SQL injection attacks
[ Music ]
00:00:09
>> In the book, "Daemon," Brian Gragg uses an SQL injection attack to hack into a server in order to join a secret society run by a dead man. Good book. SQL injection attacks are real, though. I've consulted with several experts, who remain anonymous, in order to help give you a very basic explanation of what they are. Let's start with blog software, as an example. A lot of people run it, but they don't really understand how it works. And that's okay, as long as you regularly update and don't expose administrative functions to the Internet. When you type your login ID and password into a web page, it is passed as a string of text into a variable. And that variable is then interpreted as part of a command. Let's say the statement's like this, a select command looking for a user name. This tells the application to select from a table called "users" the name that equals the string "user name." So, let's say you type your user name "4thelulz," the string will look like this. And only the name "4thelulz" will be selected. Normal SQL injection is often detected by fuzzing a parameter with malicious characters like this. So you've got your example login sending some POST data that's malicious, and the application will return a 500 internal server error, an SQL error, or both. Now, a clever hacker could enter something like "a' or 't' = 't", with the apostrophes, as the user name. Then that's gonna turn the command to this. And the request is gonna look like this. Do you see how the single quotes are used to surround what becomes an argument? Since "t" always equals "t," the selection comes back as evaluated "true," even though a real user name has not been entered. This could work for a password, too. Now, the problem here is allowing multiple statements within one call. Your query API should not allow this. The injection attack in Daemon is what is sometimes known as a "magic string."
This one's clever because, unlike the injection we just talked about, a magic string can potentially give you admin access, not just generic user access. The attacker simply enters 'or 1 = 1. As far as an example, here's your login, and the POST data is passed as so. This causes the statement to be interpreted as this. Where it's saying "name = blank or 1 = 1." Well, this selects for all the users in the table and allows you to be logged in as the user at the top of the table, because 1 always equals 1. There are many more injection types than this, including blind SQL injections and vulnerabilities inside the server, but this should give you a fair idea of what these attacks are and how they work. The experts I consulted recommend using manual code reviews and enforcing the use of parameterized statements to ward off these kinds of attacks. Thanks for watching Hacks. Stay safe out there.
00:02:54
[ Music ]
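The login lookup the video walks through, built by pasting the submitted user name into the SQL text, beside the parameterized form the experts recommend. This is an added example, not code from the video; the users table, its passwords and the use of SQLite are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo; not from the video.
USERS = [("admin", "s3cret"), ("4thelulz", "hunter2"), ("bob", "letmein")]

# The "a' or 't' = 't" input from the video: the leading quote closes the
# string the application opened, and the trailing "'t" reuses its closing quote.
MAGIC_STRING = "a' or 't' = 't"


def make_db():
    """In-memory users table, rows inserted in the order of USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement the way the video describes: the typed text is
    dropped straight into the command, so quotes in it become SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The recommended fix: a placeholder in the SQL, the value bound
    separately, so whatever was typed is only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("normal, vulnerable:     ", lookup_vulnerable(db, "4thelulz"))
    print("normal, parameterized:  ", lookup_parameterized(db, "4thelulz"))
    # Concatenation turns the WHERE clause into  name = 'a' or 't' = 't',
    # which is true for every row, so the first row (admin) comes back on top.
    print("magic, vulnerable:      ", lookup_vulnerable(db, MAGIC_STRING))
    # Bound as a parameter, the same text is just an unusual name that
    # matches nobody.
    print("magic, parameterized:   ", lookup_parameterized(db, MAGIC_STRING))
```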