Error-based SQL Injection

Presentation transcript:

1 Error-based SQL Injection

2 Error-based SQL Injection
Typical modern Web application: Client -> Web Server -> Database Server. The Web Server may host eBusiness applications; the Database Server hosts databases including customer accounts, payment info, etc.

3 Error-based SQL Injection
Typical user login (authentication), Client -> Web Server -> Database Server:
1. The Client submits a login request (username and password).
2. The Web application "sanitizes" the login request and creates an SQL query that is passed to the Database Server.
3. The Database Server replies.
4. The Web app authenticates the user or sends an error message.

4 SQL Injection
An SQL query asking if there is a matching pair of username and password looks like:
SELECT id FROM users WHERE username = 'aillia' AND password =
This SQL query should return a result like this:
Row | id
1 | 154
SQL has a syntax. Using special characters, including single quotes, to pass values like 'aillia' is part of that syntax. SQL Injection is a result of breaking SQL syntax (e.g. misusing the special characters) and bad programming.

5 SQL Injection
Breaking SQL syntax generates runtime errors. Runtime errors play a key role in SQL Injection.
Example of an SQL query with broken syntax:
SELECT id FROM users WHERE username = 'aillia ' ' AND password =
Example of a runtime error:
msg ORA-00103, Level 15, Row 1, Line 1: Incorrect syntax near =
msg ORA-00105, Level 15, Row 1, Line 1: Unclosed quotations after string ' ' .

6 SQL Injection
In order for SQL Injections to succeed:
Attackers must break SQL syntax by "smuggling" special characters into the SQL queries they type in online forms. The poisonous SQL must modify the Web application's behavior to make it do what the attacker wants.
Example input: aillia '
Error message shown in the attacker's browser, with part of the SQL query revealed:
Oracle Enterprise 9g error '80040e14'
Unclosed quotation mark after the character string like 'aillia' AND cust_password = ' ' .
/portal/default.asp, line 20

7 SQL Injection
Once the attacker gets a runtime error message revealing part of the SQL query, it is an indication that there is a "hole" in the Web application. The attacker can then try to bypass the authentication by entering something like this at login:
aillia ' OR 1=
As a result, the user may be authenticated as the first user from the top of the list (first row):
Row | id
1 | 154

8 SQL Injection: What happens behind the scene
The attacker's login (aillia ' OR 1=1 -- ) becomes:
SELECT id FROM users WHERE username = 'aillia ' OR 1=1 -- AND password = 'xxxxx'
which is a "true" statement because 1 = 1 is true and -- is the symbol used for comments in SQL syntax, so the rest of the WHERE clause (the password check) is ignored.
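As an added example (not from the slides), the concatenated login query the slides describe, beside a parameterized version of the same check, run against a constructed in-memory SQLite table. The table contents, the password values and the function names are assumptions for the demonstration; the point is that the concatenated query both accepts the aillia ' OR 1=1 -- login and leaks its own text in the error it returns, while the parameterized query treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the slides): user 154 is the
    first row, matching the 'Row 1, id 154' result shown in the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(154, "aillia", "s3cret"), (155, "bob", "hunter2")],
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, as the slides' web app does.
    Returns the matching id, None for no match, or an error string that
    echoes the query text back to the caller (the slides' error-based leak)."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning the failed SQL to the user is the 'hole' the slides describe.
        return f"error: {exc} in query: {sql}"
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized query: the values are bound as data, never parsed as
    SQL, so quotes and '--' in the input cannot change the WHERE clause.
    Database errors are reported generically instead of echoing the query."""
    try:
        row = db.execute(
            "SELECT id FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        return "error: login temporarily unavailable"
    return row[0] if row else None
```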

9 SQL Injection: determining the DBMS version
To get the DBMS version, the attacker may enter the following at login:
aillia ' OR 1=(SELECT -- --
The result may be an error message like the following, which can reveal the DBMS version:
Error when converting the nvarchar value Oracle Enterprise 10g Release 2: on Windows 2003 Server R2 to data type int.
/portal/default.asp, line 20

10 SQL Injection: Extracting data from a database
To extract multiple rows from the database, the attacker may enter the following at login:
aillia ' OR 1=(SELECT top 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT top 0 name FROM master..sysdatabases)) -- --
The result may be an error message revealing more data. But to automate extraction of more data, tools like Burp Suite or SQL Map
