SQL Injection Attacks Marcelle Lee
History - Web Servers
- Outward-facing
- Accessible to the public
- Designed to accept requests
- Designed to serve up resources on demand
Topology - DMZ
Example - UMBC
Reconnaissance - nslookup
130.85.12.160
Reconnaissance - whois
Reconnaissance - nmap port scan
Apache httpd 2.4.6 ((Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
mod_perl/2.0.9dev Perl/v5.16.3)
OWASP - Top 10
OWASP - Injection Breakdown
SQL Injection
- SQL - Structured Query Language
- Used to access and/or modify a database
- Example is authentication on a web server
- Common commands are SELECT, UPDATE, DELETE, INSERT INTO, and DROP TABLE
SQL Query with Java (JDBC) Code
The snippet is Java servlet code using JDBC (req.getParameter, Statement, ResultSet), not JavaScript. It is vulnerable on purpose: both request parameters are concatenated straight into the SQL text.

    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import javax.servlet.http.HttpServletRequest;

    // Returns the user's id, or -1 when authentication fails.
    int authenticate(HttpServletRequest req, Statement stmt) throws SQLException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // User input spliced into the query string: this is the injection point.
        String query = "SELECT id FROM user_table WHERE " +
                       "username = '" + username + "' AND " +
                       "password = PASSWORD('" + password + "')"; // PASSWORD() is MySQL's hash function
        ResultSet rs = stmt.executeQuery(query);
        int id = -1; // -1 implies that the user is unauthenticated.
        while (rs.next()) {
            id = rs.getInt("id"); // with several matching rows, the last one wins
        }
        return id;
    }
SQL Injection Statement
Submitting the string ' OR 1=1 -- as the username produces:

    SELECT id FROM user_table WHERE username = '' OR 1=1 -- '

The first quote closes the empty username literal, OR 1=1 makes the WHERE clause true for every row, and -- starts a SQL comment, so the AND password = PASSWORD('...') condition that followed is never evaluated. The loop then returns a real user id without any password being checked. (In MySQL the -- comment marker must be followed by a space, which is why the payload ends with one.)
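Added example, not code from the slides: a runnable Python/SQLite reproduction of the Java login above, with the same concatenated query beside a parameterized version. Everything here is constructed for the demonstration: the user rows, the sqlite3 database, and a stand-in PASSWORD() function registered with create_function because SQLite has no MySQL-style PASSWORD(). The hypothetical helpers login_vulnerable and login_parameterized mirror the slide's authenticate logic (last matching id wins, -1 means unauthenticated). Besides the slide's ' OR 1=1 -- payload it also tries a targeted alice' -- payload, which the slides do not show.

```python
import hashlib
import sqlite3

# Constructed sample accounts (not from the slides).
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    """Build an in-memory user_table with a stand-in for MySQL's PASSWORD()."""
    conn = sqlite3.connect(":memory:")
    # Assumption: a deterministic one-way hash is enough to play PASSWORD()'s role here.
    conn.create_function("PASSWORD", 1,
                         lambda s: hashlib.sha1(s.encode()).hexdigest())
    conn.execute("CREATE TABLE user_table "
                 "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    for uid, name, pw in USERS:
        conn.execute("INSERT INTO user_table VALUES (?, ?, PASSWORD(?))",
                     (uid, name, pw))
    return conn


def login_vulnerable(conn, username, password):
    """Same string concatenation as the Java snippet: input becomes SQL text."""
    query = ("SELECT id FROM user_table WHERE "
             "username = '" + username + "' AND "
             "password = PASSWORD('" + password + "')")
    uid = -1  # -1 implies that the user is unauthenticated.
    for (row_id,) in conn.execute(query):
        uid = row_id  # last matching row wins, as in the Java while loop
    return uid


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as data, never as SQL syntax."""
    query = ("SELECT id FROM user_table WHERE "
             "username = ? AND password = PASSWORD(?)")
    uid = -1
    for (row_id,) in conn.execute(query, (username, password)):
        uid = row_id
    return uid


def demo():
    """Run both login functions against valid, invalid and injected input."""
    conn = make_db()
    bypass_all = "' OR 1=1 -- "    # the slides' payload: WHERE is true for every row
    target_alice = "alice' -- "    # added variant: comments out only the password check
    return {
        "good_creds_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "bad_creds_vuln": login_vulnerable(conn, "alice", "wrong"),
        "bypass_vuln": login_vulnerable(conn, bypass_all, "anything"),
        "targeted_vuln": login_vulnerable(conn, target_alice, "anything"),
        "bypass_param": login_parameterized(conn, bypass_all, "anything"),
        "targeted_param": login_parameterized(conn, target_alice, "anything"),
        "good_creds_param": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, uid in demo().items():
        print(f"{name:18s} -> id {uid}")
```

Against the concatenated query, ' OR 1=1 -- logs in as whichever row the scan returns last and alice' -- logs in as alice, both with no valid password. The parameterized query returns -1 for both payloads because the quote and the comment marker are just characters inside a bound string. Note that SQLite accepts -- without a trailing space; MySQL requires the space, so the payload keeps it.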
Testing - http://SQLZOO.net/hack
Web Application Scanners
ZAP Scanner
ZAP Scanner - Results
Qualys Scanner
Qualys Scanner - Results
Hackmageddon Statistics - August 2015