A SEMINAR POWERPOINT PRESENTATION

 ON sql injection

(Structured Query Language Injection) 

Session: 2017-18

Submitted To: Submitted By: Dr. Deepak Dembla Shivam Sahu Professor & HOD IT 16BCAN035

&Computer Applications Department IInd Sem BCA

JECRC University, Jaipur

Structure of presentation• What are Injection attacks?• What is SQL?• What is SQL Injection?• Classes of SQL Injection?• Is it can be a very serious problem?• Important SQL Syntax!• Find SQL Injection Bugs ?• Impact of SQL Injection• SQL Attack steps!• News!!??• Any Websites provide Bugs Bounty for SQL Injection?• SQL Injection(code and dork)• How to hack Website using SQL Injection with easy Steps!(Live Demonstartion!)• SQL injection exploit?• How Can You Prevent This?• Other Injection Types• SQL injection Conclusion• Bibliography

What are Injection attacks?

• Injection attacks trick an application into including unintended commands in the data send to an interpreter.

• Interpreters• Interpret strings as commands.• Ex: SQL, shell (cmd.exe, bash), LDAP, XPath• Key Idea• Input data from the application is executed as

code by the interpreter.

What is SQL?• SQL: Structured

Query Language

• Used to store, edit, and retrieve database data

• Applications issue SQL commands that manage data

Web Application

Database

SQLChanges

Retr

ieva

l

What is SQL Injection?• App sends form to user.

• Attacker submits form with SQL exploit data.

• Application builds string with exploit data.

• Application sends SQL query to DB.

• DB executes query, including exploit, sends data back to application.

• Application returns data to user.

• Many web applications take user input from a form

• Often this user input is used literally in the construction of a SQL query submitted to a database

DB Server

Firewall

User

Pass ‘ or 1=1--

Video Source : https://www.youtube.com/watch?v=FwIUkAwKzG8

Classes of SQL Injection• SQL Injection can be broken up into 3 classes:

• 1.Inband - data is extracted using the same channel that is used to inject the SQL code. • This is the most straightforward kind of attack, in which the retrieved data is presented • directly in the application web page

• 2.Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of • the query is generated and sent to the tester)

• 3.Inferential - there is no actual transfer of data, but the tester is able to reconstruct the • information by sending particular requests and observing the resulting behaviour of the • website/DB Server.

Is it can be a very serious problem?

• The attacker can delete, modify or even worse, steal your data

• Compromises the safety, security & trust of user data

• Compromises a company’s competitiveness or even the ability to stay in business

Important SyntaxCOMMENTS: --

Example: SELECT * FROM `table` --selects everything

LOGIC: ‘a’=‘a’Example: SELECT * FROM `table` WHERE ‘a’=‘a’

MULTI STATEMENTS: S1; S2Example: SELECT * FROM `table`; DROP TABLE `table`;

Impact of SQL Injection1. Leakage of sensitive

information.2. Reputation decline.3. Modification of sensitive

information.4. Loss of control of db

server.5. Data loss.6. Denial of service.

SQL Attack steps• Searching for a vulnerable point• Fingerprinting the backend DB• Enumerating or retrieving data of interest –

table dumps, usernames/passwords etc.• Eventual exploiting the system once the

information is handy– OS take over, data change, web server take over

etc.

SQL Injection Attacks on the rise• Many, many sites have lost customer data in this way,” said Chris Hinkley,

Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.

• 16/11/2016 :Websites of Indian Embassy in 7 Countries Hacked; Database Leaked Online

SQL injection exploit?• Access sensitive data in the database, • Modify database data,• Execute administrative operations within the

database (e.g. shutdown the DBMS), • Recover the content of a given file present on

the DBMS file system • And in some cases issue commands to the

operating system.

Video Source : https://www.youtube.com/watch?v=J6-zUVUzZA4

Websites that provide bug bounty for SQL

Injectionhttps://www.hackerone.com/

SQL Injection' or 0=0 --' or 0=0 --'' or 0=0 #" or 0=0 --" or 0=0 --''" or 0=0 --or 0=0 --' or 0=0

" or 0=0 #' or a=a--

' or "a"="a' or 'a'='a

" or "a"="a') or ('a'='a

") or ("a"="ahi" or "a"="ahi" or 1=1 --

or 0=0 #' or 'x'='x

" or "x"="x') or ('x'='x" or 1=1--or 1=1--

' or a=a--'' or a=a #

hi' or 1=1 --

hi' or 'a'='ahi') or ('a'='a

hi") or ("a"="a' or 1=1--" or 1=1--or 1=1--

' or 'a'='a" or "a"="a') or ('a'='a

Finding SQL Injection Bugs

1. Submit a single quote as input.If an error results, app is vulnerable.If no error, check for any output changes.

2. Submit two single quotes.Databases use ’’ to represent literal ’If error disappears, app is vulnerable.

3. Try string or numeric operators.

How to mitigate the risk?

• Escape all user supplied input• Always validate input• Use prepared statements– For PHP+MySQL – use PDO with strongly typed

parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB– Salt them and hash them

How does this prevent an attack?

• The SQL statement you pass to prepare is parsed and compiled by the database server.

• By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.

• Then when you call execute the prepared statement is combined with the parameter values you specify.

• It works because the parameter values are combined with the compiled statement, not a SQL string.

• SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.

Prevention• Logic to allow only numbers / letters in username

and password.• How should you enforce the constraint?

SERVER SIDE.• ‘ESCAPE’ bad characters.

’ becomes \’• READ ONLY database access.• Remember this is NOT just for login areas!

NOT just for websites!!

Video Source: https://www.youtube.com/watch?v=WNNLpObPQuo

SQL injection Conclusion• SQL injection is technique for exploiting applications that use relational

databases as their back end. • Applications compose SQL statements and send to database. • SQL injection use the fact that many of these applications concatenate the

fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.

• The technique is based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information• All databases can be a target of SQL injection and all are vulnerable to this

technique. • The vulnerability is in the application layer outside of the database, and

the moment that the application has a connection into the database.

Other Injection Types• Shell injection.• Scripting language injection.• File inclusion.• XML injection.• XPath injection.• LDAP injection.• SMTP injection.

Some good sites to learn more

• Prevention guide (with sample code in many languages):• http://bobby-tables.com/• Tutorials:• (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-

myths-and-fallacies• http://www.netrostar.com/SQL-Injection-Attack• http://www.unixwiz.net/techtips/sql-injection.html• Cool site that let’s you try out attacks on a sample DB and explains why they

work• http://sqlzoo.net/hack/• Research paper on how to retrofit existing websites to combat SQL injection

attacks• http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf

BIBLIOGRAPHY• https://www.google.co.in/#q=sql+injection&• http://www.acunetix.com/websitesecurity/sql-injectio

n/• https://www.google.co.in/search?q=sql+injection&so

urce=lnms&tbm=isch&sa=X&sqi=2&ved=0ahUKEwir3_fijMfSAhUJqY8KHaZrD50Q_AUICCgD&biw=1440&bih=794

• https://www.w3schools.com/sql/sql_injection.asp• https://en.wikipedia.org/wiki/SQL_injection• https://www.tutorialspoint.com/sql/sql-injection.htm• http://searchsoftwarequality.techtarget.com/definition

/SQL-injection• https://www.netsparker.com/blog/web-security/sql-in

jection-vulnerability/

Queries WillBe

Appreciated?

Profound Thanks To:

Dr. Deepak Dembla Professor & HOD IT & Computer Applications Department