is literally asking the database server:
Do you have a user with the username 'Alex' and the password 'xxxx' registered in your system?
Which in SQL looks like this:
SELECT id FROM users WHERE username='Alex' and password='xxxx'
If the username entered is Alex' (with a trailing single quote), the SQL syntax is broken and an error occurs. This plays a key role in SQL injection!
SELECT id FROM users WHERE username='Alex'' and password='xxxx'
The original query
SELECT id FROM users WHERE username='Test' and password='xxxx'
becomes this
SELECT id FROM users WHERE username='Test' or 1=1 -- ' and password='xxxx'
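The two queries above, as an added Python/sqlite3 example that is not part of the original slides: the login check built by string concatenation (the broken-quote error and the 1=1 bypass) beside the same check with bound parameters, which treats the input as data. The users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed demo users table behind the login query on the slides
USERS = [(1, "Alex", "xxxx"), (2, "Test", "s3cret")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the slide's query by concatenation, so whatever the user types
    becomes part of the SQL text. Returns the matching ids, or the database
    error text when a stray quote breaks the syntax (the 'Alex'' case)."""
    sql = ("SELECT id FROM users WHERE username='" + username +
           "' and password='" + password + "'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes and '--' cannot change it."""
    rows = conn.execute(
        "SELECT id FROM users WHERE username=? and password=?",
        (username, password),
    )
    return [row[0] for row in rows]
```

Against the constructed table, the valid login returns [1], a bare trailing quote returns the syntax error, the "Test' or 1=1 -- " username returns every id through the concatenated query and nothing through the parameterized one.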