How to Hack a Database
What is SQL?
Database Basics
SQL Insert Basics
SQL Select Basics
SQL Where Basics
SQL AND & OR Basics
SQL Update Basics
SQL Delete Basics
SQL Injection Basics

Basic Database Functions
Structured Query Language
Common Language for a Variety of Databases
ANSI Standard
Database-Specific Extensions Use a Common Baseline Syntax
Scripting Language
Allows Comments (--)
Semicolon Terminates a Command (;)

Pros:
Very Flexible
Universal (Oracle, SQL Server, MySQL)
Relatively Few Commands to Learn
Cons:
Requires Detailed Knowledge of the Structure of the Database
Can Provide Misleading Results

Four Basic Operations: CRUD
C – Create (Insert)
R – Read (Select)
U – Update
D – Delete
INSERT – Allows Data to be Inserted into the Database
Three Basic Components
Table
Column(s)
Values

Syntax
INSERT INTO table ( column(s) ) VALUES ( value(s) )
Table – Name of the Table the Data is Being Stored In
Column(s) – Name of the Column, or Columns, to Insert Data Into
Value(s) – Values to Insert
Note: Columns and Values Must be in the Same Order
Select – Select Data from the Database
Syntax
SELECT column(s) FROM table WHERE condition
Column(s) – Column, or Columns, Names to Retrieve
"*" – Means All Columns from the Table
Table – Table Name to Get Data From
Can be More Than One Table

Example
SELECT state_name, state_abbr FROM states
SELECT * FROM agencies
Where Clause
Added to Refine the Result Set
Uses Conditional Operators: =, <>, >, >=, <, <=
BETWEEN x AND y
IN ( list )
LIKE '%string' ("%" is a wild-card)
IS NULL
NOT {BETWEEN / IN / LIKE / NULL}

Examples
SELECT * FROM annual_summaries WHERE sd_duration_code = '1'
SELECT state_name FROM states WHERE state_population > value
SELECT * FROM annual_summaries WHERE sd_duration_code IN ('1','W','X') AND annual_summary_year = 2000

Multiple WHERE Conditions are Linked by AND / OR
"AND" – All Conditions Must be True
"OR" – At Least One Condition Must be True
Group with ( )
Allows Changes to Row(s) of Data in a Table
Three Basic Parts
Name of the Table to Update
Column Name to Update
Value to Update
Can Update More Than One Column at a Time
Can Include a WHERE Clause for a More Refined Update

Syntax
UPDATE table SET column = value WHERE column = value
Example
UPDATE clubs SET ClubName = 'Club 1' WHERE ClubID = 1
Allows for Data to be Removed from the Database
One Required Part
Table Name
Can Delete All Data in the Table, or Just Selected Data
One Optional Part
WHERE Clause – Allows for a Selective Delete

Syntax
DELETE FROM table WHERE column = value
Table – Name of the Table to Remove Data From
Column – Name of a Column in the Table
Value – Value that is in the Column
Example
DELETE FROM clubs (Deletes All Data in the Table)
DELETE FROM clubs WHERE ClubID = 1
SQL Injection Takes Advantage of Poor Programming
Inserting SQL Commands into an Input Field for Exploitation
Example
User Name / Password Input: (admin, admin)
Into SQL: SELECT * FROM users WHERE username = 'admin' AND password = 'admin'
Returns Data for User admin Where Password is admin

SQL Injection
Input: (admin, ' or 1 = 1 --)
SQL: SELECT * FROM users WHERE username = 'admin' AND password = '' or 1 = 1 --
Returns Data for User admin Where Password is Empty OR 1 = 1 (Always True)
Note: This Will Return All Data in the Table

Can Create a New User Using the Same User Name / Password Field
Example Input: (admin, ';INSERT INTO Users VALUES ('Hijack','This') --)
SQL: SELECT * FROM users WHERE username = 'admin' AND password = '';INSERT INTO Users VALUES ('Hijack','This') --
Note: Creates a New User (Hijack) with a Password (This)

Can Change Table Values Using the Same User Name / Password Field
Example Input: (admin, ';UPDATE Orders SET Amount = 0.01 --)
SQL: SELECT * FROM users WHERE username = 'admin' AND password = '';UPDATE Orders SET Amount = 0.01 --
Note: Sets All Order Amounts to One Cent
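As an added example that is not part of the original slides: the login query above built two ways, by string concatenation (the poor-programming form the slides describe) and with bound parameters, run against a constructed in-memory SQLite table so the difference is visible. The table contents and the login_* function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample users for this example (not from the original slides).
USERS = [("admin", "admin"), ("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory users table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, as the slides describe.
    The input becomes part of the SQL text, so a quote closes the
    string literal and -- comments out the rest of the statement;
    AND binds tighter than OR, so `or 1 = 1` matches every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    as data, never as SQL text, so `' or 1 = 1 --` is compared
    literally against the password column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1 = 1 --"          # the input from the slides
    print(login_vulnerable(db, "admin", "admin"))      # ['admin']
    print(login_vulnerable(db, "admin", payload))      # every user
    print(login_parameterized(db, "admin", payload))   # []
```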
Practice Sites
SQL: qlintro/miniweb/index.htm
SQL Injection: basic-sql-injection-with-login.html