COMP6443 25T1 - Week 4
SQL and Injection
TrashPanda, 11th March 2025
What’s happening in Cyber Security?
Any Questions?
https://questions.quoccacorp.com
Some notes from Tutors
• We're considering enumeration and brute force to be different things
• You're allowed to brute force offline
Last Week in Review
Content
• We started with databases!
• We can interface with a SQLite3 database via Python and Flask
Stepping Back
What does a database look like?
• Bunch of tables with columns
• These columns can point to each other between tables, hence the relations
• There are many types of relations
  • One to one
  • One to many
  • Many to one
  • Many to Many
Stepping Back
What does a database look like?
• Each entry usually has a unique identifier, known as a primary key (or sometimes a primary key set)
• Foreign keys are what enable pointing across tables
• You can have other restrictions on data like "NOT NULL" where an entry MUST exist
What’s that in code?
SQL
CREATE TABLE person (
name TEXT,
phone_number INTEGER,
email_address TEXT
);
CREATE TABLE address ( …
What about a real
database?
They can get pretty complicated…
SQL Commands
• SELECT – Selecting from a table
• INSERT – Putting into a table
• UPDATE – Updating an entry
• DELETE – Deleting an entry
• JOIN – Combining two tables into one big table – more columns
• UNION – Combining two select queries into one long table – more rows
• WHERE – Add a constraint to a query where the clause is true
• LIMIT – Limit to only N results
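The schema ideas above (primary keys, foreign keys, NOT NULL, a one-to-many relation) and the command list can be tried in a few lines with Python's built-in sqlite3 module, which is the stack the deck says we used last week. This is an added example, not the lecture's own code; the person/address tables and the rows in them are constructed for the demo.

```python
import sqlite3

# Constructed schema: one person can have many addresses (one-to-many),
# linked through a foreign key on address.person_id.
SCHEMA = """
CREATE TABLE person (
    id            INTEGER PRIMARY KEY,   -- unique identifier for each row
    name          TEXT    NOT NULL,      -- an entry MUST exist
    phone_number  INTEGER,
    email_address TEXT
);
CREATE TABLE address (
    id        INTEGER PRIMARY KEY,
    person_id INTEGER NOT NULL REFERENCES person(id),  -- foreign key across tables
    street    TEXT    NOT NULL
);
"""

def build_db():
    """Create an in-memory SQLite database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", [
        (1, "Alice", 5551234, "alice@example.com"),
        (2, "Bob",   5559876, None),
        (3, "Carol", None,    "carol@example.com"),
    ])
    conn.executemany("INSERT INTO address (person_id, street) VALUES (?, ?)", [
        (1, "1 High St"),
        (1, "2 Beach Rd"),   # Alice has two addresses: one-to-many
        (2, "3 Hill Ave"),
    ])
    conn.commit()
    return conn

def constraint_violations(conn):
    """Try one bad INSERT per constraint and report which ones the DB rejected."""
    rejected = {}
    for label, sql, args in [
        ("not_null",    "INSERT INTO person (id, name) VALUES (?, ?)", (4, None)),
        ("foreign_key", "INSERT INTO address (person_id, street) VALUES (?, ?)", (99, "Nowhere")),
        ("primary_key", "INSERT INTO person (id, name) VALUES (?, ?)", (1, "Dup")),
    ]:
        try:
            conn.execute(sql, args)
            rejected[label] = False
        except sqlite3.IntegrityError:
            rejected[label] = True
    return rejected

def join_rows(conn):
    """JOIN: one row per matching person/address pair, columns from both tables."""
    return conn.execute("""
        SELECT person.name, address.street
        FROM person JOIN address ON address.person_id = person.id
        ORDER BY person.name, address.street
    """).fetchall()

def union_rows(conn):
    """UNION: stack two SELECTs into one longer result (duplicates removed)."""
    return conn.execute("""
        SELECT name FROM person WHERE email_address IS NOT NULL
        UNION
        SELECT name FROM person WHERE phone_number IS NOT NULL
        ORDER BY name
    """).fetchall()

def where_limit(conn, n):
    """WHERE filters rows; LIMIT caps how many come back."""
    return conn.execute(
        "SELECT name FROM person WHERE phone_number IS NOT NULL ORDER BY name LIMIT ?", (n,)
    ).fetchall()

def crud_roundtrip(conn):
    """INSERT, UPDATE, then DELETE one entry; return [count, phone, count]."""
    out = []
    conn.execute("INSERT INTO person (name) VALUES (?)", ("Dave",))
    out.append(conn.execute("SELECT COUNT(*) FROM person").fetchone()[0])
    conn.execute("UPDATE person SET phone_number = ? WHERE name = ?", (5550000, "Dave"))
    out.append(conn.execute("SELECT phone_number FROM person WHERE name = ?", ("Dave",)).fetchone()[0])
    conn.execute("DELETE FROM person WHERE name = ?", ("Dave",))
    out.append(conn.execute("SELECT COUNT(*) FROM person").fetchone()[0])
    return out

if __name__ == "__main__":
    db = build_db()
    print(constraint_violations(db))   # all three rejected
    print(join_rows(db))               # 3 rows, 2 columns (more columns)
    print(union_rows(db))              # 3 rows, 1 column (more rows)
    print(where_limit(db, 1))
    print(crud_roundtrip(db))
```

Note the PRAGMA: without `foreign_keys = ON`, SQLite happily stores an address pointing at a person who does not exist, which is a common surprise when moving a schema from MySQL or Postgres.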
Let’s Build It!
Injection
SQL Injection
Mixing data and control
We are able to insert CONTROL characters into our DATA
This is referred to as INJECTION
Example:
SELECT username FROM users WHERE
username == 'request.data["username"]' AND
Password == 'request.data["password"]'; -- I'll implement hashing eventually...
Demos!
Schema Dumping…
https://dev.mysql.com/doc/mysql-infoschema-excerpt/8.0/en/information-schema.html
Remediation
Prepared Statements and Parameterised Queries
• Forces the database to expect a specific type of query by creating a model
• If the query received is outside the expected model, return an error
• Parameterised queries are similar except they're defined in the SQL database instead of the querying code.
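The injection example from the earlier slide and the prepared-statement fix sit side by side below. This is an added example in Python/sqlite3, not the lecture's code: the users table, its two rows and the three test inputs are constructed. The vulnerable function mirrors the slide's query (string interpolation, plaintext passwords and all); the safe one keeps the same SQL but hands the data to the driver through `?` placeholders, so the statement's shape is fixed before any user data arrives.

```python
import sqlite3

def make_users():
    """Constructed users table. Plaintext passwords only to mirror the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin",   "correct horse battery staple"),
        ("o'brien", "hunter2"),   # a legitimate name that happens to contain a quote
    ])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The slide's pattern: request data pasted straight into the SQL text.
    Any quote inside the data is read by the parser as a control character."""
    sql = ("SELECT username FROM users WHERE "
           f"username == '{username}' AND password == '{password}'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Prepared statement: the SQL is compiled with two data slots; the values
    are bound afterwards and can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username == ? AND password == ?"
    return conn.execute(sql, (username, password)).fetchone()

def compare(conn, username, password):
    """Run both versions on the same input and report what each did."""
    try:
        vuln = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError as exc:   # parser tripped over the data
        vuln = f"error: {exc}"
    return {"vulnerable": vuln, "safe": login_safe(conn, username, password)}

if __name__ == "__main__":
    db = make_users()
    # 1. Honest credentials: both agree.
    print(compare(db, "admin", "correct horse battery staple"))
    # 2. Honest data containing a quote: the vulnerable query is a syntax error,
    #    the prepared statement logs o'brien in correctly.
    print(compare(db, "o'brien", "hunter2"))
    # 3. Constructed control-in-data input: the vulnerable query's WHERE clause
    #    is rewritten and returns a row with no valid password; the prepared
    #    statement treats the whole string as the password and returns None.
    print(compare(db, "admin", "' OR '1'='1"))
```

Case 2 is the one worth remembering for defenders: the same quoting bug that lets control characters in also breaks ordinary users with apostrophes in their names, so a spike of SQL syntax errors in application logs is a useful early signal that somewhere a query is being built from strings.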
Other Methods
These work sometimes but there's always bypasses
• Escape all control characters
  • This is generally good practice regardless, but there's always a way around it
• Allow Listing
  • This is where you explicitly define what tables are allowed to be viewed
  • E.g. Granting select permissions for a user on the courses table, but not on the grades table
  • Not always helpful as you can leak data within the same table – user passwords for example
  • Always a way around the whitelisting
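Allow listing does have one place where it is the right tool rather than a fallback: table and column names cannot be bound as `?` parameters, so a request that chooses which table to read or which column to sort by has to be checked against a fixed list in code. The example below is added here and is not the lecture's code; it generalises the slide's courses/grades permission example into an application-side allow list, with the tables, rows and the `ALLOWED_TABLES` mapping all constructed for the demo.

```python
import sqlite3

# Constructed allow list: table -> columns a request may read or sort by.
# "grades" is deliberately absent, matching the slide's permission example.
ALLOWED_TABLES = {
    "courses": {"code", "title"},
}

def make_db():
    """Constructed tables and rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE courses (code TEXT PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE grades  (zid TEXT, code TEXT, mark INTEGER);
        INSERT INTO courses VALUES ('COMP6443', 'Web Application Security');
        INSERT INTO courses VALUES ('COMP6447', 'System and Software Security');
        INSERT INTO grades  VALUES ('z1', 'COMP6443', 85);
    """)
    return conn

def list_rows(conn, table, order_by, limit):
    """Identifiers are matched exactly against the allow list (never escaped
    and interpolated); the LIMIT is a value, so it is bound as a parameter."""
    columns = ALLOWED_TABLES.get(table)
    if columns is None:
        raise PermissionError(f"table not allowed: {table!r}")
    if order_by not in columns:
        raise ValueError(f"column not allowed: {order_by!r}")
    # Only strings that were keys/members of ALLOWED_TABLES reach this line,
    # so the f-string can only ever produce one of a small fixed set of queries.
    sql = f'SELECT * FROM "{table}" ORDER BY "{order_by}" LIMIT ?'
    return conn.execute(sql, (limit,)).fetchall()

def try_request(conn, table, order_by, limit):
    """Wrapper that turns the outcome into a status string for logging."""
    try:
        return "ok", list_rows(conn, table, order_by, limit)
    except PermissionError as exc:
        return "rejected-table", str(exc)
    except ValueError as exc:
        return "rejected-column", str(exc)

if __name__ == "__main__":
    db = make_db()
    print(try_request(db, "courses", "code", 10))      # allowed
    print(try_request(db, "grades", "mark", 10))       # table not in the allow list
    print(try_request(db, "courses", "code; --", 10))  # not an exact allowed column
```

The slide's caveat still applies: this controls which tables and columns a request may name, not which rows come back, so anything sensitive stored in an allowed table (the password column in a users table, say) is not protected by it.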
Real world examples of SQLi
• Tesla vulnerability—in 2014, security researchers publicized that they were able to breach the website of Tesla using SQL injection, gain administrative privileges and steal user data.
• Fortnite vulnerability—Fortnite is an online game with over 350 million users. In 2019, a SQL injection vulnerability was discovered which could let attackers access user accounts. The vulnerability was patched.
• Turkish government—another APT group, RedHack collective, used SQL injection to breach the Turkish government website and erase debt to government agencies.
• 7-Eleven breach—a team of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million credit card numbers.
• https://brightsec.com/blog/sql-injection-attack/
SQLi to RCE
It happens!
• Some SQL providers will allow you to create a file by using the "into_outfile" command
• Which means you can run a select on a static string and put that into a file. If you can access the file, sometimes you can get RCE.
• https://kayran.io/blog/web-vulnerabilities/sqli-to-rce/
• Or you could just run the "Give me RCE" command. Yes. That's a thing.
• https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xpcmdshell-transact-sql?view=sql-server-ver16