SQL Injections (Part 1)

DESCRIPTION
SQL Injections (Part 1) by Wasim Halani @ null Mumbai Meet, May 2011

TRANSCRIPT
SQL Injection Part 1 - BASICS
Wasim Halani (WaSHaL)

./whoami
- Student
- Fallible
- NOT a SQL expert
- “Do not take anything I say as fact. I have been wrong before and I will be wrong again.” - Nullthreat
OWASP Top 10
- A1 – Injection Flaws
- Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
- Simpler definition, anyone?
SQL Injection
- SQL = Structured Query Language
- Execute a SQL query/statement or syntax by injecting it into a user input field on the web application
Why study it?
- Barracuda
- HBGary / HBGary Federal
- Appinonline
- Appinlabs
- NIIT
- Mysql.com
Our Sample DB (table: user_db)

id  username  password   role
1   admin     admin123   1
2   tom       T0m!@#     0
3   jerry     jerry      0
4   harry     098@harry  0
Generic SQL - Select
- SQL> select * from userdb where username='xxxx' and password='yyyy';
  returns all columns from table 'userdb', for every row that has the given username and password
- SQL> select role from userdb where username='zzzz';
  returns only the column 'role', for the rows where the username matches
UNION Operator
- Combine results of two or more SELECT statements (UNION drops duplicate rows, UNION ALL keeps them; both require the same number of columns in each SELECT)
- SELECT username,password from user_db UNION SELECT username,password from admin_db
- SELECT username,password from user_db UNION ALL SELECT username,password from admin_db
ORDER BY Clause
- Sort results of a SELECT query by a specific column
  - by column number
  - by column name
Misc.
- INSERT
- UPDATE
- DELETE
- ALTER
- DROP
Categories of SQL Injection
- In-band
  - Error
  - Union
- Out-of-band
  - DNS
  - Ping
- Inferential (Blind)
  - Sleep
  - Waitfor

Ref: www.toorcon.org/tcx/9_McCray.pdf
SQL Injection Attacks

Vulnerable Code

Vanilla Injection
- ' or 1=1 --
- a' or 'a'='a
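The "Vulnerable Code" slide carries no text in this transcript, so here is an added example (not the speaker's code) of the pattern it refers to: a login check that pastes user input straight into the SQL string, beside the parameterised form of the same query. It runs against an in-memory SQLite copy of the sample DB above; the table name `userdb` follows the "Generic SQL" slide, and the function names are my own.

```python
import sqlite3

# Rows from the talk's "Our Sample DB" slide, loaded into a constructed in-memory table.
SAMPLE_ROWS = [
    (1, "admin", "admin123", 1),
    (2, "tom", "T0m!@#", 0),
    (3, "jerry", "jerry", 0),
    (4, "harry", "098@harry", 0),
]


def make_db():
    """Create the sample table in memory and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userdb (id INTEGER, username TEXT, password TEXT, role INTEGER)"
    )
    conn.executemany("INSERT INTO userdb VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """The vulnerable pattern: input is concatenated into the query text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM userdb WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: a parameterised query. The driver passes the values separately from
    the statement, so quotes and comment markers in the input stay data."""
    sql = "SELECT * FROM userdb WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The two "Vanilla Injection" payloads from the slide, one per field.
    print(len(login_vulnerable(db, "' or 1=1 --", "anything")), "rows (vulnerable, payload in username)")
    print(len(login_vulnerable(db, "x", "a' or 'a'='a")), "rows (vulnerable, payload in password)")
    print(len(login_safe(db, "' or 1=1 --", "anything")), "rows (parameterised)")
    print(login_safe(db, "tom", "T0m!@#"), "(parameterised, real credentials)")
```

With `' or 1=1 --` in the username the vulnerable query becomes `... WHERE username='' or 1=1 --' AND password='anything'`: the `--` comments out the password check and every row comes back. The parameterised version returns nothing for the same input and still matches a genuine username/password pair, which is the whole point of the fix.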
Finding # of Columns (1, 2, 3, 4, ...., 100)

Finding # of Columns - 2
Injecting Queries (UNION)
Ref: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
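The attack slides above (vanilla `' or 1=1`, ORDER BY column counting, UNION injection) and the earlier category list (error/union, sleep/waitfor) all leave recognisable traces in the web server's request log. As an added example on the defensive side, not part of the talk, here is a small log scanner that URL-decodes each request and tags it with the injection category its pattern belongs to. The log lines are constructed for the example, and the signature names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache common format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2011:10:00:01 +0530] "GET /login.php?user=tom&pass=T0m%21%40%23 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2011:10:00:07 +0530] "GET /login.php?user=%27+or+1%3D1+--&pass=x HTTP/1.1" 200 4096
10.0.0.9 - - [12/May/2011:10:00:12 +0530] "GET /item.php?id=1+ORDER+BY+5 HTTP/1.1" 500 233
10.0.0.9 - - [12/May/2011:10:00:15 +0530] "GET /item.php?id=1+UNION+SELECT+username%2Cpassword+FROM+userdb HTTP/1.1" 200 1800
10.0.0.9 - - [12/May/2011:10:00:20 +0530] "GET /item.php?id=1%3B+WAITFOR+DELAY+%270%3A0%3A5%27 HTTP/1.1" 200 233
10.0.0.7 - - [12/May/2011:10:00:25 +0530] "GET /search.php?q=order+form HTTP/1.1" 200 900
"""

# One signature per injection category from the talk; matched against the
# URL-decoded request, since payloads arrive percent-encoded.
SIGNATURES = {
    "vanilla": re.compile(r"'\s*or\s+['\w]+\s*=\s*['\w]+", re.I),        # ' or 1=1 / ' or 'a'='a
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),         # in-band UNION
    "column-count": re.compile(r"\border\s+by\s+\d+\b", re.I),           # ORDER BY n probing
    "time-based": re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b", re.I), # inferential (blind)
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def scan_log(text):
    """Return (client_ip, decoded_request, [categories]) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))  # "%27+or+1%3D1" -> "' or 1=1"
        tags = sorted(tag for tag, rx in SIGNATURES.items() if rx.search(decoded))
        if tags:
            hits.append((line.split()[0], decoded, tags))
    return hits


if __name__ == "__main__":
    for ip, request, tags in scan_log(SAMPLE_LOG):
        print(ip, tags, request)
```

Decoding before matching matters: the raw line for the second request contains `%27+or+1%3D1`, which none of the patterns would see. The benign `q=order form` search is not flagged because the column-count signature needs `order by` followed by a number, which is the shape the probing on the "Finding # of Columns" slide produces. A single client hitting several categories in sequence, as 10.0.0.9 does here, is the kind of cluster worth alerting on; POST bodies are not in the access log, so a scanner like this only covers GET-style injection.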
Tools
- Netsparker (Pro/Community)
- Havij
- SQLMap
- SQLNinja
Coming Up…
- Blind SQL
- Manual Extraction of Data using SQLi + Burp
- Preventing SQL Injections