10. SQLi
//connect to database$conn = mysql_connect(“localhost”,
“username”, “password”);
//build sql statement$query = “SELECT userid FROM AppUsers
WHERE user= ‘$_POST[“username”]’ “ .“AND password =
‘$_POST[“password”]’ “ ;
//run query$result = mysql_query($query);
//ensure a user was returned$numrows = mysql_num_rows($result);
if ($numrows != 0){header(“Location: admin.php”);}else{die(‘Incorrect
username or password.’)}
11. SQLi
Impact
•Authentication Bypass: This attack allows an attacker to log on to an application without
supplying a valid username and password.
•Information Disclosure: This attack allows an attacker to obtain sensitive information that
is contained in a database.
•Alter Data: This attack involves the alteration of the contents of a database. This can be
used to deface a web page. It can also be used to insert malicious content, like JavaScript
malware.
•Delete Data: This attack allows an attacker to delete information with the intent to cause
harm or delete log or audit information that is contained in a database.
•Remote Command Execution: Performing command execution through a database can
allow an attacker to compromise the host operating system. These attacks often leverage an
existing, predefined stored procedure for host operating system command execution.
14. SQLi
Detecting SQLi
Testing by Inference Special Characters
•If I see this, then this is probably -- Comment everything after
happening at the back end. /* Begin comment
*/ End Comment
‘ Mark beginning/end of string
Try to break the application. ; End of SQL statement
“ Delimit identifiers
•Find the Inputs likely to be generating
dynamic SQL.
•Use Input that will create invalid SQL. Type Issues
•See if you get errors!
use strings instead of numbers
add unexpected spaces
