![Page 1: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/1.jpg)
![Page 2: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/2.jpg)
![Page 3: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/3.jpg)
SQL is used to build and communicate with a database. The communicating sections are typically a "front end" which transmit a SQL Statement across a connection to a "back end" that having the database.
Ex: Oracle, MS SQL Server, MS Access, Ingres, DB2, Sybase, Informix, etc.
![Page 4: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/4.jpg)
![Page 5: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/5.jpg)
![Page 6: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/6.jpg)
)
SELECT
UPDATE
INSERT INTO
DELETE
CREATE TABLE ALTER TABLE DROP TABLE
![Page 7: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/7.jpg)
)
GRANT
REVOKE
COMMIT ROLL BACK
![Page 8: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/8.jpg)
![Page 9: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/9.jpg)
![Page 10: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/10.jpg)
![Page 11: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/11.jpg)
![Page 12: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/12.jpg)
![Page 13: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/13.jpg)
CREATE DATABASE.
CREATE TABLE.
ALTER TABLE.
DROP DATABASE.
DROP TABLE.
UPDATE.
SELECT
![Page 14: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/14.jpg)
![Page 15: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/15.jpg)
' or " Character string indicators
-- or # Single-line comment
/*…*/ Multiple-line comment
+ Addition, concatenate (or space in url)
|| (Double pipe) concatenate
% Wildcard attribute indicator
?Param1=foo&Param2=bar Url parameter
@variable Local variable
@@variable Global variable
‘’ “” Character string indicators
. Identifier qualifier separator
“” Quoted identifier indicators
-- Single-line comment delimiter
![Page 16: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/16.jpg)
3) Dumping Data
2) Bypass attack 6) Expand Influence
5) RCE
1) Info. Gathering
4)OS Interaction
![Page 17: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/17.jpg)
![Page 18: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/18.jpg)
Output mechanism
Understand the query
Determine database type
Find out user privilege level
Determine OS interaction level
![Page 19: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/19.jpg)
Union based injection (Parameter& Post)
Error based injection
Blind SQL injection
Single, double quote injection
Integer, Boolean
Time based
Header, Cookie based
![Page 20: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/20.jpg)
Union based injection is merging multiple column to
identify the how many columns .
![Page 21: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/21.jpg)
Already told how to break sql query, When We break the
query It’ll shows an error message so that we can able get
interact with db.
![Page 22: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/22.jpg)
Web Content page with integer input in URL; id
parameter is used to code injection. That will helps to
SQLi.
![Page 23: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/23.jpg)
It is far to be a kind of Cookie Poisoning. A SQL
injection attack consists of modification of cookies
via cookie editor will used to exploit the web app.
-ref: wikipedia
![Page 24: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/24.jpg)
![Page 25: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/25.jpg)
It’s a general class of web application
security vulnerability It occurs when Hypertext
Transfer Protocol (HTTP) headers are
dynamically generated based on user input.
![Page 26: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/26.jpg)
Time-Based Blind SQL
Injection Attacks. Perform
tests by injecting time delays
![Page 27: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/27.jpg)
It doesn’t displays any error’s but some
actions occurs on the web page
![Page 28: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/28.jpg)
![Page 29: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/29.jpg)
• Hashing • Different case • Bypass keyword removal filters • URL-encoding • SQL comments • String Building
![Page 30: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/30.jpg)
• Reading and writing system files from disk
• Find passwords and configuration files
• Execute commands by overwriting initialization or configuration
files
• Direct command execution We can do anything Both are
restricted by the database's running privileges and permissions
![Page 31: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/31.jpg)
Stored DB query
Whitelisting the query
Firewall,IDS
![Page 32: SQL is used to build and communicate with a database. Thegbhackers.com/AdvanceSqli.pdf · SQL is used to build and communicate with a database. The communicating sections are typically](https://reader035.vdocuments.us/reader035/viewer/2022070921/5fba1b6d2db8be73ad343eec/html5/thumbnails/32.jpg)