Mojgan Haratian 1 - Mohammad Reza Razian, mrazian.com/courses/95-96/2/ns/dl/sql injection.pdf


Mojgan Haratian 1

SQL injection is a technique where a malicious user injects SQL fragments into an SQL statement through web page input (a form field, a query-string parameter, a cookie).

The injected SQL changes the meaning of the statement the application intended to run and compromises the security of the web application.

2

3

Demo Database

4

CustomerID | CustomerName                       | ContactName        | Address                       | City        | PostalCode | Country
1          | Alfreds Futterkiste                | Maria Anders       | Obere Str. 57                 | Berlin      | 12209      | Germany
2          | Ana Trujillo Emparedados y helados | Ana Trujillo       | Avda. de la Constitución 2222 | México D.F. | 05021      | Mexico
3          | Antonio Moreno Taquería            | Antonio Moreno     | Mataderos 2312                | México D.F. | 05023      | Mexico
4          | Around the Horn                    | Thomas Hardy       | 120 Hanover Sq.               | London      | WA1 1DP    | UK
5          | Berglunds snabbköp                 | Christina Berglund | Berguvsvägen 8                | Luleå       | S-958 22   | Sweden

SELECT * FROM Customers;

SELECT CustomerName, City FROM Customers;

SELECT * FROM Customers WHERE Country='Mexico';

SELECT * FROM Customers WHERE CustomerID=1;

SELECT * FROM Customers WHERE Country='Germany' AND City='Berlin';

SELECT * FROM Customers ORDER BY Country, CustomerName;

UPDATE Customers SET ContactName='Alfred Schmidt', City='Hamburg' WHERE CustomerName='Alfreds Futterkiste';

DELETE FROM Customers WHERE CustomerName='Alfreds Futterkiste' AND ContactName='Maria Anders';

5

6

Customers

CustomerID | CustomerName        | ContactName  | Address       | City   | PostalCode | Country
1          | Alfreds Futterkiste | Maria Anders | Obere Str. 57 | Berlin | 12209      | Germany

Suppliers

SupplierID | SupplierName  | ContactName      | Address        | City   | PostalCode | Country
1          | Exotic Liquid | Charlotte Cooper | 49 Gilbert St. | London | EC1 4SD    | UK

• Each SELECT statement within the UNION must return the same number of columns.
• The columns must have compatible data types.
• The columns in each SELECT statement must be in the same order.

Demo Database

SELECT City FROM Customers UNION SELECT City FROM Suppliers ORDER BY City;
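The UNION rules above, as an added example that is not part of the slides: Python with the standard-library sqlite3 module stands in for the MySQL server, and the two tables are built in memory from the demo rows shown on the slides (constructed data, only the columns the query needs). The block runs the slide's query, contrasts the duplicate-dropping UNION with UNION ALL, and shows that the database rejects a UNION whose SELECTs return different numbers of columns, which is the rule the slide states.

```python
import sqlite3

# Demo rows copied from the slides' Customers and Suppliers tables
# (constructed subset: only the columns the UNION example needs).
CUSTOMERS = [
    (1, "Alfreds Futterkiste", "Berlin", "Germany"),
    (2, "Ana Trujillo Emparedados y helados", "México D.F.", "Mexico"),
    (3, "Antonio Moreno Taquería", "México D.F.", "Mexico"),
    (4, "Around the Horn", "London", "UK"),
    (5, "Berglunds snabbköp", "Luleå", "Sweden"),
]
SUPPLIERS = [
    (1, "Exotic Liquid", "London", "UK"),
]


def make_demo_db():
    """Build the demo database in memory (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID INTEGER, CustomerName TEXT, City TEXT, Country TEXT)"
    )
    conn.execute(
        "CREATE TABLE Suppliers (SupplierID INTEGER, SupplierName TEXT, City TEXT, Country TEXT)"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Suppliers VALUES (?, ?, ?, ?)", SUPPLIERS)
    return conn


def union_cities(conn):
    """The slide's query. UNION merges both result sets and drops duplicates:
    London appears in both tables but is returned once."""
    rows = conn.execute(
        "SELECT City FROM Customers UNION SELECT City FROM Suppliers ORDER BY City"
    ).fetchall()
    return [city for (city,) in rows]


def union_all_cities(conn):
    """UNION ALL keeps duplicates, so London is returned twice."""
    rows = conn.execute(
        "SELECT City FROM Customers UNION ALL SELECT City FROM Suppliers ORDER BY City"
    ).fetchall()
    return [city for (city,) in rows]


def union_column_mismatch_error(conn):
    """Each SELECT in a UNION must return the same number of columns.
    A mismatch is rejected when the statement is compiled; the engine's
    error text is returned so the caller can see what it complains about."""
    try:
        conn.execute("SELECT City FROM Customers UNION SELECT City, Country FROM Suppliers")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_demo_db()
    print(union_cities(db))
    print(union_all_cities(db))
    print(union_column_mismatch_error(db))
```

The column-count error is the same one an attacker later relies on when probing how many columns a vulnerable query returns, so it is worth knowing what it looks like on the database you run.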

7

8

NewsId | Title | Date       | Content                   | ContentUser
1      | 1     | NULL       | 'Some Text'               | Null
2      | 1     | NULL       | 'Some user inserted text' | Null
2      | 2     | 2016-01-07 | [Status]                  | User2
2      | 3     | 2016-01-07 | [Some other status]       | user2
2      | 4     | null       | 'Some other text'         | Null
2      | 5     | null       | 'another text'            | Null
2      | 6     | 2016-01-07 | [Another Status]          | user2

9

Demo Database for News

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// The id is a fixed constant here; no user input reaches the query yet
$sql = "SELECT id, Content, Title FROM News WHERE id=2";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while ($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"] . " - Content: " . $row["Content"] . " " . $row["Title"] . "<br>";
    }
} else {
    echo "0 results";
}
$conn->close();
?>

Select

10

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Literal values only; nothing from the request is concatenated into the statement
$sql = "INSERT INTO News (Title, Content, NewsId) VALUES ('a', 'b', '12')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

Insert Into

11

http://html.net/page.php?Newsid=1254

Why is there a question mark after the page name?

The answer is that the characters after the question mark are an HTTP query string. An HTTP query string can contain both variables and their values. In the example above, the query string contains a variable named "Newsid" with the value "1254".

http://html.net/page.php?Title=Joe

people.php?name=Joe

12

<html>

<head>

<title>Query string</title>

</head>

<body>

<?php

// The value of the query-string variable "name" is read from $_GET and echoed back unescaped, exactly as it was received

echo "<h1>Hello " . $_GET["name"] . "</h1>";

?>

</body>

</html>

13

<form>

When you code a form, there are two particularly important attributes: action and method.

action

The URL to which the form is submitted: the PHP file that you want to handle the input.

method

Can have either the value "post" or "get", which are two different ways of passing data. At this point you don't need to know much about the difference, but with "get" the data is sent through the URL (as a query string), and with "post" the data is sent as a block of data in the body of the HTTP request (which a CGI program reads from its standard input, STDIN).

14

<html>

<head>

<title>Form</title>

</head>

<body>

<h1>Enter your name</h1>

<form method="post" action="handler.php">

<input type="text" name="username">

<input type="submit">

</form>

</body>

</html>

15

<html>

<head>

<title>Form</title>

</head>

<body>

<?php

echo "<h1>Hello " . $_POST["username"] . "</h1>";

?>

</body>

</html>

16

Google

Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data.

The concept of "Google hacking" dates back to 2002, when Johnny Long began to collect interesting Google search queries that uncovered vulnerable systems and/or sensitive information disclosures, labeling them googleDorks.

17

In one common usage, a Google dork is an employee who unknowingly exposes sensitive corporate information on the Internet; in the security community the term more often refers to the search queries themselves.

Google dorks put corporate information at risk because they unwittingly create back doors that allow an attacker to enter a network without permission and/or gain access to unauthorized information. To locate sensitive information, attackers use advanced search strings called Google dork queries.

Google dork queries are built with the advanced search operators that IT administrators, researchers and other professionals use in their daily work to narrow down search engine results. Commonly used search operators include:

site: restricts query results to a certain site or domain.

filetype: restricts query results to PDF files or other specific file types.

intext: restricts results to pages whose content contains specific words or phrases.

Because search operators can be strung together, an attacker can use complex queries to find information that was published on the Internet but was not meant to be found. The use of advanced search operators to find information that is not easily accessed through simple searches is sometimes called Google dorking or Google hacking.

18

Operators

Like a programming language, Google dorking has its own operators. Not all of them are covered here, but these are the most commonly used ones: the special Google search operators from which the high-powered Google hack search terms are built.

intitle

Specifying intitle tells Google to show only those pages that have the term in their HTML title. For example intitle:"login page" shows pages whose title text contains "login page".

inurl

Searches for the specified term in the URL. For example inurl:"login.php".

filetype

Searches for specific file types. filetype:pdf looks for PDF files on websites; similarly filetype:txt looks for files with the extension .txt.

intext

Searches the content of the page, somewhat like a plain Google search. For example intext:"index of /".

site

Limits the search to a specific site only. site:nullbyte.com

Information gathering

19

A dork query is normally read in three parts:

"inurl" = the operator (here: search within the URL)

"domain" = the domain you want to target, e.g. .gov

"dorks" = the search term of your choice

Combined, a query of the form inurl:<term> site:<domain> returns only URLs on that domain that contain the term.

The following operators can be used instead of inurl:

intitle: inurl: intext: define: site: phonebook: maps: book: froogle: info: movie: weather: related: link:

Information gathering

20

21

22

bWAPP, or buggy web application, is a free, open-source, deliberately insecure web application written in PHP that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL, and can also be installed with WAMP or XAMPP. Another possibility is to download bee-box, a pre-built virtual machine with bWAPP already installed.

It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.

23

24

Installation guide

In VMware (bee-box):

https://www.computersecuritystudent.com/SECURITY_TOOLS/bWAPP/v2.2/lesson1/index.html

In Kali Linux (bWAPP):

https://www.youtube.com/watch?v=XDCZ8FC856s

25

26

Typical modern web application architecture (diagram): client -> web server -> database server -> data

27

Database server

28

The web app is literally asking the database server:

Do you have a user with the username 'Alex' and the password 'xxxx' registered in your system?

Which in SQL looks like this:

SELECT id FROM users WHERE username='Alex' and password='xxxx'

29

If the username contains a single quote, the SQL syntax is broken and an error occurs. This error plays a key role in SQL injection: it tells the attacker that the input is copied into the statement without escaping.

SELECT id FROM users WHERE username='Alex'' and password='xxxx'

30

Alex'

31

Test' or 1=1--

32

How is it possible?

The original query

SELECT id FROM users WHERE username='Test' and password='xxxx'

becomes this

SELECT id FROM users WHERE username='Test' or 1=1--' and password='xxxx'

The injected quote closes the username string early, or 1=1 makes the WHERE clause true for every row, and -- turns the rest of the statement, including the password check, into a comment. The query now returns the id of the first user in the table, so the application logs the attacker in without a valid password.

Caveat: in MySQL the -- comment marker is only recognized when it is followed by whitespace, so against MySQL the payload is typed with a trailing space (Test' or 1=1-- ) or with # as the comment marker. SQLite and PostgreSQL accept -- without a trailing space.
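The login bypass above and the page.php?Newsid=... query-string example from slide 12 have the same root cause: a request parameter is pasted into the SQL text. As an added example that is not part of the slides, the following Python script (standard-library sqlite3 standing in for MySQL; the users table is constructed here from the slide's 'Alex'/'xxxx' plus a second user) builds the slide's login query both ways: by string concatenation, where Alex' produces a database error and Test' or 1=1-- logs in as the first user, and with bound parameters, where the same inputs are treated as plain strings. Plaintext passwords are kept only to mirror the slide's query.

```python
import sqlite3

# Constructed users table: the slides use 'Alex' / 'xxxx'; 'Test' is added
# so that a second row exists. Plaintext passwords mirror the slide's
# query; a real application stores password hashes, not passwords.
USERS = [
    (1, "Alex", "xxxx"),
    (2, "Test", "secret"),
]


def make_user_db():
    """In-memory SQLite database standing in for the MySQL server on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the slide's statement by pasting the request parameters into the
    SQL text, just as "... where id=" . $_GET["Newsid"] would in PHP.
    Returns the user id on success, None when no row matches, and raises
    sqlite3.OperationalError when the input breaks the SQL syntax."""
    sql = f"SELECT id FROM users WHERE username='{username}' and password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with placeholders: the driver passes the values separately
    from the statement text, so quotes and comment markers in the input are
    only characters inside a string and cannot change the query structure."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row[0] if row else None


def probe_breaks_syntax(conn, username):
    """The slide's first test: a lone quote in the username. If the database
    answers with a syntax error, the input reaches the SQL text unescaped."""
    try:
        vulnerable_login(conn, username, "xxxx")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_user_db()
    print(vulnerable_login(db, "Alex", "xxxx"))              # 1: normal login
    print(probe_breaks_syntax(db, "Alex'"))                 # True: error reveals injection
    # Test' or 1=1-- closes the string, makes WHERE always true and comments
    # out the password check. SQLite accepts "--" as-is; MySQL needs a space
    # after "--" (send "Test' or 1=1-- " or use "#") for the comment to work.
    print(vulnerable_login(db, "Test' or 1=1--", "wrong"))  # 1: logged in as first user
    print(safe_login(db, "Test' or 1=1--", "wrong"))        # None: payload is just a string
    print(safe_login(db, "Alex'", "xxxx"))                  # None: no error, no match
```

The parameterized version is the fix to carry back to the PHP code on the slides: with mysqli that means prepare() with ? placeholders and bind_param() instead of building $sql from request data.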

33

1. Find vulnerable websites (how? by Google hacking)

2. Test the sites for SQLi bugs

3. Hack it!

34

The End - part 1