SQL Injection by Prashant Sirohi


  • 7/29/2019 SQL Injection by Prashant Sirohi

    1/21

    SQL INJECTION

    Presented By: Prashant Sirohi (CS09077)

    Jaipur Engineering College, Kukas, Jaipur

  • 2/21

    What is SQL?

    SQL stands for Structured Query Language.

    It allows us to access our database by:

    o Insert data into the database
    o Retrieve data from the database
    o Update data in the database
    o Delete data from the database
    o Execute specific commands on the database

    The most current standard is SQL99.

  • 3/21

    SQL INJECTION

    SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data.

    This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database.

  • 4/21

    SQL Data Manipulation Language (DML)

    SQL includes syntax to select, update, insert, and delete records:

    SELECT - extracts data
    UPDATE - updates data
    INSERT INTO - inserts new data
    DELETE - deletes data

  • 5/21

    SQL Data Definition Language (DDL)

    The Data Definition Language (DDL) part of SQL permits:

    Database tables to be created or deleted
    Indexes (keys) to be defined
    Links between tables to be specified
    Constraints between database tables to be imposed

    Some of the most commonly used DDL statements in SQL are:

    CREATE TABLE - creates a new database table
    ALTER TABLE - alters (changes) a database table
    DROP TABLE - deletes a database table

  • 6/21

    How common is it?

    It is probably the most common website vulnerability today!

    It is a flaw in "web application" development; it is not a DB or web server problem.

    Most programmers are still not aware of this problem.

    A lot of the tutorials & demo templates are vulnerable.

    Even worse, a lot of solutions posted on the Internet are not good enough.

    In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection.

  • 7/21

    Vulnerable Applications

    Almost all SQL databases and programming languages are potentially vulnerable: MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.

    Accessed through applications developed using:

    Perl and CGI scripts that access databases
    ASP, JSP, PHP
    XML, XSL and XSQL
    Javascript
    VB, MFC, and other ODBC-based tools and APIs
    DB-specific Web-based applications and APIs
    Reports and DB Applications
    3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)

  • 8/21

    SQL INJECTION

  • 9/21

    SQL Injection Characters

    ' or " - character string indicators
    -- or # - single-line comment
    /**/ - multiple-line comment
    + - addition, concatenate (or space in URL)
    || (double pipe) - concatenate
    % - wildcard attribute indicator
    ?Param1=foo&Param2=bar - URL parameters
    PRINT - useful as a non-transactional command
    @variable - local variable
    @@variable - global variable
    waitfor delay '0:0:10' - time delay

  • 10/21

    How does it work?

    Several websites have forms where they ask for user input, such as login, search, etc.

    Often, user input from these forms is used directly in SQL query construction. For example:

    SELECT * FROM Users
    WHERE user = USER INPUT
    AND password = USER INPUT

    SQL injection happens when an attacker puts a SQL statement into these forms.

  • 11/21

    Example 1

    USERNAME: blah OR 1 = 1

    PASSWORD: blah OR 1 = 1

    Resulting Query:

    SELECT * FROM USERS
    WHERE user = blah OR 1 = 1
    AND password = blah OR 1 = 1

    Thus, the attacker was able to log in without valid credentials.


  • 13/21

    Example 2

    USERNAME: blah; DROP TABLE USERS; --

    Resulting Query:

    SELECT * FROM USERS
    WHERE user = blah; DROP TABLE USERS; --

    *Note how the comment (--) consumes the final quote.

    This query will cause our entire Users table to be deleted.

    *Many popular database products do not allow multiple queries in one call anymore.

  • 14/21

    Example 3: URL Injection

    http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT username, password FROM USERS

    Resulting Query:

    SELECT ProductName, ProductDescription
    FROM Products
    WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;

    The attacker now has the username and password of every user in the database.

  • 15/21

    http://www.victimsite.com/resources/?id=1

  • 16/21

    Conclusion

    SQL Injection is something that is no longer possible on many websites nowadays.

    But there is still a large list of vulnerable websites.

    It results from poor coding by programmers and developers.

    So, while developing a site, the problems that may arise due to SQL injection must not be neglected.

    Proper preventive steps should be taken while developing a website.

  • 17/21

    Prevention: Input Sanitization

    Search for and remove special characters, such as apostrophes (') or quotation marks (")

    -> \

    -> '

    Search for and remove query words like DROP

    Can be tedious and time-consuming

  • 18/21

    Prevention: Parameterized Queries

    Parameterized queries are passed variable parameters as input.

    Example:

    $name = $_REQUEST['name'];
    $email = $_REQUEST['email'];
    $params = array($name, $email);
    $sql = 'INSERT INTO CustomerTable (Name, Email) VALUES (?, ?)';
    $stmt = sqlsrv_query($conn, $sql, $params);

    This method ensures that input strings are treated as strings, not queries.
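The login query of slides 10 and 11, the stacked-query input of slide 13 and the placeholder style shown on this slide, put side by side in an added Python/sqlite3 example (this code is not from the presentation; the users table, the alice/s3cret account and the quoting of the payload strings are constructed for the demo):

```python
import sqlite3

# Constructed in-memory demo database; alice/s3cret is the only real account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")


def login_vulnerable(user, password):
    """Builds the slide 10 query by pasting the form values into the SQL text."""
    sql = ("SELECT * FROM users WHERE user = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(user, password):
    """Same query with ? placeholders: the values are bound as data and never
    parsed as SQL, which is what the PHP example on this slide relies on."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def stacked_query_rejected(user):
    """Slide 13 case: sqlite3's execute() accepts one statement per call, so a
    value that appends '; DROP TABLE users; --' is refused before anything runs
    (older CPython releases raised sqlite3.Warning instead of ProgrammingError)."""
    sql = "SELECT * FROM users WHERE user = '" + user + "'"
    try:
        conn.execute(sql)
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


def user_count():
    """Number of rows still in users; shows the table survived the stacked query."""
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    bypass = "blah' OR '1' = '1"      # slide 11 payload, quoted to fit this query
    print(login_vulnerable("alice", "s3cret"))       # True
    print(login_vulnerable(bypass, bypass))          # True: logged in with no credentials
    print(login_parameterized("alice", "s3cret"))    # True
    print(login_parameterized(bypass, bypass))       # False: payload is just a string
    print(stacked_query_rejected("blah'; DROP TABLE users; --"))  # True
    print(user_count())                              # 1: table still intact
```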

  • 19/21

    Prevention: Closed System Database

    Give the web application the minimum permissions necessary to perform the queries it must perform.

    This limits the types of queries an intruder can perform if an SQL injection vulnerability is exploited.
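An added example (not from the presentation) of the least-privilege idea on this slide, using SQLite's authorizer hook in place of the account permissions a server database would grant; the products/users tables, the callback name least_privilege and the queries are constructed for the demo. It shows that a statement which slips past the application can still be refused by the database itself.

```python
import sqlite3

# Constructed demo database: the product page only needs to read products,
# but the same database also holds the users table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE products (id INTEGER, name TEXT);
    INSERT INTO products VALUES (123, 'Widget');
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('alice', 's3cret');
""")

# The only tables the web application's database identity may read.
READABLE_TABLES = {"products"}


def least_privilege(action, arg1, arg2, dbname, source):
    """Authorizer callback (hypothetical name). It permits SELECT statements
    that read the allowed tables and refuses every other action, so DROP,
    DELETE, INSERT and any read of users are rejected at the database."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


conn.set_authorizer(least_privilege)


def run(sql):
    """Returns the result rows, or None when the database refuses the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:      # SQLite reports 'not authorized'
        return None


if __name__ == "__main__":
    # The legitimate product lookup from slide 14 still works.
    print(run("SELECT name FROM products WHERE id = 123"))          # [('Widget',)]
    # The UNION from slide 14 parses fine, but reading users is denied.
    print(run("SELECT name FROM products WHERE id = 123 "
              "UNION SELECT password FROM users"))                   # None
    # The stacked DROP from slide 13 is denied even if it reaches the database.
    print(run("DROP TABLE users"))                                   # None
```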

  • 20/21

    Thank You

  • 21/21

    Queries???