
SQL injection lab

Chapter 2

Description:
• An attack in which untrusted input is spliced into the text of a SQL statement, so attacker-supplied characters are parsed and executed as part of the statement instead of being treated as data
• Manipulate SELECT statements (read rows the caller was never meant to see)
• Run DML or even DDL (change or destroy data and schema objects)
• Run stored procedures

First: SQL*Plus, using SPOOL to capture the session output to a file


 Open cmd
 sqlplus username@connectionstring
(Enter the password at the prompt. Putting it on the command line, as in sqlplus username/password@connectionstring, leaves it in the shell history and visible in the process list to other users of the machine.)

SQL> Spool c:\labs\ch2\lab.txt


SQL> Select name from v$database;
SQL>Spool off;

Go to c:\labs\ch2\lab.txt and open the text file to show the captured results.
SQL injection
Create new user (db_sec):
Cmd> sqlplus / as sysdba   (or sqlplus username/password for an account that holds the CREATE USER privilege)
SQL> Spool c:\labs\ch2\lab.txt;

Sql> create user db_sec identified by db_sec;
(Lab only: the password is the same as the username. Never reuse this outside a throwaway lab database.)


Sql> grant connect, resource to db_sec;
(On Oracle 12c and later RESOURCE no longer includes UNLIMITED TABLESPACE, so the INSERTs below fail with ORA-01950 unless the user is given a quota, e.g. alter user db_sec quota unlimited on users;)
Sql> connect db_sec/db_sec@lab
(SQL*Plus CONNECT syntax is username/password@connect_identifier; the original db_sec@lab/db_sec puts the password inside the connect identifier and fails. Prefer connect db_sec@lab and type the password at the prompt.)
Create table
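SQL> CREATE TABLE SALARY_INJECTION_TB
(
-- Surrogate key; the injection payloads in this lab target it (PERSON_ID = 123).
PERSON_ID   NUMBER(9,0)   NOT NULL,
-- GET_SALARY looks a row up by name with SELECT ... INTO, which needs at most
-- one row per name; the UNIQUE constraint makes that assumption explicit.
PERSON_NAME VARCHAR2(120) NOT NULL,
-- Exact decimal with three places, not a float.
SALARY      NUMBER(11,3),
CONSTRAINT salary_injection_tb_pk PRIMARY KEY (PERSON_ID),
CONSTRAINT salary_injection_tb_name_uk UNIQUE (PERSON_NAME)
);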
Insert Demo data
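-- Demo rows. Column lists are explicit so the values cannot silently shift
-- if the table definition changes. (The table name in the first line was
-- garbled in the original handout.)
insert into salary_injection_tb (person_id, person_name, salary) values (123, 'khaled', 3000);
insert into salary_injection_tb (person_id, person_name, salary) values (456, 'ali', 1500);
insert into salary_injection_tb (person_id, person_name, salary) values (789, 'hassan', 5400);
-- Make the demo rows visible to other sessions before the procedure is used.
Sql> commit;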

Query the inserted data


SQL> select * from salary_injection_tb;
Create a procedure that returns an employee's salary by name (vulnerable version: the name is concatenated into the SQL text)

SQL> create or replace PROCEDURE get_salary (
-- INTENTIONALLY VULNERABLE (lab demo): P_PERSON_NAME is concatenated into the
-- statement text, so a name containing a quote rewrites the WHERE clause.
-- Looks up SALARY for a PERSON_NAME; prints the built statement and the result.
P_PERSON_NAME IN SALARY_INJECTION_TB.PERSON_NAME%TYPE,
P_SALARY OUT SALARY_INJECTION_TB.SALARY%TYPE
)
IS
query VARCHAR2(2000);
BEGIN
-- Injection point: the literal is opened with ''', the raw input is appended,
-- and a closing quote is added. The input  ' OR person_id=123 --  therefore yields
--   WHERE PERSON_NAME=' ' OR person_id=123 --'
-- and the procedure's trailing quote is commented away.
-- NOTE: the string literal below spans two lines; that line break is part of
-- the statement text, so do not insert anything between them.
query := 'SELECT SALARY FROM SALARY_INJECTION_TB WHERE
PERSON_NAME='''
|| P_PERSON_NAME ||''''
;
-- Echo the statement so the lab can show exactly what is about to run.
DBMS_OUTPUT.PUT_LINE('Query: ' || query);
-- Only NO_DATA_FOUND is handled below; a payload that matches several rows
-- raises TOO_MANY_ROWS out of this procedure.
EXECUTE IMMEDIATE query INTO P_SALARY ;
DBMS_OUTPUT.PUT_LINE('Sal: ' || P_SALARY );
EXCEPTION
WHEN NO_DATA_FOUND THEN
-- No row matched; P_SALARY is left NULL.
DBMS_OUTPUT.PUT_LINE('NO DATA FOUND');

END;
/

Enable server output so the DBMS_OUTPUT messages from the procedure are displayed


SQL> SET SERVEROUTPUT ON;

SQL injection: the second call passes a crafted name; the built statement ends in PERSON_NAME=' ' OR person_id=123 --' and returns the salary of person 123 (khaled, 3000) without the caller knowing that name.
SQL> DECLARE
-- Receives the OUT value of each call; the procedure itself prints it.
l_result salary_injection_tb.salary%type;
-- Crafted "name": closes the quote the procedure opens, ORs in a predicate on
-- PERSON_ID, and comments out the quote the procedure appends afterwards.
l_payload salary_injection_tb.person_name%type := ' '' OR person_id=123 --';
BEGIN
-- Legitimate lookup by name.
GET_SALARY(P_PERSON_NAME => 'ali', P_SALARY => l_result);
-- Injected lookup: against the concatenating version this selects by PERSON_ID.
GET_SALARY(P_PERSON_NAME => l_payload, P_SALARY => l_result);
END;
/
Prevent SQL injection: rewrite the procedure so the name is passed as a bind variable (USING) instead of being concatenated into the statement text
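SQL> create or replace PROCEDURE get_salary (
-- Parameterized version: the caller-supplied name is bound as a value, so it
-- is compared as a literal and cannot change the shape of the statement.
-- Looks up SALARY for a PERSON_NAME; prints the statement and the result.
P_PERSON_NAME IN SALARY_INJECTION_TB.PERSON_NAME%TYPE,
P_SALARY OUT SALARY_INJECTION_TB.SALARY%TYPE
)
IS
v_query VARCHAR2(2000);
BEGIN
-- Fix: the dynamic statement must not contain INTO. Native dynamic SQL
-- rejects 'SELECT ... INTO :x FROM ...' at parse time (ORA-00905: missing
-- keyword), so the original "safe" version never ran. The INTO clause
-- belongs on EXECUTE IMMEDIATE itself; the only placeholder left in the
-- text is the bind for the name.
v_query := 'SELECT SALARY FROM SALARY_INJECTION_TB WHERE PERSON_NAME = :P_PERSON_NAME';

-- The printed text is now identical for every input; only the bound value differs.
DBMS_OUTPUT.PUT_LINE('Query: ' || v_query);

-- Binds are matched by position: one placeholder, one USING argument.
EXECUTE IMMEDIATE v_query INTO P_SALARY USING P_PERSON_NAME;

DBMS_OUTPUT.PUT_LINE('SaL: ' || P_SALARY );

EXCEPTION
WHEN NO_DATA_FOUND THEN
-- No row has exactly this name; P_SALARY is left NULL. A quote-breaking
-- payload ends up here too, because it is matched as a plain string.
-- TOO_MANY_ROWS (duplicate names) is not handled and propagates to the caller.
DBMS_OUTPUT.PUT_LINE('NO DATA FOUND');
END;
/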

Try the same injection against the parameterized procedure: the payload is compared as an ordinary string value, no row has that name, and the procedure reports NO DATA FOUND.


SQL> DECLARE
-- Same payload as before; with the bound version it is just an unmatched name.
c_payload CONSTANT VARCHAR2(120) := ' '' OR person_id=123 --';
l_salary  salary_injection_tb.salary%type;
BEGIN
-- Normal lookup still works.
GET_SALARY('ali', l_salary);
-- The crafted name no longer reaches the SQL text as syntax.
GET_SALARY(c_payload, l_salary);
END;
/

DECLARE
-- Locals renamed so they no longer shadow the procedure's formal parameter names.
l_name   VARCHAR2(120);
l_salary NUMBER;
BEGIN
-- A "name" that would have hijacked the concatenating version: it closes the
-- literal, ORs in PERSON_ID = 123 and comments out the rest of the line.
l_name := 'CCCC'' OR PERSON_ID = 123 --';
-- Passed as a bind value, the whole string is compared against PERSON_NAME.
GET_SALARY(l_name, l_salary);
END;
/
