{"id":237,"date":"2024-12-09T12:17:02","date_gmt":"2024-12-09T11:17:02","guid":{"rendered":"https:\/\/cienciaytecnology.com\/wordpress\/?p=237"},"modified":"2026-04-30T21:21:17","modified_gmt":"2026-04-30T19:21:17","slug":"sql-injection","status":"publish","type":"post","link":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/","title":{"rendered":"SQL Injection"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">What is SQL injection? Explain in detail what it consists of and its types: error-based, time-based, boolean-based, union-based and stacked queries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>SQL Injection<\/strong> is a cyberattack technique that exploits vulnerabilities in the way an application interacts with its database. Attackers insert malicious SQL code into the queries that a web application sends to its database, which can allow them to access, modify or delete data without authorization.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Types of SQL Injection<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Error-Based SQL Injection<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Description<\/strong>: Consists of inserting SQL code that triggers an error in the database. The error messages can reveal information about the structure of the database.<\/li>\n\n\n\n<li><strong>Example<\/strong>: <code>'; DROP TABLE users; --<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Time-Based SQL Injection<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Description<\/strong>: Uses time functions to determine whether a query is true or false. 
This can be used to extract data from the database.<\/li>\n\n\n\n<li><strong>Example<\/strong>: <code>'; IF (1=1) { WAITFOR DELAY '0:0:5' --<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Boolean-Based SQL Injection<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Description<\/strong>: Inserts boolean conditions into SQL queries to filter data. If the condition is true, the query returns results; if it is false, it returns nothing.<\/li>\n\n\n\n<li><strong>Example<\/strong>: <code>'; AND 1=1 UNION SELECT username, password FROM users --<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Union-Based SQL Injection<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Description<\/strong>: Uses the <code>UNION<\/code> clause to combine the results of multiple SQL queries. This can be used to extract data from different tables.<\/li>\n\n\n\n<li><strong>Example<\/strong>: <code>'; UNION SELECT username, password FROM users --<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Stacked-Query SQL Injection<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Description<\/strong>: Inserts multiple SQL queries on a single line, separated by semicolons. 
This can be used to execute multiple commands in a single request.<\/li>\n\n\n\n<li><strong>Example<\/strong>: <code>'; DROP TABLE users; SELECT * FROM users --<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Preventing SQL Injection<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To prevent SQL injection attacks, it is important to follow good security practices, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use of prepared statements<\/strong>: Avoids directly concatenating user input into SQL queries.<\/li>\n\n\n\n<li><strong>Input validation and sanitization<\/strong>: Make sure that all user input is validated and sanitized before it is used in SQL queries.<\/li>\n\n\n\n<li><strong>Principle of least privilege<\/strong>: Limit database permissions so that applications only have access to the data they need.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Test lab for SQL Injection<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We are going to build a test lab to practice SQL injection attacks:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We install the tools we are going to use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install mariadb-server apache2 php-mysql<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We check that the mariadb and apache2 services are running:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status apache2\n\n~# systemctl status apache2\n\u25cf apache2.service - The Apache HTTP Server\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/apache2.service; enabled; preset: enabled)\n     Active: active (running) since Mon 2024-12-09 10:22:41 UTC; 21min ago\n Invocation: fcdbf07c016a4e8f9b6a7eba53ebc183\n       Docs: https:\/\/httpd.apache.org\/docs\/2.4\/\n   Main PID: 101574 (apache2)\n      
Tasks: 55 (limit: 1110)\n     Memory: 7.3M (peak: 7.5M)\n        CPU: 187ms\n     CGroup: \/system.slice\/apache2.service\n             \u251c\u2500101574 \/usr\/sbin\/apache2 -k start\n             \u251c\u2500101576 \/usr\/sbin\/apache2 -k start\n             \u2514\u2500101577 \/usr\/sbin\/apache2 -k start\n\n~# systemctl status mariadb\n\u25cf mariadb.service - MariaDB 11.4.3 database server\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/mariadb.service; enabled; preset: enabled)\n     Active: active (running) since Mon 2024-12-09 10:22:36 UTC; 22min ago\n Invocation: 0e663c8377c74f15becc832ea34b1594\n       Docs: man:mariadbd(8)\n             https:&#47;&#47;mariadb.com\/kb\/en\/library\/systemd\/\n   Main PID: 101138 (mariadbd)\n     Status: \"Taking your SQL requests now...\"\n      Tasks: 9 (limit: 7327)\n     Memory: 89.4M (peak: 93.6M)\n        CPU: 2.101s\n     CGroup: \/system.slice\/mariadb.service\n             \u2514\u2500101138 \/usr\/sbin\/mariadbd\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We are going to create the database, with its table and columns, that we will use to run the MySQL queries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first time we connect with mysql -u root -p, we can just press Enter without typing anything.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>~# mysql -uroot -p\nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 31\nServer version: 11.4.3-MariaDB-1 Ubuntu 24.10\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nSupport MariaDB developers by giving a star at https:\/\/github.com\/MariaDB\/server\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMariaDB &#91;(none)]&gt; <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The main components of MySQL are databases, tables and columns. Each database has tables and each table has columns. 
