Welcome everyone to the afternoon session, which will start with a demo and will be followed by a lab. So we have for this demo SQL injection. What Nikhil is going to show you is one vulnerable application. He has already installed it and he's going to attack it. So he's going to describe this application and describe to some extent what is expected of you in the lab. Also, don't forget that this lab involves Wireshark, where you will look at the transfer of information between a client and a server which has been encrypted using SSL, the handshake as well as the record layer protocol. So with that, I let Nikhil start his demo on SQL injection.

Good afternoon everyone. Today I will give a quick overview of SQL injection and then I will show you the demo of SQL injection. So what is an SQL injection? SQL injection is a type of software vulnerability often found in web applications. It occurs when a web application uses the user input to retrieve some data or information from the database without sanitizing the user input properly. It means that the user input is placed as it is in the SQL query before that query is submitted to the database. So therefore the user may enter some malicious SQL statements that will be placed in the SQL query, and then the SQL query will be executed on the server side. A successful SQL injection exploit can read sensitive data from the database such as user name or password, modify the database such as creating or deleting an entry from the database, or drop the database table entirely, and many more.

So I will now show you the demo of SQL injection. For this I am going to use one application known as DVWA, Damn Vulnerable Web Application. So this is a web application, Damn Vulnerable Web Application.
This web application is deliberately made vulnerable to different types of attacks such as XSS attacks, SQL injection attacks, CSRF attacks, etc., so that beginners can learn and understand these attacks. So we'll now log in to this DVWA application; the user name is admin and the password is password by default. So on the home page you can see that there are different types of attacks on the left side of the window. Here you can see there is CSRF attack, there is SQL injection attack, there is XSS reflected, XSS stored attacks. This web application provides three different security levels: low, medium and high. In the security level low it is very easy to hack into it; in the security level medium it is somewhat difficult; and when the security level is set to high it is very difficult to break. So initially we are going to set the security level to low. Just select the security level low and submit. So here you can see the security level is set to low. Is everyone able to see that?

Now we will go to the SQL injection part over here. Now here you can see that this application, suppose this application is asking for the secret ID of the user. It means that when the user enters a secret ID, some information will be displayed related to that user. Here this secret ID is very confidential to the user. It means that one user doesn't know the secret ID of another user; it is very confidential. Only one user knows the secret ID of his own. There is a database stored on the server side. Yeah, oh, sorry. Yeah, and there you can edit the schema, like you can edit the number of columns, the names of the columns and the entries in it. Now suppose my secret ID is 4234, and Enter. So here you can see that it is displaying the secret ID, first name Nikhil, last name, and credit card number.
This is my credit card number. Okay, so what's happening is there is a database already stored on the server. This application takes the secret ID from the user, searches for that ID in the database and displays all the records corresponding to that ID. So we will have a look at the source code of the server. So here you can see, you can see the source code by clicking on this View Source button. So this is the source code of the server. Here the user input is assigned to this variable id, and then this variable id is placed directly into the SQL query. This is the SQL query: select first name, last name, credit card number from table users where the condition user_id is equal to this id, and this id is placed between single quotes. I'll write this query on the paper: select first name, last name, credit card number from the table named users where user_id is equal to this id, in between two single quotes. So when I enter my input as 4234, this is placed over here, that is, the user ID is now 4234, and this is searched against the records in the database, and when it finds the match it shows all the entries corresponding to this ID.

Now this is what I have shown you, how this application works: it asks for a secret ID and displays the information. Now suppose I am an attacker and I want to look at the credit card number of another user. So how can I start? I can enter some random secret ID. Suppose I enter 1234. Nothing is shown over here. Suppose I enter 2389. Again, there is nothing shown over here.
So because it is not showing any information, because there is no record stored in the database corresponding to this ID, we cannot continue with this method, because it may not give us the result that we want. So for this purpose, I am going to do SQL injection over here. Now whenever you have to check whether an application is vulnerable to SQL injection or not, you should start by entering a single quote in the input field. So suppose I enter over here 1 and then a quote. So let's see what happens now. Now it is saying something: you have an error in your SQL syntax. So it is saying that there is a SQL syntax error at this line number, at line 1, in MySQL server. Why is this giving an error? Because on the server side the database has received an input and it has thrown an error, and that error is shown to the user. So why has this thrown an error? So now the input was 1 quote. Therefore the user ID was quote 1 quote and then quote, and obviously this is a wrong syntax, and therefore it has given a syntax error.

So now if a web application shows such kind of error to the user, then it may be possible that it is vulnerable to SQL injection attack. Also this error shows some information about the server, like what database is being used on the server side; here MySQL server is used. Now once we have this information about the database that is used on the server and how the query is processed, what will happen if the input is 1' OR '1'='1, that is, one, quote, or, quote, one, quote, equal to, quote, one? So what will happen when this is given as an input? Then the user ID will look like this: here there are two quotes already; here this is the input, 1 quote or quote 1 quote equal to quote 1. So, what do you think, what should be the output? Is there any syntax error or something else? So, what do you think, what will happen?
Yeah, right, because now the user ID has this OR conjunction, where the first part may or may not be true, but the second part is always going to be true. So, let's try and put this attack vector in the web application. So, this is 1 quote or quote 1 quote equal to quote 1, and let's see what it's trying. As you can see it is showing all the records that are stored in the database: the secret ID, the first name, last name [name unclear], his credit card number; again another user, Naman Jain, his credit card number. So why has this happened? Because the SQL query was select first name, last name, credit card number from users where user ID was this. Here, as I said, the second part is always true. Therefore when this user ID is matched against the records in the database, it is going to be true for all the records, and therefore it displays all the records that are stored in the database.

Similarly, we can have another attack vector that will again display all the records that are stored in the database, like 1' OR 1=1; # (one, quote, or, one equal to one, semicolon, and then hash). So the SQL query is select first name, last name, credit card number from users where user_id is... so now the input is one quote or one equal to one semicolon hash. Therefore the user ID will become quote 1 quote or 1 equal to 1 semicolon hash and then quote. So is there any syntax error again over here? The user ID is quote one quote or one equal to one semicolon then hash and then a single quote. Is there any error, or will this attack vector work?

There are three quotes there because of this one.

Yeah, that's fine.
Here the semicolon over here will end the SQL query, and the hash part will comment out whatever is going to be after it. So the final query will be something like select first name, last name, credit card number from users where user_id equal to quote 1 quote or 1 equal to 1 semicolon. And again, this is going to be true for all the records in there, and therefore it will show all those. So, let's see. And again, it shows all the records that are stored in the database, as you can see. It shows all the records that are stored in it. We'll try it, one second: 1 quote or 1 equal to 1 semicolon and then hash, and then submit. So again, it shows all the records that are stored.

So this was all for the security level low. Now we'll change the security level to medium and try again to get all the records, or do some similar kind of attack. Security level medium, back to the SQL injection. Now before proceeding, does anyone have any doubts?

Should I explain this code? This is PHP code. I have not created this. This is the source code stored on the server; this is the source code of the web application. I'm just a user of this web application.

Is there any way that, if I have built one SQL scanner, is there any way that I can check whether that scanner is working properly, whether it is defending against all kinds of SQL attacks or not? Is there any way or application available?

Are you asking about tools? Yes. Yeah, there are tools actually. We are going to talk about it tomorrow, so you can find what the vulnerabilities are that are there.

Now we'll move the security level to medium. Submit. Again SQL injection. Now we will try the same attack that we used in the previous case and let's see whether it works or not. So the attack vector was 1 quote or quote 1 quote equal to quote 1. Okay.
Let's see what it gives now. Now it is showing an error. Again, it is saying there is a SQL syntax error in MySQL server for this one. So this was our input actually: quote or one quote one. So I'll write it down on the paper: the input was 1 quote or quote 1 quote equal to quote 1, and it is showing this error, an error at this point. So what is that error?

Yeah, they're actually escaping those special characters.

So this is the error: if you see that, the server has appended a backslash before every quote that was entered in the input. So that means that the server is using some kind of protection mechanism to prevent this SQL injection. So it means that now we can't enter these special characters, 1 quote or...; we can't enter this kind of attack. Can you think of an attack vector that will bypass this security mechanism? We have given you a small exercise on this SQL injection, on how to find out the column names, the number of columns, even bypassing this security mechanism, and think of the attack data and do it in the lab session.

So what is the input? Okay, 1, slash, then quote. Submitted again. Okay, fine.
Okay, so you meant to say that one, before the quote there is a slash, or slash slash quote one, again slash equal equal to, yeah, I submit it. So again it is throwing another error at the same point. Can you tell me the attack vector input?

Enclose the single quote in double quotes, in a pair of double quotes.

Okay, put a single quote in a pair of double quotes. You can try as many attack vectors as you want in the lab session, and if you need any... Again, there is an error, because it tries to escape the double quotes also. So you can try such attack vectors in the lab session, and if you need any help then any of the TAs will help you. The code is different because there is some defense mechanism that has been... So the change in the code is this one: mysql_real_escape_string. This function is applied to the user input. So what it does is it appends a backslash before every special character that is occurring in the...

Now that we have finished the presentations, I think we can head to the labs and try all these attack vectors and the rest of the assignments.
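As an added example, not part of the lecture and not DVWA's own code, the following Python program reproduces the "low" security level pattern the demo walks through (the user's input pasted between single quotes in the query string) next to a parameterized query, and runs the demo's single-quote probe and its 1' OR '1'='1 vector against both. It uses an in-memory SQLite table with constructed rows; the table, column and function names are assumptions. The MySQL-only parts of the demo (the "; #" comment vector and the backslash escaping of mysql_real_escape_string) are not reproduced, because SQLite's comment and quoting rules differ; binding the value as a query parameter is the fix that does not depend on any escaping rules at all.

```python
import sqlite3

# Constructed sample data; these are not the contents of DVWA's real users table.
SAMPLE_ROWS = [
    (4234, "Nikhil", "Example", "4111-1111-1111-1111"),
    (5678, "Naman", "Example", "4222-2222-2222-2222"),
    (9012, "Asha", "Example", "4333-3333-3333-3333"),
]


def make_db():
    """Build an in-memory SQLite database with a users table like the demo's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, credit_card TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    """The 'low' pattern from the demo: the raw input is pasted between the
    single quotes of the query string, so quotes in the input change the SQL."""
    query = (
        "SELECT first_name, last_name, credit_card FROM users "
        "WHERE user_id = '" + user_input + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_input):
    """The fix: the input is bound as a value, so the database never parses it
    as SQL; '1' OR '1'='1 is just a string that matches no user_id."""
    query = "SELECT first_name, last_name, credit_card FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    """Belt and braces: a secret ID is an integer, so reject anything else
    before it reaches the database (returns None for rejected input)."""
    try:
        user_id = int(user_input)
    except ValueError:
        return None
    return lookup_parameterized(conn, user_id)


def raises_db_error(lookup, conn, user_input):
    """True if the lookup makes the database throw a syntax error. This is the
    tell-tale the demo describes: a lone quote produces an error only when the
    input is being spliced into the SQL text."""
    try:
        lookup(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True


def main():
    conn = make_db()
    probe = "1'"
    vector = "1' OR '1'='1"
    print("probe causes DB error (vulnerable):", raises_db_error(lookup_vulnerable, conn, probe))
    print("probe causes DB error (parameterized):", raises_db_error(lookup_parameterized, conn, probe))
    print("rows for vector (vulnerable):", len(lookup_vulnerable(conn, vector)))
    print("rows for vector (parameterized):", len(lookup_parameterized(conn, vector)))
    print("validated lookup of vector:", lookup_validated(conn, vector))
    print("validated lookup of 4234:", lookup_validated(conn, "4234"))


if __name__ == "__main__":
    main()
```

Run it and the vulnerable builder errors on the single-quote probe and returns every row for the OR vector, while the parameterized version returns no rows for either and only the one matching row for a real ID. The error-leak check is worth keeping in mind on the defensive side too: the demo's first clue that the application was injectable was the database error text reaching the browser, so a production application should log that error server-side and show the user a generic message.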