SlideShare a Scribd company logo

SQL injection basics

B
Blueinfy Solutions

This document discusses SQL injection vulnerabilities and techniques for exploiting them. It explains how user-supplied parameters can be manipulated to alter SQL queries and access unauthorized data or execute stored procedures. Some methods covered include adding SQL syntax like OR 1=1 to return all rows, using semicolons to concatenate queries, and prematurely terminating queries with characters like single quotes. The document also provides examples of forcing SQL errors to identify vulnerabilities and tips for retrieving excessive data or invoking stored procedures during an SQL injection attack.

Technology
1 of 18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
SQL Injections and basics
SQL Query Poisoning • Parameters from the URL or input fields get used in SQL queries. • An instance of Input Validation attacks. • Data can be altered to extend the SQL query. – e.g. http://server/query.asp?item=3+OR+1=1 • Execution of stored procedures. • May even lead to back-end database server compromise.
Identify candidate parameters • Determine what parameters seem to be passed to the database. • Usually some selection criteria. • Results have a uniform template, but varying data content.
Force SQL errors • Insert meta-characters around or within the parameters. • Range testing - BOF or EOF. • Changing the data type. • Premature query termination: – quotation marks - ‘ or “ – trailing hyphens -- • Look for error messages generated from the database.
SQL Query Poisoning • Insecure code (ASP): roduct_id = request.querystring(“ID”) onn.Open uery = "select * from items where product_id = " & product_id et result = conn.execute(query)
SQL Query Poisoning • How the query gets assembled http://192.168.7.120/details.asp?id=http://192.168.7.120/details.asp?id= 33 select * from items where product_id =select * from items where product_id = 33 DB
Identifying SQL errors • Try and force error messages from database servers. • Gives us an idea how the SQL query is being created and used. • Tamper the input parameter. – Change data type – Premature termination by ‘ “ etc… • If the SQL query fails, we have a candidate for SQL injection.
Identifying SQL errors • Identify which resources contain SQL interfaces. • Identify the offending parameters which cause the SQL queries to break. • Root cause of all SQL query poisoning is lack of input sanitization. • Strip off meta-characters.
http://192.168.7.120/details.asp?id= Identifying SQL errors • Forcing SQL errors. • Ideal for identifying database interfaces! ‘3 select * from items where product_id = ‘3 DB
Identifying SQL errors • Premature SQL query termination: We now have an SQL injection point.
Identifying SQL errors Example: PHP + MySQL error message
Identifying SQL errors Example: ColdFusion + SQL Server error msg
Extend SQL queries • Add valid SQL clauses to extend the SQL query. • “OR 1=1” – return all rows. • “;SELECT …” – multiple queries. • “;EXEC …” – stored procedures.
Retrieve all rows • Retrieve excessive data http://192.168.7.120/details.asp?id= 3+OR+1=1 select * from items where product_id = 3 OR 1=1 DB
Executing Stored Procedures • SQL Injection attacks can be extended beyond excessive data retrieval. • Stored procedures, if known, and accessible, can also be invoked. – For example Microsoft SQL Server’s extended stored procedures. • Use the SQL “EXEC” statement.
EXEC master..xp_cmdshell ‘dir’ Executing Stored Procedures • How the query gets assembled: http://192.168.7.120/details.asp?id= 3%01EXEC+master..xp_cmdshell+’dir’ select * from items where product_id = 3 DB
Executing Stored Procedures • Viewing the results of execution:
Conclusion

More Related Content

PPT
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
PPT
HTTP protocol and Streams Security
Blueinfy Solutions
 
PDF
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PPS
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
PPTX
Web hacking series part 3
Aditya Kamat
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
PPTX
Web application attack Presentation
Khoa Nguyen
 
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
HTTP protocol and Streams Security
Blueinfy Solutions
 
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
Sql Injection attacks and prevention
helloanand
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
Web hacking series part 3
Aditya Kamat
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Web application attack Presentation
Khoa Nguyen
 

What's hot (20)

PPTX
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
PDF
Object Oriented Programming with Laravel - Session 4
Shahrzad Peyman
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPTX
Unicode
Ronan Dunne, CEH, SSCP
 
PPTX
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
PDF
RESTful Web Services
Christopher Bartling
 
