presentations/introduction-to-sql-injection/sql_injection.md

58 lines
968 B
Markdown
Raw Normal View History

2024-04-11 15:41:37 +02:00
% Introduction to SQL Injection
% Stefan Friese
% 11 April, 2024
---
# Topics
* How an SQL Injection is Created
* How to Exploit an SQL Injection
* SPOILER: How to Prevent an SQL Injection in the Next Presentation
---
## How Does it Happen
An SQL injection occurs when two things come together.
---
### Number 1
An SQL Query as a string embedded in other languages
```python
sql_query =
cursor.execute(
"SELECT * FROM user_data where username = 'admin' and password = 's3cur3P4ssw0rd'"
)
```
---
### Number 2
User input is possible as a part of said SQL query
```python
sql_query =
cursor.execute(
"SELECT * FROM user_data where username = '%s' and password = '%s'",
% (username, password)
)
```
---
## How to Exploit an SQL Injection
* Close the string through an ending quote
* Continue the query with your own SQL code
2024-04-11 15:41:37 +02:00
---
# The End
<img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%" height="auto%">