So the basic queries for viewing this are: show databases; use database; show tables; describe table; select * from table; select field, field from table.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MariaDB &#91;(none)]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n4 rows in set (0.001 sec)\n\nMariaDB &#91;(none)]&gt; use mysql;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB &#91;mysql]&gt; show tables;\n+---------------------------+\n| Tables_in_mysql           |\n+---------------------------+\n| column_stats              |\n| columns_priv              |\n| db                        |\n| event                     |\n| func                      |\n| general_log               |\n| global_priv               |\n| gtid_slave_pos            |\n| help_category             |\n| help_keyword              |\n| help_relation             |\n| help_topic                |\n| index_stats               |\n| innodb_index_stats        |\n| innodb_table_stats        |\n| plugin                    |\n| proc                      |\n| procs_priv                |\n| proxies_priv              |\n| roles_mapping             |\n| servers                   |\n| slow_log                  |\n| table_stats               |\n| tables_priv               |\n| time_zone                 |\n| time_zone_leap_second     |\n| time_zone_name            |\n| time_zone_transition      |\n| time_zone_transition_type |\n| transaction_registry      |\n| user                      |\n+---------------------------+\n31 rows in set (0.001 sec)\n\nMariaDB &#91;mysql]&gt; describe user;\n+------------------------+---------------------+------+-----+----------+-------+\n| Field                  | Type                
| Null | Key | Default  | Extra |\n+------------------------+---------------------+------+-----+----------+-------+\n| Host                   | char(255)           | NO   |     |          |       |\n| User                   | char(128)           | NO   |     |          |       |\n| Password               | longtext            | YES  |     | NULL     |       |\n| Select_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Insert_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Update_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Delete_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Create_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Drop_priv              | varchar(1)          | YES  |     | NULL     |       |\n| Reload_priv            | varchar(1)          | YES  |     | NULL     |       |\n| Shutdown_priv          | varchar(1)          | YES  |     | NULL     |       |\n| Process_priv           | varchar(1)          | YES  |     | NULL     |       |\n| File_priv              | varchar(1)          | YES  |     | NULL     |       |\n| Grant_priv             | varchar(1)          | YES  |     | NULL     |       |\n| References_priv        | varchar(1)          | YES  |     | NULL     |       |\n| Index_priv             | varchar(1)          | YES  |     | NULL     |       |\n| Alter_priv             | varchar(1)          | YES  |     | NULL     |       |\n| Show_db_priv           | varchar(1)          | YES  |     | NULL     |       |\n| Super_priv             | varchar(1)          | YES  |     | NULL     |       |\n| Create_tmp_table_priv  | varchar(1)          | YES  |     | NULL     |       |\n| Lock_tables_priv       | varchar(1)          | YES  |     | NULL     |       |\n| Execute_priv           | varchar(1)          | YES  |     | NULL     |       |\n| Repl_slave_priv        | varchar(1)          | YES  |     | NULL     |       
|\n| Repl_client_priv       | varchar(1)          | YES  |     | NULL     |       |\n| Create_view_priv       | varchar(1)          | YES  |     | NULL     |       |\n| Show_view_priv         | varchar(1)          | YES  |     | NULL     |       |\n| Create_routine_priv    | varchar(1)          | YES  |     | NULL     |       |\n| Alter_routine_priv     | varchar(1)          | YES  |     | NULL     |       |\n| Create_user_priv       | varchar(1)          | YES  |     | NULL     |       |\n| Event_priv             | varchar(1)          | YES  |     | NULL     |       |\n| Trigger_priv           | varchar(1)          | YES  |     | NULL     |       |\n| Create_tablespace_priv | varchar(1)          | YES  |     | NULL     |       |\n| Delete_history_priv    | varchar(1)          | YES  |     | NULL     |       |\n| ssl_type               | varchar(9)          | YES  |     | NULL     |       |\n| ssl_cipher             | longtext            | NO   |     |          |       |\n| x509_issuer            | longtext            | NO   |     |          |       |\n| x509_subject           | longtext            | NO   |     |          |       |\n| max_questions          | bigint(20) unsigned | NO   |     | 0        |       |\n| max_updates            | bigint(20) unsigned | NO   |     | 0        |       |\n| max_connections        | bigint(20) unsigned | NO   |     | 0        |       |\n| max_user_connections   | bigint(21)          | NO   |     | 0        |       |\n| plugin                 | longtext            | NO   |     |          |       |\n| authentication_string  | longtext            | NO   |     |          |       |\n| password_expired       | varchar(1)          | NO   |     |          |       |\n| is_role                | varchar(1)          | YES  |     | NULL     |       |\n| default_role           | longtext            | NO   |     |          |       |\n| max_statement_time     | decimal(12,6)       | NO   |     | 0.000000 |       
|\n+------------------------+---------------------+------+-----+----------+-------+\n47 rows in set (0.002 sec)\n\nMariaDB &#91;mysql]&gt; select User, Password from user;\n+-------------+----------+\n| User        | Password |\n+-------------+----------+\n| mariadb.sys |          |\n| root        | invalid  |\n| mysql       | invalid  |\n+-------------+----------+\n3 rows in set (0.002 sec)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We are going to create our own database with the fields username, password, &#8230; so that a PHP script can establish a connection to that database and we can practice <strong>SQL Injection<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MariaDB &#91;mysql]&gt; create database SQLInjection;\nQuery OK, 1 row affected (0.001 sec)\n\nMariaDB &#91;mysql]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| SQLInjection       |\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n5 rows in set (0.001 sec)\n\nMariaDB &#91;mysql]&gt; use SQ\nSQL                  SQL_NO_CACHE         SQL_TSI_MINUTE       SQL_TSI_YEAR        \nSQL_BIG_RESULT       SQL_SMALL_RESULT     SQL_TSI_MONTH        SQLEXCEPTION        \nSQL_BUFFER_RESULT    SQL_THREAD           SQL_TSI_QUARTER      SQLSTATE            \nSQL_CACHE            SQL_TSI_DAY          SQL_TSI_SECOND       SQLWARNING          \nSQL_CALC_FOUND_ROWS  SQL_TSI_HOUR         SQL_TSI_WEEK         SQRT                \nMariaDB &#91;mysql]&gt; use SQLInjection;\nDatabase changed\nMariaDB &#91;SQLInjection]&gt; show tables;\nEmpty set (0.001 sec)\n\nMariaDB &#91;SQLInjection]&gt; create table users(id int(32), username varchar(32), password varchar(32));\nQuery OK, 0 rows affected (0.042 sec)\n\nMariaDB &#91;SQLInjection]&gt; show tables;\n+------------------------+\n| Tables_in_SQLInjection |\n+------------------------+\n| users                  
|\n+------------------------+\n1 row in set (0.001 sec)\n\nMariaDB &#91;SQLInjection]&gt; describe users;\n+----------+-------------+------+-----+---------+-------+\n| Field    | Type        | Null | Key | Default | Extra |\n+----------+-------------+------+-----+---------+-------+\n| id       | int(32)     | YES  |     | NULL    |       |\n| username | varchar(32) | YES  |     | NULL    |       |\n| password | varchar(32) | YES  |     | NULL    |       |\n+----------+-------------+------+-----+---------+-------+\n3 rows in set (0.001 sec)\n\nMariaDB &#91;SQLInjection]&gt; # Let's insert some data\nMariaDB &#91;SQLInjection]&gt; insert into users(id, username, password) values(1, 'admin', 'admin123');\nQuery OK, 1 row affected (0.002 sec)\n\nMariaDB &#91;SQLInjection]&gt; insert into users(id, username, password) values(2, 'david', 'david1234');\nQuery OK, 1 row affected (0.002 sec)\n\nMariaDB &#91;SQLInjection]&gt; insert into users(id, username, password) values(3, 'Hacker', 'hacker321');\nQuery OK, 1 row affected (0.003 sec)\n\nMariaDB &#91;SQLInjection]&gt; # Show all the fields of the table, or only certain fields\nMariaDB &#91;SQLInjection]&gt; select * from users;\n+------+----------+-----------+\n| id   | username | password  |\n+------+----------+-----------+\n|    1 | admin    | admin123  |\n|    2 | david    | david1234 |\n|    3 | Hacker   | hacker321 |\n+------+----------+-----------+\n3 rows in set (0.001 sec)\n\nMariaDB &#91;SQLInjection]&gt; select username from users;\n+----------+\n| username |\n+----------+\n| admin    |\n| david    |\n| Hacker   |\n+----------+\n3 rows in set (0.001 sec)<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SQL injection is one of the most common and dangerous web vulnerabilities. 