PDF
Object Oriented Programming with Laravel - Session 5
Shahrzad Peyman
 
PPTX
ASP.NET Mvc 4 web api
Tiago Knoch
 
PPTX
Overview of RESTful web services
nbuddharaju
 
PPTX
40+ tips to use Postman more efficiently
postmanclient
 
PPT
Secure code practices
Hina Rawal
 
PPTX
ApacheCon North America 2018: Creating Spark Data Sources
Jayesh Thakrar
 
PPTX
SQL injection prevention techniques
SongchaiDuangpan
 
PPTX
Web Hacking Series Part 1
Aditya Kamat
 
PDF
Solr Architecture
Ramez Al-Fayez
 
PPTX
Introducing asp
aspnet123
 
PPTX
Postman Collection Format v2.0 (pre-draft)
Postman
 
PPTX
Web Hacking Series Part 4
Aditya Kamat
 
PDF
CORS and (in)security
n|u - The Open Security Community
 
PPTX
ASP.NET WEB API
Thang Chung
 
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
Object Oriented Programming with Laravel - Session 4
Shahrzad Peyman
 
Common Web Application Attacks
Ahmed Sherif
 
Unicode
Ronan Dunne, CEH, SSCP
 
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
RESTful Web Services
Christopher Bartling
 
Object Oriented Programming with Laravel - Session 5
Shahrzad Peyman
 
ASP.NET Mvc 4 web api
Tiago Knoch
 
Overview of RESTful web services
nbuddharaju
 
40+ tips to use Postman more efficiently
postmanclient
 
Secure code practices
Hina Rawal
 
ApacheCon North America 2018: Creating Spark Data Sources
Jayesh Thakrar
 
SQL injection prevention techniques
SongchaiDuangpan
 
Web Hacking Series Part 1
Aditya Kamat
 
Solr Architecture
Ramez Al-Fayez
 
Introducing asp
aspnet123
 
Postman Collection Format v2.0 (pre-draft)
Postman
 
Web Hacking Series Part 4
Aditya Kamat
 
CORS and (in)security
n|u - The Open Security Community
 
ASP.NET WEB API
Thang Chung
 
Ad

Similar to SQL injection basics (20)

PPTX
SQL injection
Akash Panchal
 
PPTX
SQL Injection in JAVA
Hossein Yavari
 
PPTX
PHP and MySQL.pptx
natesanp1234
 
PPT
PHP - Introduction to Advanced SQL
Vibrant Technologies & Computers
 
PPTX
SQL Injection Stegnography in Pen Testing
191013607gouthamsric
 
PPTX
The Pushdown of Everything by Stephan Kessler and Santiago Mola
Spark Summit
 
PPTX
API-Testing-SOAPUI-1.pptx
amarnathdeo
 
PPTX
Introduction to Azure Data Lake and U-SQL for SQL users (SQL Saturday 635)
Michael Rys
 
PPTX
Introduction to SoapUI day 2
Qualitest
 
PDF
Api security-testing
n|u - The Open Security Community
 
PPTX
Orms vs Micro-ORMs
David Paquette
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
RAKIBULISLAM529074
 
PPT
Advanced SQL Injection
amiable_indian
 
PPT
Sql Injection Adv Owasp
Aung Khant
 
PDF
Data normalization weaknesses
Ivan Novikov
 
PPTX
Dynamic Publishing with Arbortext Data Merge
Clay Helberg
 
PPTX
Vulnerabilities in data processing levels
beched
 
PPTX
SQL Injection Defense in Python
Public Broadcasting Service
 
PDF
22jdbc
Adil Jafri
 
PPT
Sql injection attacks
chaitanya Lotankar
 
SQL injection
Akash Panchal
 
SQL Injection in JAVA
Hossein Yavari
 
PHP and MySQL.pptx
natesanp1234
 
PHP - Introduction to Advanced SQL
Vibrant Technologies & Computers
 
SQL Injection Stegnography in Pen Testing
191013607gouthamsric
 
The Pushdown of Everything by Stephan Kessler and Santiago Mola
Spark Summit
 
API-Testing-SOAPUI-1.pptx
amarnathdeo
 
Introduction to Azure Data Lake and U-SQL for SQL users (SQL Saturday 635)
Michael Rys
 
Introduction to SoapUI day 2
Qualitest
 
Api security-testing
n|u - The Open Security Community
 
Orms vs Micro-ORMs
David Paquette
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
RAKIBULISLAM529074
 
Advanced SQL Injection
amiable_indian
 
Sql Injection Adv Owasp
Aung Khant
 
Data normalization weaknesses
Ivan Novikov
 
Dynamic Publishing with Arbortext Data Merge
Clay Helberg
 
Vulnerabilities in data processing levels
beched
 
SQL Injection Defense in Python
Public Broadcasting Service
 
22jdbc
Adil Jafri
 
Sql injection attacks
chaitanya Lotankar
 
Ad

More from Blueinfy Solutions (19)

PDF
Mobile Application Scan and Testing
Blueinfy Solutions
 
PDF
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PPT
iOS Application Security Testing
Blueinfy Solutions
 
