
Thread: sql injection

  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    30

    sql injection

    Just wondering if anyone can help me out with SQL injection. I have gathered many tutorials and find many of them confusing, and they don't clarify which type of SQL database they are for. Speaking of which, is there really any difference in the syntax and commands between Oracle, MSSQL, etc.? Anyway, if anyone could provide some good tutorials, or even the names of books I should buy which go into the actual reasoning behind the injection (not just a list of old exploits), this would be really helpful.
    PS - don't just say Google, because that's what I've been doing for the past month!

  2. #2
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    Posts
    258

    Wink

    SQL injection is a form of attack that makes use of poor input validation on a system to execute malicious SQL statements on a database. The databases that you mentioned basically use SQL. But there are extensions specific to these databases that add programming functionality, like T-SQL for MSSQL and PL/SQL for Oracle.

    There will obviously be some variations in the attack depending on the database. For example, MySQL's mysql_query() function does not
    permit query stacking, unlike SQLite and PostgreSQL. So, in MySQL you can't have an attack that makes use of a ";" to execute multiple queries.

    A good tutorial on SQL Injection
    http://www.acunetix.com/websitesecur...-injection.htm

    SQL Injection tutorial on mssql
    http://www.ngssoftware.com/papers/ad..._injection.pdf

    SQL Injection tutorial on mysql
    http://dev.mysql.com/tech-resources/...curity-ch3.pdf

    SQL Injection tutorial on oracle
    http://www.integrigy.com/security-re...on_Attacks.pdf

    Illustrated SQL Injection
    http://www.cert.org.in/knowledgebase...wp-2005-06.pdf

    And the google queries I used to get them ;-)
    "sql injection ", "sql injection filetype: pdf"

    Read them all and try your sql injection skills here
    http://hackme.ntobjectives.com/

    have Fun :-D
    Last edited by PacketThirst; March 13th, 2008 at 02:24 AM.

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    There are many different versions of SQL; however, there is a standard base that most SQL implementations support. The standard is ANSI-SQL because it is governed by ANSI Standards.

    (Side note SQL does NOT stand for anything) SQL began in an IBM laboratory in San Jose, CA. many years ago. From that Transact Sequel kind of evolved. Well Right around the time Microsoft got its hands on transact – IBM sued for the copyrights of the name Sequel and Structured Query Language. So technically, SQL doesn’t stand for anything ‘cause IBM’s lawyers say so…

    Back to the answer…

    Microsoft SQL Server uses a version of SQL known as Transact-SQL that is an extension of the ANSI-SQL standard. This means that M$SQL supports not only ANSI-SQL but also system commands that are unique to Microsoft SQL.

    There are three basic kinds of Transact-SQL

    • Data Definition Language (DDL) Statements: These allow you to create objects in the database:
    CREATE; DROP; ALTER

    • Data Control Language (DCL) Statements: These allow you to determine who can see or modify data in the database:
    GRANT; RESERVE; DENY

    • Data Manipulation Language (DML) Statements: These allow you to query and modify data in the database. And are the most important when looking for SQL injection vulnerabilities.
    SELECT; INSERT; UPDATE; DELETE

    This being said, one can inject any statement into a VALID SQL statement

    SELECT * FROM users WHERE name = 'a' OR 't'='t';

    If this code were to be used in an authentication procedure, then this example could be used to force the selection of a valid username, because the evaluation of 't'='t' is always true.
    In the above example, ' OR 't'='t is the injected string. Since the SELECT statement is valid and the evaluation of t is valid, all RDBMSs running any version of Transact-SQL will accept the above statement.

    Yea I know that example is intro to DB 101 but it lends to the question of what’s the difference.

    Really NONE.

    If you want to manipulate a known vulnerability at the database level, then you have to know the exact syntax. Simply because if it’s at the DB level, it’s DB specific command. However, if it’s web vulnerability, standard SELECT; UPDATE commands will work just fine.

    To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped, or parameterized statements must be used.

    Hope this helps
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0
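    The 'a' OR 't'='t' example above, and the parameterized-statement defense mentioned at the end of the post, side by side. This is an added example, not code from the thread; it uses Python's built-in sqlite3 module with a small constructed users table, so it runs offline.

    ```python
    import sqlite3

    # Constructed sample data (not from the thread): a tiny users table.
    USERS = [("alice", "s3cret"), ("bob", "hunter2")]


    def make_db():
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
        return conn


    def lookup_vulnerable(conn, name):
        # String concatenation: the input becomes part of the SQL text,
        # so a quote inside it changes the structure of the statement.
        sql = "SELECT name FROM users WHERE name = '" + name + "'"
        return [row[0] for row in conn.execute(sql)]


    def lookup_parameterized(conn, name):
        # Placeholder binding: the input is passed as a value, never as
        # SQL text, so a quote or OR inside it is just data being compared.
        sql = "SELECT name FROM users WHERE name = ?"
        return [row[0] for row in conn.execute(sql, (name,))]


    def demo():
        conn = make_db()
        benign = "alice"
        # The thread's injected string: the closing quote in the query
        # template consumes the trailing quote of 't'='t.
        injected = "a' OR 't'='t"
        return {
            "vulnerable_benign": lookup_vulnerable(conn, benign),
            "vulnerable_injected": lookup_vulnerable(conn, injected),
            "param_benign": lookup_parameterized(conn, benign),
            "param_injected": lookup_parameterized(conn, injected),
        }


    if __name__ == "__main__":
        for key, rows in demo().items():
            print(key, rows)
    ```

    The concatenated query returns every user for the injected input, while the parameterized one returns nothing, because no user is literally named "a' OR 't'='t".
    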

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nice info Dino but...
    (Side note SQL does NOT stand for anything)
    Last I checked it stood for Smart Query List.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    and I always thought SQL stood for Structured Query Language :?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Quote Originally Posted by morganlefay
    and I always thought SQL stood for Structured Query Language :?

    MLF
    Well it did right up to the IBM lawsuit but soon after the Smart Query List term came to life.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Smart Query List.

    I did not know that. I always thought that after the lawsuit, the developer community just went WTF? and left it at that.

    Kind of like that astronomical [sp] software written years ago. Its code name was Sagan [something] after Carl Sagan. When old Carl found out he sued the developers stating that they didn't have the rights to name software after him and that he did not support the development of their software.

    So the dev guys just changed the code name to BHA.. Butt Head Astronomer.

    /ot

    Thanks Horse.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The Smart Query List wasn't a formal name as it would violate that idiotic lawsuit. It's just a label I've seen put on it by those who used it early on after the judgement.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I thought it was Simple Query Language... I usually would just say "Stupid Query Language" because I hate Databases

    I have UNIX here, Perl + text = half assed database (Yes, I do in fact understand that there is much more to it than that, however, how many people use a Database server at home? or need one?) .

    Anyway, I took a class for this crap and STILL haven't found any major uses for it in a home setting.

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    how many people use a Database server at home? or need one?) .
    I do. It's how I keep track of my frag count on various game servers. lol.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