Learn how attackers exploit flaws in data validation to manipulate your MySQL database, and which critical security measures (such as prepared statements) you must implement in your PHP code to protect the integrity of your WordPress site.<\/p>\n","protected":false},"author":1,"featured_media":818,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kadence_starter_templates_imported_post":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[63],"tags":[226,225,227,224,230,232,228,229,231],"class_list":["post-237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","tag-apache2","tag-mariadb","tag-php-mysql","tag-sql-injection","tag-sql-injection-basada-en-booleanos","tag-sql-injection-basada-en-consultas","tag-sql-injection-basada-en-errores","tag-sql-injection-basada-en-tiempo","tag-sql-injection-basada-en-uniones"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SQL Injection - Ciencia y Tecnologia<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL Injection - Ciencia y Tecnologia\" \/>\n<meta property=\"og:description\" content=\"La inyecci\u00f3n SQL es una de las vulnerabilidades web m\u00e1s comunes y peligrosas. 
Aprende c\u00f3mo los atacantes explotan fallos en la validaci\u00f3n de datos para manipular tu base de datos MySQL, y qu\u00e9 medidas de seguridad cr\u00edticas (como las consultas preparadas) debes implementar en tu c\u00f3digo PHP para proteger la integridad de tu WordPress.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/\" \/>\n<meta property=\"og:site_name\" content=\"Ciencia y Tecnologia\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-09T11:17:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-30T19:21:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1408\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"david\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"david\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/\"},\"author\":{\"name\":\"david\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#\\\/schema\\\/person\\\/b76777e3c0d2d08ea263068461c90d4b\"},\"headline\":\"SQL 
Injection\",\"datePublished\":\"2024-12-09T11:17:02+00:00\",\"dateModified\":\"2026-04-30T19:21:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/\"},\"wordCount\":512,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#\\\/schema\\\/person\\\/b76777e3c0d2d08ea263068461c90d4b\"},\"image\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/sql-injection.jpg\",\"keywords\":[\"apache2\",\"mariadb\",\"php-mysql\",\"SQL Injection\",\"sql injection basada en booleanos\",\"sql injection basada en consultas\",\"sql injection basada en errores\",\"sql injection basada en tiempo\",\"sql injection basada en uniones\"],\"articleSection\":[\"Hacking\"],\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/\",\"url\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/\",\"name\":\"SQL Injection - Ciencia y 
Tecnologia\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/sql-injection.jpg\",\"datePublished\":\"2024-12-09T11:17:02+00:00\",\"dateModified\":\"2026-04-30T19:21:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/sql-injection.jpg\",\"contentUrl\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/sql-injection.jpg\",\"width\":1408,\"height\":768},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/sql-injection\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SQL Injection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#website\",\"url\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/\",\"name\":\"Ciencia y 
Tecnologia\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#\\\/schema\\\/person\\\/b76777e3c0d2d08ea263068461c90d4b\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\\\/#\\\/schema\\\/person\\\/b76777e3c0d2d08ea263068461c90d4b\",\"name\":\"david\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g\",\"caption\":\"david\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g\"},\"sameAs\":[\"https:\\\/\\\/cienciaytecnology.com\\\/wordpress\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SQL Injection - Ciencia y Tecnologia","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/","og_locale":"es_ES","og_type":"article","og_title":"SQL Injection - Ciencia y Tecnologia","og_description":"La inyecci\u00f3n SQL es una de las vulnerabilidades web m\u00e1s comunes y peligrosas. 
