7/29/2019 SQL Injection by Prashant Sirohi
SQL INJECTION
Presented By:
Prashant Sirohi
CS09077
JAIPUR ENGINEERING COLLEGE
KUKAS, JAIPUR
What is SQL?
SQL stands for Structured Query Language.
It allows us to access our database by:
o Inserting data into the database
o Retrieving data from the database
o Updating data in the database
o Deleting data from the database
o Executing specific commands on the database
The most current standard is SQL99.
SQL INJECTION
SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data.
This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database.
SQL Data Manipulation Language (DML)
SQL includes a syntax to select, update, insert, and delete records:
SELECT - extracts data
UPDATE - updates data
INSERT INTO - inserts new data
DELETE - deletes data
SQL Data Definition Language (DDL)
The Data Definition Language (DDL) part of SQL permits:
Database tables to be created or deleted
Indexes (keys) to be defined
Links between tables to be specified
Constraints between database tables to be imposed
Some of the most commonly used DDL statements in SQL are:
CREATE TABLE - creates a new database table
ALTER TABLE - alters (changes) a database table
DROP TABLE - deletes a database table
How common is it?
It is probably the most common website vulnerability today!
It is a flaw in "web application" development; it is not a DB or web server problem.
Most programmers are still not aware of this problem.
A lot of the tutorials and demo templates are vulnerable.
Even worse, a lot of the solutions posted on the Internet are not good enough.
In our pen tests, over 60% of our clients turn out to be vulnerable to SQL Injection.
Vulnerable Applications
Almost all SQL databases and programming languages are potentially vulnerable:
MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
Perl and CGI scripts that access databases
ASP, JSP, PHP
XML, XSL and XSQL
Javascript
VB, MFC, and other ODBC-based tools and APIs
DB-specific Web-based applications and APIs
Reports and DB Applications
3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
SQL INJECTION
SQL Injection Characters
' or " - character string indicators
-- or # - single-line comment
/**/ - multiple-line comment
+ - addition, concatenate (or space in URL)
|| (double pipe) - concatenate
% - wildcard attribute indicator
?Param1=foo&Param2=bar - URL parameters
PRINT - useful as a non-transactional command
@variable - local variable
@@variable - global variable
waitfor delay '0:0:10' - time delay
How does it work?
Several websites have forms that ask for user input, such as login and search forms.
Often, user input from these forms is used directly in SQL query construction.
For example:
SELECT from Users
WHERE user = USER INPUT
AND password = USER INPUT
SQL injection happens when an attacker puts an SQL statement into these forms.
Example 1
USERNAME: blah OR 1 = 1
PASSWORD: blah OR 1 = 1
Resulting Query:
SELECT FROM USERS
WHERE user = blah OR 1 = 1
AND password = blah OR 1 = 1
Thus, the attacker was able to log in without valid credentials.
Example 2
USERNAME: blah; DROP TABLE USERS; --
Resulting Query:
SELECT FROM USERS
WHERE user = blah; DROP TABLE USERS; --
*Note how the comment (--) consumes the final quote.
This query will cause our entire Users table to be deleted.
*Many popular database products no longer allow multiple queries in one statement.
Example 3
URL INJECTION
http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT username, password FROM USERS
RESULTING QUERY:
SELECT ProductName, ProductDescription
FROM Products
WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;
The attacker now has the username and password of every user in the database.
http://www.victimsite.com/resources/?id=1
Conclusion
SQL Injection is no longer possible on many websites nowadays.
But there is still a large list of vulnerable websites.
It results from poor coding practice by programmers and developers.
So, while developing a site, the problems that may arise due to SQL injection must not be neglected.
Proper preventive steps should be taken while developing a website.
Prevention: Input Sanitization
Search for and remove special characters, such as apostrophes or quotation marks, or escape them (e.g. ' -> \')
Search for and remove query words like DROP
Can be tedious and time-consuming
Prevention: Parameterized Queries
Parameterized queries are passed variable parameters as input.
Example (PHP with the SQLSRV driver):
    $name = $_REQUEST['name'];
    $email = $_REQUEST['email'];
    $params = array($name, $email);
    $sql = 'INSERT INTO CustomerTable (Name, Email) VALUES (?, ?)';
    $stmt = sqlsrv_query($conn, $sql, $params);
This method ensures that input strings are treated as strings, not queries.
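The following added example (not from the slides) reproduces Example 1 and Example 2 against a constructed in-memory SQLite database and contrasts the concatenated query with the parameterized form described on this slide. Table and user names are made up for the demonstration.

```python
import sqlite3

# Constructed demo database (not from the slides): two users, plaintext
# passwords only so the effect of each query is easy to see.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (user TEXT, password TEXT)")
conn.execute("INSERT INTO Users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")


def build_query_vulnerable(user, password):
    # String concatenation: the input becomes part of the SQL text itself.
    return ("SELECT user FROM Users WHERE user = '" + user +
            "' AND password = '" + password + "' ORDER BY user")


def login_vulnerable(user, password):
    # Returns the usernames the concatenated query matches.
    return [r[0] for r in conn.execute(build_query_vulnerable(user, password))]


def login_safe(user, password):
    # Parameterized query: the driver binds the values, so a quote or a
    # comment marker in the input is just data, never SQL syntax.
    sql = "SELECT user FROM Users WHERE user = ? AND password = ? ORDER BY user"
    return [r[0] for r in conn.execute(sql, (user, password))]


def stacked_query_is_rejected(user):
    # Example 2 relies on running a second statement after ';'. The sqlite3
    # driver executes one statement per call and refuses the rest, which is
    # the "no multiple queries" behaviour the slide mentions.
    try:
        conn.execute(build_query_vulnerable(user, "x"))
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def users_remaining():
    return conn.execute("SELECT count(*) FROM Users").fetchone()[0]


if __name__ == "__main__":
    payload = "blah' OR 1 = 1 --"          # Example 1: WHERE clause is always true
    print(build_query_vulnerable(payload, "x"))
    print(login_vulnerable(payload, "x"))   # ['alice', 'bob']: everyone matches
    print(login_safe(payload, "x"))         # []: the quote is just a character
    print(stacked_query_is_rejected("blah'; DROP TABLE Users; --"))  # True
    print(users_remaining())                # 2: the table is still there
```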
Prevention: Closed System Database
Give the web application the minimum permissions necessary to perform the queries it must perform.
This limits the types of queries an intruder can perform if an SQL injection vulnerability is exploited.
Thank You
Queries???