SQL Injection and behind... - Arjun M

Upload: arjunguptam

Post on 04-Jul-2015


DESCRIPTION

The very basics of SQLi, the cause of SQLi in web applications and testing approach

TRANSCRIPT

Page 1: SQL Injections and Behind

SQL Injection and behind...

- Arjun M

Page 2: SQL Injections and Behind

Beating my own drums...

Arjun Gupta M

fb.com/arjungupta.m

▪ Working with Birlasoft, security analyst at World Bank Group... just because I have to work

▪ I enjoy hacking... de facto I know nothing else

▪ Always a learner

▪ Long rides, Planting trees, Charities

▪ Indian...I take pride in this

Page 3: SQL Injections and Behind

Let’s start with DB and SQL

▪ Database is an organized collection of data.

▪ Easy to Access, Manage and Update the data.

▪ SQL / Structured Query Language is the standard language to interact with databases.

▪ DBs and True/False are thick friends... let's see why, further on.

Page 4: SQL Injections and Behind

SQLI and the infamous ‘

▪ SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.

– Get / Post parameters, Cookies, Referrer header, User Agent and so on…

▪ It involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data.

▪ It is caused by incorrectly filtering special characters before the input is used in a query.

▪ The infamous rogue character that we love is ' (the single quote), which breaks the query syntax and lets us do the work.

Page 5: SQL Injections and Behind

Honors and greatness of SQLI

▪ SQLi was ranked first on the MITRE Common Weakness Enumeration (CWE) in 2011.

▪ Top Vulnerability in OWASP Top 10 (2010 and 2013) under Injection category.

▪ SANS Top 25 Most Dangerous Software Errors list.

Authentication bypass, complete takeover of the database.

If you are still lucky, you can get the command shell too.

Page 6: SQL Injections and Behind
Page 7: SQL Injections and Behind

Authentication Bypass

BUT HOW

Page 8: SQL Injections and Behind

How does it work…

▪ The query used by the developer to validate the login credentials is:

Select * from users where username='$user' and password='$pwd';

– If the DB returns one row, the user gets logged in.

▪ Instead of legitimate credentials, I inject admin' AND '1'='1' --  (with a trailing space) as the username.

▪ Everything after -- is treated as a comment, so the following query is sent to the DB for execution:

Select * from users where username='admin' AND '1'='1';

▪ The DB processes the above query and returns one row, as the expression '1'='1' is always True and the username also exists.
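The login check above, as an added example that is not part of the original deck: the deck's interpolated query beside the parameterized fix, run against a constructed in-memory SQLite `users` table with the deck's exact username payload. Table contents and passwords are constructed sample data.

```python
import sqlite3

PAYLOAD = "admin' AND '1'='1' -- "   # the deck's username payload (trailing space matters)

def make_db():
    """Constructed in-memory stand-in for the deck's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("bob", "hunter2")])
    return conn

def build_query(user, pwd):
    """String interpolation exactly as in username='$user' and password='$pwd'."""
    return f"SELECT * FROM users WHERE username='{user}' AND password='{pwd}';"

def login_vulnerable(conn, user, pwd):
    """Vulnerable login: attacker-supplied text becomes SQL syntax.
    The -- in the payload comments out the whole password clause."""
    rows = conn.execute(build_query(user, pwd)).fetchall()
    return len(rows) >= 1   # "if the DB returns one row, the user gets logged in"

def login_safe(conn, user, pwd):
    """Fixed login: bound parameters are sent to the engine as values,
    so quotes and -- inside the input are data, never SQL syntax."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (user, pwd)
    ).fetchall()
    return len(rows) >= 1

def demo():
    """Run both versions with legitimate credentials and with the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "S3cret!"),
        "legit_safe": login_safe(conn, "admin", "S3cret!"),
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "payload_safe": login_safe(conn, PAYLOAD, "wrong"),
        "query_sent": build_query(PAYLOAD, "wrong"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the interpolated version logs the payload in; the parameterized version behaves the same for real users and rejects the payload, which is the fix the deck's "incorrect filtering" cause points at.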

Page 9: SQL Injections and Behind

How does it work…

Page 10: SQL Injections and Behind

Behavior of the application with safe input

Another one…

Page 11: SQL Injections and Behind

Behavior of the application with Malicious input

[Screenshots: response for the True condition beside the response for the False condition]

Different responses for True and False conditions confirm the injection vulnerability.

Page 12: SQL Injections and Behind

Little further...

Number of columns is not 4... try with a smaller number.

Number of columns: 3

Page 13: SQL Injections and Behind

Google Dorks

▪ inurl:.php?id=

▪ article.php?id=

▪ about.php?cartID=

▪ inurl:login.php

▪ intitle:Admin inurl:login.php site:.pk

And so on….

Page 14: SQL Injections and Behind

Thanks to

My guru

Bharat kumar

Ping me @

fb.com/arjungupta.m

▪ Audi https://github.com/Audi-1/sqli-labs

▪ The makers of DVWA