PPT
Html5 on mobile
Blueinfy Solutions
 
PPT
Android secure coding
Blueinfy Solutions
 
PPT
Android attacks
Blueinfy Solutions
 
PPT
Automation In Android & iOS Application Review
Blueinfy Solutions
 
PPT
Web Services Hacking and Security
Blueinfy Solutions
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
PPT
HTML5 hacking
Blueinfy Solutions
 
PDF
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
PPT
XSS - Attacks & Defense
Blueinfy Solutions
 
PPT
Defending against Injections
Blueinfy Solutions
 
PPT
Blind SQL Injection
Blueinfy Solutions
 
PPT
Application fuzzing
Blueinfy Solutions
 
PPT
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
PPT
Assessment methodology and approach
Blueinfy Solutions
 
PPT
Advanced applications-architecture-threats
Blueinfy Solutions
 
Mobile Application Scan and Testing
Blueinfy Solutions
 
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
iOS Application Security Testing
Blueinfy Solutions
 
Html5 on mobile
Blueinfy Solutions
 
Android secure coding
Blueinfy Solutions
 
Android attacks
Blueinfy Solutions
 
Automation In Android & iOS Application Review
Blueinfy Solutions
 
Web Services Hacking and Security
Blueinfy Solutions
 
Source Code Analysis with SAST
Blueinfy Solutions
 
HTML5 hacking
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Blueinfy Solutions
 
Blind SQL Injection
Blueinfy Solutions
 
Application fuzzing
Blueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Assessment methodology and approach
Blueinfy Solutions
 
Advanced applications-architecture-threats
Blueinfy Solutions
 

Recently uploaded (20)

PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
A Presentation on Artificial Intelligence
memembruh336
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

SQL injection basics

  • 2. SQL Query Poisoning • Parameters from the URL or input fields get used in SQL queries. • An instance of Input Validation attacks. • Data can be altered to extend the SQL query. – e.g. http://server/query.asp?item=3+OR+1=1 • Execution of stored procedures. • May even lead to back-end database server compromise.
  • 3. Identify candidate parameters • Determine what parameters seem to be passed to the database. • Usually some selection criteria. • Results have a uniform template, but varying data content.
  • 4. Force SQL errors • Insert meta-characters around or within the parameters. • Range testing - BOF or EOF. • Changing the data type. • Premature query termination: – quotation marks - ‘ or “ – trailing hyphens -- • Look for error messages generated from the database.
  • 5. SQL Query Poisoning • Insecure code (ASP): roduct_id = request.querystring(“ID”) onn.Open uery = "select * from items where product_id = " & product_id et result = conn.execute(query)
  • 6. SQL Query Poisoning • How the query gets assembled http://192.168.7.120/details.asp?id=http://192.168.7.120/details.asp?id= 33 select * from items where product_id =select * from items where product_id = 33 DB
  • 7. Identifying SQL errors • Try and force error messages from database servers. • Gives us an idea how the SQL query is being created and used. • Tamper the input parameter. – Change data type – Premature termination by ‘ “ etc… • If the SQL query fails, we have a candidate for SQL injection.
  • 8. Identifying SQL errors • Identify which resources contain SQL interfaces. • Identify the offending parameters which cause the SQL queries to break. • Root cause of all SQL query poisoning is lack of input sanitization. • Strip off meta-characters.
  • 9. http://192.168.7.120/details.asp?id= Identifying SQL errors • Forcing SQL errors. • Ideal for identifying database interfaces! ‘3 select * from items where product_id = ‘3 DB
  • 10. Identifying SQL errors • Premature SQL query termination: We now have an SQL injection point.
  • 11. Identifying SQL errors Example: PHP + MySQL error message
  • 12. Identifying SQL errors Example: ColdFusion + SQL Server error msg
  • 13. Extend SQL queries • Add valid SQL clauses to extend the SQL query. • “OR 1=1” – return all rows. • “;SELECT …” – multiple queries. • “;EXEC …” – stored procedures.
  • 14. Retrieve all rows • Retrieve excessive data http://192.168.7.120/details.asp?id= 3+OR+1=1 select * from items where product_id = 3 OR 1=1 DB
  • 15. Executing Stored Procedures • SQL Injection attacks can be extended beyond excessive data retrieval. • Stored procedures, if known, and accessible, can also be invoked. – For example Microsoft SQL Server’s extended stored procedures. • Use the SQL “EXEC” statement.
  • 16. EXEC master..xp_cmdshell ‘dir’ Executing Stored Procedures • How the query gets assembled: http://192.168.7.120/details.asp?id= 3%01EXEC+master..xp_cmdshell+’dir’ select * from items where product_id = 3 DB
  • 17. Executing Stored Procedures • Viewing the results of execution: