Network and Information Security Laboratory
Assignment No – 09
Title: Simulation of SQL Injection
PART A
SQL Injection Attack:
SQL injection is a code insertion or "injection" technique used to attack data-driven applications, in which malicious SQL statements are inserted or "injected" into an entry field for execution. A successful SQL injection exploit can read raw data from the database, modify database data (DML/DDL/DQL), execute administrative operations on the database, and so on.
The OWASP organization (Open Web Application Security Project) lists injection, with SQL injection as its main example, as the number one threat to web application security in its OWASP Top 10 2017 report.
Types of SQL Injections:
In-Band SQLi: Error-based SQLi, UNION-based SQLi
Inferential (Blind) SQLi: Boolean-based SQLi, Time-based SQLi
Out-of-Band SQLi
Fig: Types of SQL Injection
Various input strings that cause SQL Injection are:
Anything' or 'x'='x (the trailing quote is omitted here because the application's SQL statement already supplies the closing quote around the input).
Anything' or 1 = 1
UNION-based SQL queries, for example:
Url/dept_id = 1 UNION select column_name from users--+
Commenting out part of the SQL query:
While performing SQL Injection, the rest of the query after the payload sometimes needs to be commented out.
For example: password' or '1' = '1' --  or  password' or '1' = '1'#
For example: something' or '1' = '1' --+ (for URLs)
Installation Steps
OS Configurations:
Windows 10, 64-bit Operating System
Local Server: XAMPP (Cross-Platform Apache, MySQL, PHP, Perl)
Apache HTTP Server, version 2.4.41
XAMPP version 3.2.4
Fig: XAMPP Control Panel
Database: MySQL
Database Name: test_db
Table Name: users
Column Names: username, password
Fig: Database Structure
Fig: users table
Demonstration of actual SQL Injection Attack
A login page has been designed to take a username and password from the user. This login page is connected to the MySQL database, and the username and password are cross-checked against the credentials stored in the database.
Fig: Login Page Design
The login page is accessed using the Apache local server:
http://localhost/login.html
To perform SQL Injection, the username is entered as admin and the password as admin@123'OR'a'='a, or simply 'OR'a'='a
The normal SQL statement for login is:
SELECT * from users where username='admin' AND password='admin@123'
After the extra input is added to the password field, the SQL statement becomes:
SELECT * from users where username='admin' AND password='admin@123' OR 'a'='a'
Because 'a'='a' is always true and it is joined to the rest of the condition with OR, the WHERE clause matches regardless of the password, so the statement returns rows and the user is logged in successfully.
Fig: SQL Injection
Fig: users table exposed after SQL Injection
Prevention of SQL Injection
SQL Injection can be prevented by using prepared statements. In this example, PDO is used.
PDO (PHP Data Objects) is a database abstraction layer that lets developers work with many different types of databases quickly and securely.
The first step is to connect to the database using:
Next, prepared statements are used: placeholders stand in for the data rather than the data itself. Prepared statements prevent SQL Injection because the user's input is bound to a placeholder and never becomes part of the SQL text, so it cannot change the structure of the statement.
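The following is an added example, not code from the lab itself: it rebuilds the lab's login check twice, once by splicing input into the SQL text as the vulnerable page does, and once with a prepared statement, and runs the page's own payload against both. It uses Python's sqlite3 module with an in-memory stand-in for the test_db.users table (the `?` placeholder convention is the same one PDO accepts), so the results carry over to the PHP/PDO login.

```python
import sqlite3

# Constructed sample rows standing in for the lab's test_db.users table.
USERS = [("admin", "admin@123"), ("alice", "s3cret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the original login page: input is concatenated into the SQL
    # text, so a quote in the password field changes the query's structure.
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    # Prepared statement: the SQL text is fixed, the values are bound to the
    # placeholders and are compared as data, never parsed as SQL.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    payload = "admin@123'OR'a'='a"  # the password used in the lab
    return {
        "vuln_valid": len(login_vulnerable(conn, "admin", "admin@123")),
        "vuln_injected": len(login_vulnerable(conn, "admin", payload)),
        "prep_valid": len(login_prepared(conn, "admin", "admin@123")),
        "prep_injected": len(login_prepared(conn, "admin", payload)),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the injected password matches every row of the table (the AND binds first, then OR 'a'='a' is true for all rows), while the prepared statement returns nothing because no row has that literal password.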
The login page is again accessed using the Apache local server:
http://localhost/login.html
The login page accepts a username and password as input. Here the password field is given the input 'OR'a'='a and the login is denied because the credentials are invalid.
Fig: SQL Injection Prevention
Fig: SQL Injection Failed (Invalid Credentials)
For valid input, access is granted.
Fig: Valid Credentials
Fig: Login Successful for Valid Credentials