(CyberSec'24) Lab06 - Student Version
Hands-On 1, 2
SQL Fundamentals
How Do Relational Databases Work?
Important SQL Commands
SQL Special Characters
SELECT Statement Syntax
● The SQL code snippet above queries the database, asking for the name and the
description attributes of a record in the products table. In this example, the selected
record has an id of 9.
UNION Statement Syntax
● The SQL code snippet above queries the database, asking for the name and the description
attributes of a record in the products table in addition to querying the database for the price
attribute of the record with an id equal to 9.
SQL Comments
● There are two strings you can use to comment a line in SQL:
o # (the hash symbol)
o -- (two dashes followed by a space)
Introduction to SQL Injection
What is SQL Injection?
● SQL injection (SQLi) is a web application injection vulnerability that
occurs when an attacker injects malicious SQL statements into an
application's input fields.
● This occurs when a web application does not properly validate user
input, allowing an attacker to inject SQL code/queries that can
manipulate the database or gain access to sensitive information.
● For example, suppose a website has a login form that accepts a
username and password. If the website does not properly validate
the user's input, an attacker could enter a malicious SQL statement
into the username field that would allow them to bypass the login
process and gain access to the website's database.
Anatomy of an SQL Injection Attack
SQL Injection Types & Subtypes
In-Band SQL Injection
● In-band SQLi occurs when the attacker uses the same
communication channel to both launch the attack and gather the
result of the attack.
● Easier to exploit than other categories of SQLi.
● Two common types of in-band SQLi:
o Error-based SQLi
o Union-based SQLi
Error-Based SQL Injection
● Error-based SQLi is an in-band SQLi technique that forces the
database to generate an error, giving the attacker information upon
which to refine their injection.
● Example:
Exploiting The Single Quote (')
● If we consider a login form where the username and password inputs
are concatenated into an SQL query without proper validation:
● If the application does not handle the single quote character in the
input correctly, an attacker can inject a single quote to terminate
the string literal and add their malicious SQL code. Here's an
example of an attack payload:
Exploiting The Single Quote (')
● The modified query would become:
● In this example, the single quote ' is injected before the payload OR
'1'='1'; --. The purpose of the injected single quote is to close the
string literal that encompasses the username input field.
● Then, the attacker's injected SQL code ' OR '1'='1'; -- causes the
condition '1'='1' to evaluate to true, effectively bypassing the
authentication mechanism.
Common SQLi Payloads
Union-Based SQL Injection
● Union-based SQLi is an in-band SQLi technique that leverages the
UNION SQL operator to combine the results of two queries into a
single result set.
● Example:
In-Band SQL Injection: DEMO
● Try to input the following payloads:
o '
o ' or 1=1#
o ' union select all 1,2,3,4,5,6,7#
o ' union select all 1,database(),user(),system_user(),@@version,6,7#
Inferential (Blind) SQL Injection
● Blind SQLi occurs where there is no actual transfer of data via the
web application.
● Just as dangerous as in-band SQL injection.
● The attacker is able to reconstruct the information by sending particular
requests and observing the resulting behavior of the DB server.
● Takes longer to exploit than in-band SQL injection.
● Two common types of blind SQLi:
o Boolean-based SQLi
o Time-based SQLi
Boolean-Based Blind SQLi
● Boolean-based SQLi is a blind SQLi technique that
uses Boolean conditions to return a different result
depending on whether the query returns a TRUE or
FALSE result.
Boolean-Based Blind SQLi: DEMO
● Try to input the following payloads:
o 'or 1=1#
o ' or 1=1 and database()='bWAPP' #
o ' or 1=1 and substring(database(),1,1)='b' #
Time-Based Blind SQLi
● Time-based SQLi is a blind SQLi technique that relies on making the
database pause for a specified amount of time before returning the results;
the observed delay indicates that the injected SQL query was executed.
● Example:
o If the first character of the administrator's hashed password is an 'a',
wait for 10 seconds.
Time-Based Blind SQLi: DEMO
● Try to input the following payload:
o ' or 1=1 and sleep(1) #
Out-of-Band SQL Injection
● The least common type of SQL injection attack. It involves an
attacker exploiting a vulnerability in a web application to extract
data from a database using a different channel, other than the web
application itself.
● The attacker can use various techniques to extract data from the
database, such as sending HTTP requests to an external server
controlled by the attacker or using DNS queries to extract data.
Impact of SQL Injection Attacks
● Unauthorized access to sensitive data.
o Confidentiality – SQLi can be used to view sensitive information, such as
application usernames and passwords
o Integrity – SQLi can be used to alter data in the database
o Availability – SQLi can be used to delete data in the database
● Can sometimes be chained with other vulnerabilities to gain remote
code execution on the host operating system.
Preventing SQL Injection Attacks
● Use of Prepared Statements (Parameterized Queries): The construction of the
SQL statement is performed in two steps:
o The application specifies the query’s structure with placeholders for each user input
o The application specifies the content of each placeholder
● Use of Stored Procedures: A stored procedure is a batch of statements grouped
together and stored in the database. Stored procedures are not always safe from SQL
injection; they still need to be called in a parameterized way.
● Whitelist Input Validation: Defining what values are authorized. Everything else is
considered unauthorized. Useful for values that cannot be specified as parameter
placeholders, such as the table name.
● Escaping All User Supplied Input: Should only be used as a last resort.
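As an added illustration of the prepared-statement and whitelist points above (example code written for this page, not code from the lab, the slides or bWAPP), the following Python script builds a constructed in-memory SQLite table, contrasts a concatenated login query with a parameterized one using the ' OR '1'='1'; -- payload discussed earlier, and whitelists a table name that cannot be passed as a placeholder. The users table, the alice account and the ALLOWED_TABLES set are assumptions for the example, and SQLite is used in place of the lab's MySQL so it runs offline.

```python
import sqlite3

ALLOWED_TABLES = {"users", "products"}  # assumed whitelist for this example


def make_db():
    """Build a constructed in-memory SQLite database with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL string, so a single
    quote in the input closes the literal and changes the query's structure."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_prepared(conn, username, password):
    """Prepared statement: the structure is fixed first with ? placeholders and
    the values are bound afterwards, so input is only ever compared as data."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def count_rows(conn, table):
    """Whitelist validation for an identifier that cannot be a placeholder."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table name not in whitelist: %r" % table)
    return conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


def run_checks():
    """Return (concat_bypassed, prepared_bypassed, prepared_valid_login)."""
    conn = make_db()
    payload = "' OR '1'='1'; --"  # the username payload from the slides
    return (login_concat(conn, payload, "wrong"),
            login_prepared(conn, payload, "wrong"),
            login_prepared(conn, "alice", "s3cret"))


if __name__ == "__main__":
    print(run_checks())  # (True, False, True)
```

The concatenated query becomes SELECT id FROM users WHERE username = '' OR '1'='1'; --' AND password = 'wrong', so the password check is commented away, while the prepared statement simply finds no user with that literal name.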
Hands-On: SQL Injection Room
(is.gd/lab7a)
Bonus: RedTiger's Hackit
(is.gd/lab7b)
QUESTIONS?
THANK YOU