SQL injection presentation
1. SQL Injection
> SQL injection lets an attacker supply input that the application concatenates into a
query, so attacker-chosen SQL is executed in the database.
> The injected SQL runs with the privileges of the application's database account.
> Most of the time it is used to read or alter data the application never intended to expose.
2. SQL attack steps
> Search for a vulnerable point (a parameter whose query changes behaviour when a
quote or comment sequence is added).
> Fingerprint the backend database (vendor, version, error messages).
> Retrieve data of interest: table names, usernames/passwords,
etc.
> With that information in hand:
● OS takeover
● Data change
● Webserver takeover
3. Problems
> The attacker can delete, modify or steal your data.
> Compromises the safety, security and trust of user data.
> Compromises the ability to stay in business.
4. Hacking on a login page
Username:
Password:
1. Enter the text ' or ''=' in both the username and password fields. The WHERE
clause of the login query now always matches, so the application logs you in and
shows a username even though you supplied no valid password.
2. Enter the username admin and the password ' or '1'='1.
There are many such strings to try in a login form:
' or 'x'='x
') or ('x'='x
and 1=1
' or 0=0--
" or 0=0--
== and 1=1--
etc.
5. Statement Injection
The attacker enters abcd as the username and ';drop table xyz-- as the
password in the login form.
The query then becomes:
Select * from user_details where userid='abcd' and
password='';drop table xyz--'
The -- comments out the trailing quote, and the second statement deletes the table.
This only works when the database driver lets one request contain several
statements (stacked queries); many drivers execute a single statement at a time
and reject it, although the login bypass on the previous slide still works.
Some intentionally vulnerable sites for practice:
http://demo.testfire.net
http://testphp.vulnweb.com
http://testasp.vulnweb.com
7. URL Rules
Request patterns a filter can reject before the request reaches the application:
●No parentheses or angle brackets in the URL.
●The URL should not end with two or more dashes (--).
●The URL should not end with "/*".
●No schema, table or column names should be
part of your URL.
These are blocklist rules: decode percent-encoding before matching, and treat them
as a backstop rather than as the fix.
8. Escape and validate inputs
Escape all inputs:
Whether supplied via POST data or via the URL.
Anything that goes to the DB is escaped, or, better, passed as a bound parameter
of a prepared statement so it is never parsed as SQL.
Validate all inputs:
Validate free-form text fields against an allowlist of characters (numbers,
letters, whitespace, ._-) and a maximum length; reject anything else rather than
stripping it.
9. Quick fixes
When you have a large setup or a lot of code, put SQL injection detection
patterns in the load balancer (or a WAF in front of it).
That gives a quick, central check while the code itself is being fixed.
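The URL rules of slide 7, the allowlist validation of slide 8 and the log-side detection pass of slide 9, as an added example that is not from the original presentation. The regular expressions, the rule names, the table and column names in the last rule, and the Apache-style log lines are all constructed assumptions of this example.

```python
import re
from urllib.parse import unquote

# Slide 8: allowlist for free-form text fields (letters, digits, whitespace, . _ -).
FREE_TEXT = re.compile(r"[A-Za-z0-9 ._-]*")


def validate_free_text(value, max_len=64):
    """True only if every character is on the allowlist and the length is sane."""
    return len(value) <= max_len and FREE_TEXT.fullmatch(value) is not None


# Slide 7: URL rules expressed as blocklist patterns. The names in the last rule
# (information_schema, user_details, password) are assumptions for this example.
URL_RULES = [
    ("parentheses or angle brackets", re.compile(r"[()<>]")),
    ("ends with --", re.compile(r"--\s*$")),
    ("ends with /*", re.compile(r"/\*\s*$")),
    ("schema/table/column name",
     re.compile(r"\b(information_schema|user_details|password)\b", re.I)),
]


def check_url(url):
    """Names of the rules a request URL violates. Percent-encoding is decoded
    first; otherwise %28 slips past the bracket rule."""
    decoded = unquote(url)
    return [name for name, rx in URL_RULES if rx.search(decoded)]


# Constructed sample access log in Apache common-log layout; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1043',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /product.php?id=1%20or%200=0-- HTTP/1.1" 200 2211',
    '10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /search.php?q=%28select%20user%29 HTTP/1.1" 500 0',
    '10.0.0.5 - - [12/Mar/2024:10:01:21 +0000] "GET /item.php?id=2/* HTTP/1.1" 200 98',
    '10.0.0.5 - - [12/Mar/2024:10:01:30 +0000] "GET /export.php?cols=user_details.password HTTP/1.1" 403 0',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines):
    """(url, violated rules) for every log line that trips at least one rule."""
    flagged = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        hits = check_url(m.group(1))
        if hits:
            flagged.append((m.group(1), hits))
    return flagged


if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(hits))
    print("evasion:", check_url("/product.php?id=1%20or%201=1%23"))
```

The last line of the usage shows the limit of this approach: a request ending in the MySQL comment character (sent as %23) trips none of the four rules, so the blocklist is a quick central check, as slide 9 says, and not a substitute for bound parameters and allowlist validation in the code.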