SQL Injection Attack
Brief Tutorial of SQL
• Log in to MySQL: We will use MySQL, an open-source relational database management
system. We log in with the mysql client command shown on the slide.
• Create a Database: A MySQL server can hold multiple databases. The "SHOW
DATABASES" command lists the existing ones. We will create a new database called
dbtest.
SQL Tutorial: Create a Table
• A relational database organizes its data in tables. Let us create a table called
employee with seven attributes (i.e. columns) in the database "dbtest".
• Because a server may hold several databases, we first have to tell it which one to
use (the USE command).
• After a table is created, DESCRIBE displays its structure: each column's name, data
type and attributes.
SQL Tutorial: Insert a Row
• The INSERT INTO statement inserts a new record into a table.
• Here we insert one record into the "employee" table.
• We do not supply a value for the ID column: it is declared AUTO_INCREMENT, so the
database assigns it automatically.
SQL Tutorial: SELECT Statement
• The SELECT statement is the most common operation on a database: it retrieves
information from it.
• The first query on the slide asks the database for all its records, including all
the columns.
• The second query asks only for the Name, EID and Salary columns.
SQL Tutorial: WHERE Clause
• It is uncommon for a SQL query to retrieve all the records in a table.
• The WHERE clause sets conditions for several types of SQL statements, including
SELECT, UPDATE and DELETE.
• The statement then only affects the rows for which the predicate in the WHERE
clause is TRUE.
• The predicate is a logical expression; multiple predicates can be combined with the
keywords AND and OR.
• Let's look at an example on the next slide.
SQL Tutorial: WHERE Clause
• The first query returns the record whose EID field is 'EID5001'.
• The second query returns every record that satisfies either EID='EID5001' or
Name='David'.
SQL Tutorial: WHERE Clause
• If the condition is always TRUE, every row is affected by the SQL statement.
• A predicate such as 1=1 looks useless in a real query, but it becomes very useful in
SQL injection attacks: OR 1=1 turns any WHERE clause into one that matches all rows.
SQL Tutorial: UPDATE Statement
• We can use the UPDATE Statement to modify an existing record
SQL Tutorial: Comments
MySQL supports three comment styles:
• Text from the # character to the end of the line is treated as a comment.
• Text from "-- " to the end of the line is treated as a comment. In MySQL the two
dashes must be followed by a space (or another whitespace/control character), which
is why injection payloads are usually written as "-- " with a trailing space.
• As in the C language, text between /* and */ is treated as a comment.
Interacting with Database in Web Application
• A typical web application consists of three major components: the web browser on
the client side, the web application server, and the database server.
• SQL injection attacks damage the database. As the figure shows, users never talk to
the database directly; they go through the web server. If the web server does not
implement this channel properly, malicious users can attack the database through it.
Getting Data from User
• This example shows a form in which users type their data. Once the submit button is
clicked, an HTTP request carrying that data is sent out.
• The HTML source of the form is given below.
• The generated request is shown below it.
Getting Data from User
• The request shown is an HTTP GET request, because the method attribute of the HTML
form specified get.
• In a GET request, the parameters are appended to the URL after the question mark.
• Each parameter is a name=value pair; pairs are separated by "&".
• Over HTTPS the request has the same format, but it is encrypted in transit. Note that
this protects the data only on the wire: the server still decrypts it and treats it
exactly the same way, so HTTPS does nothing to prevent SQL injection.
• Once the request reaches the target PHP script, the parameters in the HTTP request
are available in the $_GET or $_POST array. The following example shows a PHP script
reading data from a GET request.
How Web Applications Interact with Database
Connecting to MySQL Database
• A PHP program must connect to the database server before it can run a query.
• The code shown below creates the connection with new mysqli(...) and its four
arguments: the hostname of the database server, the login name, the password and
the database name.
How Web Applications Interact with Database
• The script constructs the query string from the user's input and sends it to the
database for execution.
• This channel from the user through the web server to the database is a new attack
surface for the database.
Launching SQL Injection Attacks
• Everything the user provides becomes part of the SQL statement. Can a user change
the meaning of that statement?
• The web developer's intention is that the user only fills in data for the blank
areas of the statement template shown below.
• Assume that a user types a random string in the password field and "EID5002'#" in
the eid field. The SQL statement then becomes the one shown below.
Launching SQL Injection Attacks
• Everything from the # sign to the end of the line is a comment, so the statement is
equivalent to the following one.
• It returns the name, salary and SSN of the employee whose EID is EID5002, even though
the user does not know that employee's password. This is a security breach.
• Can a user also get all the records from the table without knowing any of the EIDs
stored in it?
• Yes, if we can make the predicate in the WHERE clause true for every record.
Modify Database
• If the statement is an UPDATE or an INSERT INTO, we get a chance to change the
database.
• Consider the form created for changing passwords. It asks the user for three pieces
of information: EID, old password and new password.
• When the Submit button is clicked, an HTTP POST request is sent to the server-side
script changepassword.php, which uses an UPDATE statement to change the user's
password.
Modify Database
• Let us assume that Alice (EID5000) is not satisfied with her salary and would like to
raise it using the SQL injection vulnerability. She types her own EID and old
password, and the following string into the "New Password" box.
• With that string, the UPDATE statement sets one more attribute for us, the salary
attribute. The SQL statement now looks as follows.
• What if Alice does not like Bob and wants to reduce his salary to 0, but she only
knows Bob's EID (EID5001), not his password? How can she carry out the attack?
The Fundamental Cause
Mixing data and code together is the cause of several types of vulnerabilities and
attacks, including SQL injection, XSS, command injection through the system()
function, and format string attacks.
Countermeasures: Filtering and Encoding Data
• Before mixing user-provided data with code, inspect the data and filter out any
character that may be interpreted as code.
• Special characters are what SQL injection attacks rely on. Instead of removing them,
we can encode (escape) them.
• Encoding a special character tells the parser to treat it as data and not as code;
the example below shows an escaped single quote staying inside its string literal.
• PHP's mysqli extension has a built-in method, mysqli::real_escape_string(), that
encodes the characters with special meaning in SQL. The code snippet below shows how
to use it.
• Caveat: escaping only protects values that the query places inside quoted string
literals. An unquoted number or an identifier gets no protection, and the data is
still mixed with the code.
Countermeasures: Prepared Statement
• Fundamental cause of SQL injection: mixing data and code.
• Fundamental solution: separate data and code.
• Main idea: send code and data to the database server over separate channels, so the
server never parses anything from the data channel as SQL.
• How: use prepared statements.
• Prepared statement: originally an optimization that improves performance when the
same or a similar SQL statement is executed repeatedly. We send the database an SQL
statement template in which certain values, the parameters, are left unspecified.
The database parses, compiles and optimizes the template and stores the result
without executing it. We later bind data to the parameters and execute.
Countermeasures: Prepared Statement
• The vulnerable version: code and data are mixed together in one string.
• Using prepared statements, we separate code and data.
(Figure: send code, then send data, then start execution.)
Why Are Prepared Statements Secure?
• Trusted code is sent via the code channel.
• Untrusted user-provided data is sent via the data channel.
• The database therefore knows exactly where the boundary between code and data lies.
• Data received from the data channel is never parsed as SQL.
• Attackers can still hide code inside data, but it will never be treated as code, so
it can never change the meaning of the statement.
• You can use this reference:
https://jaredablon-31568.medium.com/how-to-prevent-sql-injection-vulnerabilities-how-prepared-statements-work-f492c369614f
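The following is an added example, not code from the slides, covering both countermeasure sections: the same login lookup written in the vulnerable form, with escaping, and as a prepared statement, so the two defenses can be compared on the slides' own payloads. Assumptions the page does not make: SQLite stands in for MySQL; sql_escape() is a minimal stand-in for mysqli::real_escape_string() (it doubles single quotes, the standard-SQL form, and strips NUL bytes; the real API also handles backslash, CR, LF and Ctrl-Z); injected comments use "-- " rather than "#"; the rows are constructed sample data. The salary lookup at the end shows the caveat the notes mention: escaping is a no-op for a value that is not inside quotes, while a bound parameter is still compared as a single value.

```python
"""Added example (not from the slides): the login lookup written three ways.

Assumptions, not from the page: SQLite stands in for MySQL; sql_escape() is a
minimal stand-in for mysqli::real_escape_string(); injected comments use
'-- ' instead of '#'; the rows are constructed sample data.
"""
import sqlite3

LOGIN_TEMPLATE = ("SELECT Name, Salary, SSN FROM employee "
                  "WHERE EID='{eid}' AND Password='{pwd}'")


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (ID INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "Name TEXT, EID TEXT, Password TEXT, Salary INTEGER, SSN TEXT)")
    conn.executemany(
        "INSERT INTO employee (Name, EID, Password, Salary, SSN) VALUES (?,?,?,?,?)",
        [("Alice", "EID5000", "alice-pw", 50000, "111-11-1111"),
         ("Bob",   "EID5001", "bob-pw",   70000, "222-22-2222"),
         ("David", "EID5002", "david-pw", 60000, "333-33-3333")])
    return conn


def sql_escape(value: str) -> str:
    """Encode the characters that would otherwise end a string literal."""
    return value.replace("\0", "").replace("'", "''")


# 1. Vulnerable: data spliced into the code string.
def login_vulnerable(conn, eid, pwd):
    return conn.execute(LOGIN_TEMPLATE.format(eid=eid, pwd=pwd)).fetchall()


# 2. Escaped: still one string, but a quote in the data can no longer close
#    the literal, so the comment marker stays inside it.
def login_escaped(conn, eid, pwd):
    sql = LOGIN_TEMPLATE.format(eid=sql_escape(eid), pwd=sql_escape(pwd))
    return conn.execute(sql).fetchall()


# 3. Prepared: the template carries only code; the tuple carries only data.
def login_prepared(conn, eid, pwd):
    sql = "SELECT Name, Salary, SSN FROM employee WHERE EID=? AND Password=?"
    return conn.execute(sql, (eid, pwd)).fetchall()


# Where escaping stops helping: a value that is not inside quotes. There is
# no quote for sql_escape() to double, so "0 OR 1=1" is spliced in as code.
def by_salary_escaped(conn, salary_text):
    sql = f"SELECT Name FROM employee WHERE Salary={sql_escape(salary_text)}"
    return conn.execute(sql).fetchall()


def by_salary_prepared(conn, salary_text):
    # The whole string is bound as one value: compared, never parsed.
    return conn.execute("SELECT Name FROM employee WHERE Salary=?",
                        (salary_text,)).fetchall()


def compare(eid="EID5002' -- ", pwd="wrong"):
    """Run one payload through all three versions; report rows returned."""
    conn = fresh_db()
    return {
        "vulnerable": len(login_vulnerable(conn, eid, pwd)),
        "escaped":    len(login_escaped(conn, eid, pwd)),
        "prepared":   len(login_prepared(conn, eid, pwd)),
    }


if __name__ == "__main__":
    print(compare())                    # comment attack on the password check
    print(compare("' OR 1=1 -- "))      # always-true predicate
    conn = fresh_db()
    print(by_salary_escaped(conn, "0 OR 1=1"), by_salary_prepared(conn, "0 OR 1=1"))
```

Both the comment payload and the OR 1=1 payload return rows only from the vulnerable version; the escaped and prepared versions return nothing, because the payload is looked up as a literal EID. The salary lookup is where they part ways: the escaped version still dumps the table for "0 OR 1=1", the prepared version does not, which is the sense in which only prepared statements remove the root cause.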
Summary
• Brief tutorial of SQL
• SQL injection attacks and how to launch them
• The fundamental cause of the vulnerability: mixing data and code
• How to defend against SQL injection attacks
• Prepared statements


Editor's Notes

  • #2 (Brief Tutorial of SQL): SQL keywords are case-insensitive, but we capitalize them to distinguish them from the lowercase non-keywords.
  • #3 (Create a Table): Syntax explanation: the table's columns are defined inside parentheses after the table name. Each column definition starts with the column name, followed by its data type. The number in parentheses after the data type is the maximum length of the data in that column. Use the "ID" column to explain the remaining parts of a definition: data type, NOT NULL, AUTO_INCREMENT.
  • #4 (Insert a Row): SQL keywords are case-insensitive, but we capitalize them to distinguish them from the lowercase non-keywords.
  • #11 (Interacting with Database in Web Application): Explanation of the components. Web browser: on the client side; its primary function is to fetch content from the web server, present it to the user, interact with the user and collect the user's input. Web application server: generates and delivers content to the browser; it usually relies on an independent database server for data management. Browsers talk to web servers over the Hypertext Transfer Protocol, while web servers talk to databases in a database language such as SQL.
  • #12 (Getting Data from User): Depending on whether the HTTP request is a GET or a POST request, the data is attached to it differently.
  • #14 (Connecting to MySQL Database): Web apps store data in databases and fetch further data from them based on the input they are given. PHP programs have three main ways to interact with a MySQL database: PHP's MySQL extension (removed in PHP 7), PHP's MySQLi extension (commonly used), and PHP Data Objects (PDO). The MySQLi extension gives PHP programs access to the functionality of MySQL 4.1 and above. The four arguments of mysqli are the hostname of the database server, the login name, the password and the database name. The hostname depends on where the database runs; if it runs on the same machine as the web application server, we use "localhost".
  • #15 (How Web Applications Interact with Database): The code shows how the query string is constructed and executed and how the results are obtained. Data typed into the form eventually becomes part of the SQL string the database executes. Even though the user does not interact with the database directly, there is a channel between the user and the database; if it is not protected properly, the user may be able to attack the database through it.
  • #16 (Launching SQL Injection Attacks): To understand the possible attacks, consider the abstract version: the web app creates an SQL statement template and the user fills in the blanks inside the rectangles. The attack demonstrated shows the user using a few special characters to change the meaning of the SQL statement.
  • #19 (Modify Database): User input is used to construct the SQL statement, so there is an SQL injection vulnerability. A single UPDATE statement can set several attributes of a matching record if the SET clause is given a comma-separated list of attributes. The statement in changepassword.php is meant to set only one attribute, the password. Because of the SQL injection vulnerability, an attacker can change other attributes as well (here, the salary).
  • #20 (The Fundamental Cause): See the book for a detailed discussion of this diagram.
  • #21 (Countermeasures: Filtering and Encoding Data): Characters that have special meaning in an SQL statement and can be encoded include NUL (ASCII 0), carriage return (\r), newline (\n), backspace (\b), etc. The filtering/escaping approach does not address the fundamental cause of the problem: data and code are still mixed together. It makes the code harder to attack, but it is not a complete fix.
  • #22 (Countermeasures: Prepared Statement): The countermeasure for attacks on system() is to use execve(), which takes the command name and its data as separate arguments. Prepared statements were not developed for security purposes, but they are an ideal countermeasure against SQL injection because they separate data from code.
  • #23 (Countermeasures: Prepared Statement, code figure): Lines 1 and 2: preparing the SQL statement. Line 3: binding the data. Lines 4, 5 and 6: execution and retrieving the results.