This document discusses SQL injection, which is a security vulnerability that allows attackers to interfere with how a database operates. SQL injection occurs when user input is not sanitized and is used directly in SQL queries, allowing attackers to alter the structure and meaning of queries. The document provides an example of how an attacker could log in without a password by adding SQL code to the username field. It also lists some common SQL injection techniques like using comments, concatenation, and wildcards. Finally, it points to additional online resources for learning more about SQL injection and database security.
2. INDEX
Ethical Hacking.
What is SQL.
How does SQL Injection work.
Example of SQL Injection.
Diagram of SQL Injection.
8. ETHICAL HACKING
Independent computer security professionals who break into
computer systems.
They neither damage the target systems nor steal information.
They evaluate the target systems' security and report the
bugs found back to the owners.
4. ETHICAL HACKERS, BUT NOT CRIMINAL HACKERS
Completely trustworthy.
Strong programming and computer networking skills.
Learn about the system and try to find its weaknesses.
Techniques of criminal hackers: detection and prevention.
The tester only reports findings; the tester does not fix the problems.
5. WHAT IS SQL?
SQL stands for Structured Query Language
Allows us to access a database
ANSI and ISO standard computer language
The most current standard is SQL99
SQL can:
execute queries against a database
retrieve data from a database
insert new records in a database
delete records from a database
update records in a database
6. WHAT IS A SQL INJECTION ATTACK?
Many web applications take user input from a form
Often this user input is used literally in the construction
of a SQL query submitted to a database. For example:
SELECT productdata FROM table WHERE productname = 'user input product name';
A SQL injection attack involves placing SQL statements
in the user input
7. HOW DOES SQL INJECTION WORK?
Common vulnerable login query
SELECT * FROM users
WHERE login = 'victor'
AND password = '123'
(If the query returns a row, the login succeeds)
ASP/MS SQL Server login syntax (JScript; formusr and formpwd come straight from the form and are pasted into the SQL text)
var sql = "SELECT * FROM users" +
          " WHERE login = '" + formusr +
          "' AND password = '" + formpwd + "'";
8. INJECTING THROUGH STRINGS
formusr = ' or 1=1 --
formpwd = anything
Final query would look like this:
SELECT * FROM users
WHERE login = '' or 1=1
-- AND password = 'anything'
(everything after -- is a comment, so the password check is never evaluated and 1=1 makes the WHERE clause true for every row)
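To see the slide's query behave this way and to see the fix, here is an added Python example that is not part of the deck. It uses an in-memory SQLite database in place of MS SQL Server (SQLite also treats -- as a comment), a constructed users table holding the row from slide 7, the deck's concatenated query beside a parameterized version, and this slide's input run against both. The function names, table contents and the demo() wrapper are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's MS SQL Server users
    table; the column names follow slide 7 (login, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    conn.commit()
    return conn


def login_vulnerable(conn, formusr, formpwd):
    """Builds the query by string concatenation exactly as the ASP snippet
    on slide 7 does, so quotes and comments in the input become SQL."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr +
           "' AND password = '" + formpwd + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0          # "if it returns a row, the login succeeds"


def login_safe(conn, formusr, formpwd):
    """Same query with bound parameters: the driver sends the values
    separately from the SQL text, so they can never change its structure."""
    rows = conn.execute(
        "SELECT * FROM users WHERE login = ? AND password = ?",
        (formusr, formpwd),
    ).fetchall()
    return len(rows) > 0


def demo():
    """Run the slide-8 input and two ordinary inputs against both versions."""
    conn = make_db()
    injected_user = "' or 1=1 --"   # the formusr value from slide 8
    return {
        "valid_vuln":  login_vulnerable(conn, "victor", "123"),
        "wrong_vuln":  login_vulnerable(conn, "victor", "wrong"),
        "inject_vuln": login_vulnerable(conn, injected_user, "anything"),
        "valid_safe":  login_safe(conn, "victor", "123"),
        "inject_safe": login_safe(conn, injected_user, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

With the concatenated query the injected username logs in as the first user in the table without a password, because the text that reaches the database is WHERE login = '' or 1=1 followed by a comment. With the parameterized query the same string is just a login value that matches no row, so the attempt is rejected; the ordinary victor/123 login works in both versions, which is why parameterization costs nothing in functionality.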
10. SQL INJECTION CHARACTERS
'  or  "      character string indicators
--  or  #     single-line comment
/* ... */     multiple-line comment
+             addition, concatenation (or a space in a URL)
||            (double pipe) concatenation
%             wildcard attribute indicator
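On the defending side the characters in this table are also a useful triage signal in logs. Below is an added Python example of my own, not from the deck, that turns the slide's list into a scanner over constructed form-submission log lines. The log format (one line per field, as ip field=value) and the field names formusr and formpwd are assumptions taken from slide 7; the sample lines are constructed, not real traffic.

```python
import re

# One regex per row of the deck's "SQL injection characters" table.
INDICATORS = [
    ("string delimiter",    re.compile(r"""['"]""")),
    ("single-line comment", re.compile(r"--|#")),
    ("multi-line comment",  re.compile(r"/\*.*?\*/", re.S)),
    ("concatenation",       re.compile(r"\|\||\+")),
    ("wildcard",            re.compile(r"%")),
]


def scan_value(value):
    """Return the labels of every indicator present in one form value."""
    return [label for label, rx in INDICATORS if rx.search(value)]


def scan_requests(log_lines):
    """Parse constructed log lines of the form '<ip> <field>=<value>' and
    return (ip, field, indicators) for each line that contains at least
    one indicator. Only the first '=' separates field from value, so an
    '=' inside the submitted value (as in 1=1) stays part of the value."""
    hits = []
    for line in log_lines:
        ip, _, rest = line.partition(" ")
        field, _, value = rest.partition("=")
        found = scan_value(value)
        if found:
            hits.append((ip, field, found))
    return hits


# Constructed sample: two ordinary logins, the slide-8 input, and a
# legitimate name containing an apostrophe.
SAMPLE_LOG = [
    "10.0.0.5 formusr=victor",
    "10.0.0.5 formpwd=123",
    "10.0.0.9 formusr=' or 1=1 --",
    "10.0.0.9 formpwd=anything",
    "10.0.0.7 formusr=O'Brien",
]


if __name__ == "__main__":
    for ip, field, found in scan_requests(SAMPLE_LOG):
        print(f"{ip} {field}: {', '.join(found)}")
```

The slide-8 input lights up two indicators at once (a string delimiter and a single-line comment), which is a much stronger signal than either alone. The O'Brien line shows why this belongs in alerting and review rather than in an input filter: a lone apostrophe is normal in names, and rejecting it would break real users while a parameterized query (slide 7) handles it correctly anyway.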
11. ALL TABLES AND COLUMNS IN ONE QUERY
union select 0, sysobjects.name + ': ' + syscolumns.name + ': ' + systypes.name,
       1, 1, '1', 1, 1, 1, 1, 1
  from sysobjects, syscolumns, systypes
 where sysobjects.xtype = 'U'
   and sysobjects.id = syscolumns.id
   and syscolumns.xtype = systypes.xtype --
(sysobjects, syscolumns and systypes are MS SQL Server system tables; xtype = 'U' restricts the result to user tables, and the column count must match the original SELECT for the UNION to succeed)