powerpoint presentation on sql injection in brief (simple)
TRANSCRIPT
A SEMINAR POWERPOINT PRESENTATION
ON sql injection
(Structured Query Language Injection)
Session: 2017-18
Submitted To: Submitted By: Dr. Deepak Dembla Shivam Sahu Professor & HOD IT 16BCAN035
&Computer Applications Department IInd Sem BCA
JECRC University, Jaipur
Structure of presentation• What are Injection attacks?• What is SQL?• What is SQL Injection?• Classes of SQL Injection?• Is it can be a very serious problem?• Important SQL Syntax!• Find SQL Injection Bugs ?• Impact of SQL Injection• SQL Attack steps!• News!!??• Any Websites provide Bugs Bounty for SQL Injection?• SQL Injection(code and dork)• How to hack Website using SQL Injection with easy Steps!(Live Demonstartion!)• SQL injection exploit?• How Can You Prevent This?• Other Injection Types• SQL injection Conclusion• Bibliography
What are Injection attacks?
• Injection attacks trick an application into including unintended commands in the data send to an interpreter.
• Interpreters• Interpret strings as commands.• Ex: SQL, shell (cmd.exe, bash), LDAP, XPath• Key Idea• Input data from the application is executed as
code by the interpreter.
What is SQL?• SQL: Structured
Query Language
• Used to store, edit, and retrieve database data
• Applications issue SQL commands that manage data
Web Application
Database
SQLChanges
Retr
ieva
l
What is SQL Injection?• App sends form to user.
• Attacker submits form with SQL exploit data.
• Application builds string with exploit data.
• Application sends SQL query to DB.
• DB executes query, including exploit, sends data back to application.
• Application returns data to user.
• Many web applications take user input from a form
• Often this user input is used literally in the construction of a SQL query submitted to a database
DB Server
Firewall
User
Pass ‘ or 1=1--
Video Source : https://www.youtube.com/watch?v=FwIUkAwKzG8
Classes of SQL Injection• SQL Injection can be broken up into 3 classes:
• 1.Inband - data is extracted using the same channel that is used to inject the SQL code. • This is the most straightforward kind of attack, in which the retrieved data is presented • directly in the application web page
• 2.Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of • the query is generated and sent to the tester)
• 3.Inferential - there is no actual transfer of data, but the tester is able to reconstruct the • information by sending particular requests and observing the resulting behaviour of the • website/DB Server.
Is it can be a very serious problem?
• The attacker can delete, modify or even worse, steal your data
• Compromises the safety, security & trust of user data
• Compromises a company’s competitiveness or even the ability to stay in business
Important SyntaxCOMMENTS: --
Example: SELECT * FROM `table` --selects everything
LOGIC: ‘a’=‘a’Example: SELECT * FROM `table` WHERE ‘a’=‘a’
MULTI STATEMENTS: S1; S2Example: SELECT * FROM `table`; DROP TABLE `table`;
Impact of SQL Injection1. Leakage of sensitive
information.2. Reputation decline.3. Modification of sensitive
information.4. Loss of control of db
server.5. Data loss.6. Denial of service.
SQL Attack steps• Searching for a vulnerable point• Fingerprinting the backend DB• Enumerating or retrieving data of interest –
table dumps, usernames/passwords etc.• Eventual exploiting the system once the
information is handy– OS take over, data change, web server take over
etc.
SQL Injection Attacks on the rise• Many, many sites have lost customer data in this way,” said Chris Hinkley,
Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.
• 16/11/2016 :Websites of Indian Embassy in 7 Countries Hacked; Database Leaked Online
SQL injection exploit?• Access sensitive data in the database, • Modify database data,• Execute administrative operations within the
database (e.g. shutdown the DBMS), • Recover the content of a given file present on
the DBMS file system • And in some cases issue commands to the
operating system.
