SQL Injection Attacks Marcelle Lee

History - Web ServersOutward-facingAccessible to the publicDesigned to accept

requestsDesigned to serve up

resources on demand

Topology - DMZ

Example - UMBC

Reconnaissance - nslookup

130.85.12.160

Reconnaisance - whois

Reconnaissance - nmap port scan

Apache httpd 2.4.6 ((Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16

mod_perl/2.0.9dev Perl/v5.16.3)

OWASP - Top 10

OWASP - Injection Breakdown

SQL InjectionSQL - Structured Query LanguageUsed to access and/or modify a databaseExample is authentication on a web serverCommon commands are SELECT, UPDATE, DELETE,

INSERT INTO, and DROP TABLE

SQL Query with JavaScript CodeString username = req.getParameter("username");

String password = req.getParameter("password");

String query = "SELECT id FROM user_table WHERE " +

"username = '" + username + "' AND " +

"password = PASSWORD('" + password + "')";

ResultSet rs = stmt.executeQuery(query);

int id = -1; // -1 implies that the user is unauthenticated.

while (rs.next()) {

id = rs.getInt("id");

}

SQL Injection StatementSELECT id FROM user_table WHERE username = '' OR 1=1 -- '

Testing - http://SQLZOO.net/hack

Web Application Scanners

ZAP Scanner

ZAP Scanner - Results

Qualys Scanner

Qualys Scanner - Results

Hackmaggedon Statistics - August 2015