Sqli
Samsung Research
Tutorial Guide
SQLi 101
Web SQL Injection?
SQL (Structured Query Language) injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
https://en.wikipedia.org/wiki/SQL_injection
Old, but steady
[Chart: Web application attack statistics: 2017 in review]
Introduction to the SQL SELECT statement
▪ Used to select (retrieve) records from a database.
▪ Syntax: SELECT col1, col2, … FROM table_name;
WHERE clause
▪ Used to filter the records returned by a SQL statement.
▪ Syntax: SELECT col1, col2, … FROM table_name WHERE condition;
▪ Logical operators such as AND, OR, etc. are available in the condition.
Example ‘users’ table:
idx | id    | pw
1   | James | sosecure
2   | Mike  | mysecretpwd
3   | Smith | mrmrssmith
…   | …     | …
Example
SELECT * FROM `users` WHERE id='Mike' AND pw='mysecretpwd';
Simple Use Case
[Diagram: USER ⇄ SERVER ⇄ DB, with a request and a response in each direction]

with general login-form
[Diagram: login form with user_id and password fields]

Server Implementation
[Diagram: USER ⇄ SERVER ⇄ DB; the SERVER receives user_id and password and answers with a response]

Login Request
[Diagram: USER ⇄ SERVER ⇄ DB]
https://server/login?id=user_id&pw=password

Query Construction
[Diagram: USER ⇄ SERVER ⇄ DB; the SERVER builds the SQL query from user_id and password]

Actual Query
[Diagram: USER ⇄ SERVER ⇄ DB; the constructed query is sent to the DB]

Malicious Request
[Diagram: USER ⇄ SERVER ⇄ DB]
https://server/login?id=admin' OR '1'='1&pw=whatever

Query Construction
[Diagram: USER ⇄ SERVER ⇄ DB; the SERVER builds the SQL query from the malicious user value and password]

Actual Query
[Diagram: USER ⇄ SERVER ⇄ DB; the injected query is sent to the DB and the response is returned to the USER]
Quiz #1
Solution for Quiz #1
Let’s practice
Challenge Definition
Removing unnecessary parts
What we want
▪ SELECT * FROM users WHERE id='admin'
▪ Nothing after the id check in the WHERE clause.
Comment out
▪ '--' or '#' indicates a comment in SQL ('#' is MySQL-specific; in MySQL '--' must be followed by a space).
▪ SQL text after '--' or '#' is regarded as a comment and is not processed.
▪ We can insert '--' or '#' into the SQL statement to nullify the unnecessary clauses.
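The login flow from the Server Implementation / Query Construction / Actual Query slides and the comment-out trick from this slide, replayed end to end. This is an added example, not code from the original slides: it builds the slides' `users` table in an in-memory SQLite database (the `admin` row, the password values and the function names `build_query`, `login_vulnerable`, `login_parameterized` and `run_cases` are constructed for the example), runs the Malicious Request and the `admin'--` payload through a server that concatenates the request parameters into the SQL text, and runs the same inputs through a parameterized query for comparison.

```python
# Added example (not from the original slides): vulnerable vs. parameterized
# login, run against an in-memory SQLite copy of the slides' `users` table.
import sqlite3

# Constructed sample data: the three rows shown on the slides plus an assumed
# `admin` row, since the payload `admin' OR '1'='1` only pays off when an
# account named admin exists.
USERS = [
    (1, "James", "sosecure"),
    (2, "Mike", "mysecretpwd"),
    (3, "Smith", "mrmrssmith"),
    (4, "admin", "n0t-on-the-slides"),
]


def setup_db() -> sqlite3.Connection:
    """Build the slides' `users` table (idx, id, pw) in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idx INTEGER PRIMARY KEY, id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def build_query(user_id: str, password: str) -> str:
    """'Query Construction' as the vulnerable server does it: the request
    parameters are pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE id='{user_id}' AND pw='{password}'"


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str):
    """Run the constructed query. Returns the matched account's id, None when
    no row matches, or an 'SQL error: ...' string when the query is malformed."""
    try:
        row = conn.execute(build_query(user_id, password)).fetchone()
    except sqlite3.OperationalError as exc:
        # A malformed query is itself a signal to an attacker (error-based
        # probing); a real server must not echo this text back to the client.
        return f"SQL error: {exc}"
    return row[1] if row else None


def login_parameterized(conn: sqlite3.Connection, user_id: str, password: str):
    """Hardened version: fixed SQL text with bound parameters, so quotes and
    comment markers inside the input are data, not syntax."""
    row = conn.execute(
        "SELECT * FROM users WHERE id=? AND pw=?", (user_id, password)
    ).fetchone()
    return row[1] if row else None


def run_cases():
    """Replay the slides' requests against both implementations.
    Maps user_id -> (query text, vulnerable result, parameterized result)."""
    conn = setup_db()
    cases = [
        ("Mike", "mysecretpwd"),           # legitimate login from the 'Example' slide
        ("admin' OR '1'='1", "whatever"),  # 'Malicious Request' slide
        ("admin'--", "whatever"),          # 'Comment out' slide: -- drops the pw check
        ("admin'#", "whatever"),           # '#' is a comment in MySQL, not in SQLite
    ]
    results = {}
    for user_id, password in cases:
        results[user_id] = (
            build_query(user_id, password),
            login_vulnerable(conn, user_id, password),
            login_parameterized(conn, user_id, password),
        )
    return results


if __name__ == "__main__":
    for user_id, (query, vuln, safe) in run_cases().items():
        print(f"id={user_id!r}")
        print(f"  query:          {query}")
        print(f"  vulnerable:     {vuln}")
        print(f"  parameterized:  {safe}")
```

Two details worth noticing when you run it. The Malicious Request builds `... WHERE id='admin' OR '1'='1' AND pw='whatever'`, and because AND binds tighter than OR this matches only the `admin` row, not every row: the payload logs you in as admin without the password rather than dumping the table. The `admin'#` case fails with a syntax error here because `#` is a MySQL comment marker and SQLite only understands `--`; on MySQL it would behave like `admin'--`, and MySQL additionally requires whitespace after `--`. The parameterized login returns None for every injected input because the values never become part of the SQL text.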
Not so complex at all
Give it a shot!