Week 7 - SQL Injection Flashcards
What is SQL Injection?
Use of malicious user input to construct the SQL queries an application executes, allowing attackers to gain access to or modify data.
Where are SQL injection attacks used?
Typically against SQL databases, or any application that uses a SQL backend.
When would you use an SQL Injection Attack?
When user input is not validated and is inserted directly into SQL queries.
Knowledge of the application and of the database structure also helps with SQL injection attacks.
How would you use an SQL injection attack on username?
e.g.
username = '$username' AND password = '$password'
username = 'Fred' OR '1'='1'
This will always evaluate to true because OR '1'='1' is always true; Fred can be any value.
The attacker could then try common passwords (password spraying) to gain access.
What is Password Spraying?
A method where an attacker uses a list of common passwords to gain access to an account
How would you use an SQL injection attack on password?
e.g.
username = '$username' AND password = '$password'
password = 'value' OR '1'='1'
Used to access a specific account when we already know the user's username.
This will always evaluate to true because OR '1'='1' is always true.
$result = mysql_query("SELECT * FROM accounts WHERE username = '$username' AND password = '$password'");
if (mysql_num_rows($result) > 0) { echo "Success"; }
How can we exploit this?
Enter the following as the username (the password can be anything):
' OR 1 = 1 -- 
The two dashes comment out the rest of the query (in MySQL the -- must be followed by a space), so it will look like this:
SELECT * FROM accounts WHERE username = '' OR 1 = 1 -- ' AND password = '...';
This bypasses the password check, without the need to know a valid username and password.
What is a UNION SQL injection?
Allows the attacker to append a second SELECT to the original query, so that the results include other information from the database.
How do you use UNION?
e.g.
date = '$date'
date = '31/8/2015' UNION SELECT '1/1/31', username, password FROM users;'
This returns a single result set containing rows from both queries.
The UNION SELECT must also have the same number of columns as the original query, with compatible data types in each column.
What is a prepared Statement?
A method where the SQL query is defined first and the values/parameters are passed in later, preventing user input from being executed as part of the query text.
How would you use a prepared statement?
String uname = "Fred Bloggs";
String query = "SELECT fname, sname, address "
             + "FROM users WHERE user_name = ?";
// the question mark is a placeholder for the parameter that will be bound later
PreparedStatement ps = connection.prepareStatement(query);
// create the PreparedStatement object; the database compiles the query with the placeholder in place
ps.setString(1, uname);
// bind the username to the first placeholder; it is sent as data and never parsed as SQL
ResultSet results = ps.executeQuery();
// then execute the query
What is a Stored Procedure?
Predefined SQL queries stored in the database, which are called from the application.
How do you implement a stored procedure?
String custname = "egan";
CallableStatement cs = connection.prepareCall("{call getAccountBalance(?)}");
// this calls the predefined stored procedure in the database
cs.setString(1, custname);
// bind the customer name to the first placeholder
ResultSet results = cs.executeQuery();
// then execute the call
Difference between prepared statements and stored Procedures?
- Prepared statements are defined in the application code
- Stored procedures are precompiled in the database and executed by the application
Why are prepared statements and stored procedures used to prevent SQL injection?
Both separate user input from the SQL query.
User input is treated only as data, so it cannot be interpreted as SQL code (this holds as long as the stored procedure does not itself build dynamic SQL from its parameters).