Video Source : https://www.youtube.com/watch?v=J6-zUVUzZA4
Websites that provide bug bounty for SQL
Injectionhttps://www.hackerone.com/
SQL Injection' or 0=0 --' or 0=0 --'' or 0=0 #" or 0=0 --" or 0=0 --''" or 0=0 --or 0=0 --' or 0=0
" or 0=0 #' or a=a--
' or "a"="a' or 'a'='a
" or "a"="a') or ('a'='a
") or ("a"="ahi" or "a"="ahi" or 1=1 --
or 0=0 #' or 'x'='x
" or "x"="x') or ('x'='x" or 1=1--or 1=1--
' or a=a--'' or a=a #
hi' or 1=1 --
hi' or 'a'='ahi') or ('a'='a
hi") or ("a"="a' or 1=1--" or 1=1--or 1=1--
' or 'a'='a" or "a"="a') or ('a'='a
Finding SQL Injection Bugs
1. Submit a single quote as input.If an error results, app is vulnerable.If no error, check for any output changes.
2. Submit two single quotes.Databases use ’’ to represent literal ’If error disappears, app is vulnerable.
3. Try string or numeric operators.
How to mitigate the risk?
• Escape all user supplied input• Always validate input• Use prepared statements– For PHP+MySQL – use PDO with strongly typed
parameterized queries (using bindParam()) • Code reviews • Don’t store password in plain text in the DB– Salt them and hash them
How does this prevent an attack?
• The SQL statement you pass to prepare is parsed and compiled by the database server.
• By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.
• Then when you call execute the prepared statement is combined with the parameter values you specify.
• It works because the parameter values are combined with the compiled statement, not a SQL string.
• SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.
Prevention• Logic to allow only numbers / letters in username
and password.• How should you enforce the constraint?
SERVER SIDE.• ‘ESCAPE’ bad characters.
’ becomes \’• READ ONLY database access.• Remember this is NOT just for login areas!
NOT just for websites!!
Video Source: https://www.youtube.com/watch?v=WNNLpObPQuo
SQL injection Conclusion• SQL injection is technique for exploiting applications that use relational
databases as their back end. • Applications compose SQL statements and send to database. • SQL injection use the fact that many of these applications concatenate the
fixed part of SQL statement with user-supplied data that forms WHERE predicates or additional sub-queries.
• The technique is based on malformed user-supplied data • Transform the innocent SQL calls to a malicious call • Cause unauthorized access, deletion of data, or theft of information• All databases can be a target of SQL injection and all are vulnerable to this
technique. • The vulnerability is in the application layer outside of the database, and
the moment that the application has a connection into the database.
Other Injection Types• Shell injection.• Scripting language injection.• File inclusion.• XML injection.• XPath injection.• LDAP injection.• SMTP injection.
Some good sites to learn more
• Prevention guide (with sample code in many languages):• http://bobby-tables.com/• Tutorials:• (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-
myths-and-fallacies• http://www.netrostar.com/SQL-Injection-Attack• http://www.unixwiz.net/techtips/sql-injection.html• Cool site that let’s you try out attacks on a sample DB and explains why they
work• http://sqlzoo.net/hack/• Research paper on how to retrofit existing websites to combat SQL injection
attacks• http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
BIBLIOGRAPHY• https://www.google.co.in/#q=sql+injection&• http://www.acunetix.com/websitesecurity/sql-injectio
n/• https://www.google.co.in/search?q=sql+injection&so
urce=lnms&tbm=isch&sa=X&sqi=2&ved=0ahUKEwir3_fijMfSAhUJqY8KHaZrD50Q_AUICCgD&biw=1440&bih=794
• https://www.w3schools.com/sql/sql_injection.asp• https://en.wikipedia.org/wiki/SQL_injection• https://www.tutorialspoint.com/sql/sql-injection.htm• http://searchsoftwarequality.techtarget.com/definition
/SQL-injection• https://www.netsparker.com/blog/web-security/sql-in
jection-vulnerability/
Queries WillBe
Appreciated?
Profound Thanks To:
Dr. Deepak Dembla Professor & HOD IT & Computer Applications Department