Learn SQL injection – Noob to Advanced [Video]

What is SQL Injection?
An SQL injection is a Common and famous method of hacking at present. Using this method an unauthorized person can access the database of the website. An attacker can get all details from the Database.

What an attacker can do?

* ByPassing Logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the My SQL server

Download top 99 sqli videos

DOWNLOAD




SQL is a standardized language used to access and manipulate databases to build customizable data views for each user. SQL queries are used to execute commands, such as data retrieval, updates and record removal. Different SQL elements implement these tasks, e.g., queries using the SELECT statement to retrieve data, based on user-provided parameters.

A typical eStore’s SQL database query may look like the following:

SELECT ItemName, ItemDescription

FROM Item

WHERE ItemNumber = ItemNumber

From this, the web application builds a string query that is sent to the database as a single SQL statement:

sql_query= “

SELECT ItemName, ItemDescription

FROM Item

WHERE ItemNumber = ” & Request.QueryString(“ItemID”)

A user-provided input can then generates the following SQL query:

SELECT ItemName, ItemDescription

FROM Item

WHERE ItemNumber = 999

As you can gather from the syntax, this query provides the name and description for item number 999.

SQL INJECTION EXAMPLE

An attacker wishing to execute SQL injection manipulates a standard SQL query to exploit non-validated input vulnerabilities in a database. There are many ways that this attack vector can be executed, several of which will be shown here to provide you with a general idea about how SQLI works.

As a result, the corresponding SQL query looks like this:

SELECT ItemName, ItemDescription

FROM Items

WHERE ItemNumber = 999 OR 1=1

And since the statement 1 = 1 is always true, the query returns all of the product names and descriptions in the database, even those thay you may not be eligible to access.Attackers are also able to take advantage of incorrectly filtered characters to alter SQL commands, including using a semicolon to separate two fields.

SELECT ItemName, ItemDescription

FROM Items

WHERE ItemNumber = 999; DROP TABLE USERS

As a result, the entire user database could be deleted.

Another way SQL queries can be manipulated is with a UNION SELECT statement. This combines two unrelated SELECT queries to retrieve data from different database tables.

SELECT ItemName, ItemDescription

FROM Items

WHERE ItemID = ‘999’ UNION SELECT Username, Password FROM Users;

Using the UNION SELECT statement, this query combines the request for item 999’s name and description with another that pulls names and passwords for every user in the database.

Download this Top 99 Sql injection video – Noob to advanced

DOWNLOAD

Leave a Reply

Your email address will not be published. Required fields are marked *