SQL injection attacks
2:58

SQL injection attacks

Culture
[ Music ] ^M00:00:09 >> In the book, "Daemon," Brian Gragg uses an SQL injection attack to hack into a server in order to join a secret society run by a dead man. Good book. SQL injection attacks are real, though. I've consulted with several experts, who remain anonymous, in order to help give you a very basic explanation of what they are. Let's start with blog software, as an example. A lot of people run it, but they don't really understand how it works. And that's okay, as long as you regularly update and don't expose administrative functions to the Internet. When you type your log in ID and password into a web page, it is passed as a string of text into a variable. And that variable is then interpreted as part of a command. Let's say the statement's like this, a select command looking for a user name. This tells the application to select from a table called "users" the name that equals the string "user name." So, let's say you type your user name "4thelulz," the string will look like this. And only the name "4thelulz" will be selected. Normal SQL injection is often detected by fuzzing a parameter with malicious characters like this. So you've got your example log in sending some post-data that's malicious, and the application will return a 500 internal server error, and SQL error, or both. Now, a clever hacker could enter something like, "a' or 't' = 't, with the apostrophes, as the user name. Then that's gonna turn the command to this. And the request is gonna look like this. Do you see how the single quotes are used to surround what becomes an argument? Since "t" always equals "t," the selection comes back as evaluated "true," even though a real user name has not been entered. This could work for a password, too. Now, the problem here is allowing multiple statements within one call. Your query API should not allow this. The injection attack in Daemon is what is sometimes known as a "magic string." This one's clever because unlike the injection we just talked about, a magic string can potentially give you admin access, not just generic user access. The attacker simply enters 'or 1 = 1. As far as an example, here's your login, and the post data is passed as so. This causes the statement to be interpreted as this. Where it's saying "name = blank or 1 = 1." Well, this selects for all the users in the table and allows you to be logged in at the user at the top of the table because 1 always equals 1. There are many more injection types than this, including blind SQL injections and vulnerabilities inside the server, but this should give you a fair idea of what these attacks are and how they work. The experts I consulted recommending using manual code reviews and enforcing the use of parameterized statements to ward off these kinds of attacks. Thanks for watching Hacks. Stay safe out there. ^M00:02:54 [ Music ]

Up Next

Hacks@Home: How to install a smart plug
hackshome-how-to-install-a-smart-plug0

Up Next

Hacks@Home: How to install a smart plug

Worst hacks of the year
gettyimages-527099783

Worst hacks of the year

Tweak MiFi to charge
hk_MiFiUSB720.jpg

Tweak MiFi to charge

Elevator hacks
hk_elevators720.jpg

Elevator hacks

Share your purchased iPhone apps on multiple devices
hk_shareapps720.jpg

Share your purchased iPhone apps on multiple devices

Add an external hard drive to your TiVo HD
hk_tivoexternal720.jpg

Add an external hard drive to your TiVo HD

Why AT&T blocked 4Chan
hk_ATT4Chan720.jpg

Why AT&T blocked 4Chan

Break into Gmail
hk_GmailSecurity720.jpg

Break into Gmail

Make your own batteries
hk_MakeBatteries720.jpg

Make your own batteries

Tech Shows

The Apple Core
apple-core-w

The Apple Core

Alphabet City
alphabet-city-w

Alphabet City

CNET Top 5
cnet-top-5-w

CNET Top 5

The Daily Charge
dc-site-1color-logo.png

The Daily Charge

What the Future
what-the-future-w

What the Future

Tech Today
tech-today-w

Tech Today

Latest News All latest news

Why Samsung Keeps Making Foldable Phones
foldablephone-explainer-clean

Why Samsung Keeps Making Foldable Phones

Everything We Expect Samsung to Announce
sideopen

Everything We Expect Samsung to Announce

New Device Uses Levitation for Touch-Free Building
levitation-1

New Device Uses Levitation for Touch-Free Building

Would a Solar Car Change Your Life?
solar-evs-00-05-39-10-still164

Would a Solar Car Change Your Life?

Chef Reviews Plant-Based Steak, Bacon, Chicken Breast and More
bacon

Chef Reviews Plant-Based Steak, Bacon, Chicken Breast and More

Ask Farnoosh: Recession-Proof Finances by Paying Down Debt or Boosting Savings?
farnooshcms

Ask Farnoosh: Recession-Proof Finances by Paying Down Debt or Boosting Savings?

Most Popular All most popular

New Device Uses Levitation for Touch-Free Building
levitation-1

New Device Uses Levitation for Touch-Free Building

Make Your iPhone Faster by Clearing the Cache
cachecnet

Make Your iPhone Faster by Clearing the Cache

Why Samsung Keeps Making Foldable Phones
foldablephone-explainer-clean

Why Samsung Keeps Making Foldable Phones

Would a Solar Car Change Your Life?
solar-evs-00-05-39-10-still164

Would a Solar Car Change Your Life?

Everything We Expect Samsung to Announce
sideopen

Everything We Expect Samsung to Announce

SpyraTwo hands-on: The ultimate water gun
spyratwo-2

SpyraTwo hands-on: The ultimate water gun

Latest Products All latest products

MacOS Ventura Public Beta: The 3 Best New Features
thumb1

MacOS Ventura Public Beta: The 3 Best New Features

What You Should Know About the Nothing Phone 1
nothingphone1-cms

What You Should Know About the Nothing Phone 1

New WatchOS 9 Features Coming Soon to Apple Watch
p1050672

New WatchOS 9 Features Coming Soon to Apple Watch

PlayStation Plus: Picking the Best Tier
p1099227-mov-06-55-54-22-still003

PlayStation Plus: Picking the Best Tier

E Ink Tablets: Everything You Need to Know
eink-website

E Ink Tablets: Everything You Need to Know

Moto G 5G Review: A $400 Phone That May Have Everything You Need
clip0001-00-00-25-15-still001

Moto G 5G Review: A $400 Phone That May Have Everything You Need

Latest How To All how to videos

How to Clean Your Keyboard's Sticky Keys
3keyboards

How to Clean Your Keyboard's Sticky Keys

How to Play Games from PlayStation Plus on PC
psstill

How to Play Games from PlayStation Plus on PC

How to Delete or Disable Your Instagram Account
phoneonorange

How to Delete or Disable Your Instagram Account

Fix Your iPhone Screen With Apple's Self-Service Repair Kit
dsc00641

Fix Your iPhone Screen With Apple's Self-Service Repair Kit

How to Buy a Budget Laptop in 2022
budgetlaptops-00-08-35-15-still001

How to Buy a Budget Laptop in 2022

Google Pay: How to Set Up and Use
googlepay-inhand

Google Pay: How to Set Up and Use