Aprende c\u00f3mo los atacantes explotan fallos en la validaci\u00f3n de datos para manipular tu base de datos MySQL, y qu\u00e9 medidas de seguridad cr\u00edticas (como las consultas preparadas) debes implementar en tu c\u00f3digo PHP para proteger la integridad de tu WordPress.","og_url":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/","og_site_name":"Ciencia y Tecnologia","article_published_time":"2024-12-09T11:17:02+00:00","article_modified_time":"2026-04-30T19:21:17+00:00","og_image":[{"width":1408,"height":768,"url":"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg","type":"image\/jpeg"}],"author":"david","twitter_card":"summary_large_image","twitter_misc":{"Escrito por":"david","Tiempo de lectura":"3 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#article","isPartOf":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/"},"author":{"name":"david","@id":"https:\/\/cienciaytecnology.com\/wordpress\/#\/schema\/person\/b76777e3c0d2d08ea263068461c90d4b"},"headline":"SQL Injection","datePublished":"2024-12-09T11:17:02+00:00","dateModified":"2026-04-30T19:21:17+00:00","mainEntityOfPage":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/"},"wordCount":512,"commentCount":0,"publisher":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/#\/schema\/person\/b76777e3c0d2d08ea263068461c90d4b"},"image":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#primaryimage"},"thumbnailUrl":"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg","keywords":["apache2","mariadb","php-mysql","SQL Injection","sql injection basada en booleanos","sql injection basada en consultas","sql injection basada en errores","sql injection basada en tiempo","sql injection basada en 
uniones"],"articleSection":["Hacking"],"inLanguage":"es","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/","url":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/","name":"SQL Injection - Ciencia y Tecnologia","isPartOf":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#primaryimage"},"image":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#primaryimage"},"thumbnailUrl":"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg","datePublished":"2024-12-09T11:17:02+00:00","dateModified":"2026-04-30T19:21:17+00:00","breadcrumb":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#primaryimage","url":"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg","contentUrl":"https:\/\/cienciaytecnology.com\/wordpress\/wp-content\/uploads\/2024\/12\/sql-injection.jpg","width":1408,"height":768},{"@type":"BreadcrumbList","@id":"https:\/\/cienciaytecnology.com\/wordpress\/sql-injection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/cienciaytecnology.com\/wordpress\/"},{"@type":"ListItem","position":2,"name":"SQL Injection"}]},{"@type":"WebSite","@id":"https:\/\/cienciaytecnology.com\/wordpress\/#website","url":"https:\/\/cienciaytecnology.com\/wordpress\/","name":"Ciencia y 
Tecnologia","description":"","publisher":{"@id":"https:\/\/cienciaytecnology.com\/wordpress\/#\/schema\/person\/b76777e3c0d2d08ea263068461c90d4b"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cienciaytecnology.com\/wordpress\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":["Person","Organization"],"@id":"https:\/\/cienciaytecnology.com\/wordpress\/#\/schema\/person\/b76777e3c0d2d08ea263068461c90d4b","name":"david","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/secure.gravatar.com\/avatar\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g","caption":"david"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/a9d8ccd92847e24d772422bc56934157f705784123e5b11a9724d44add16e6bb?s=96&d=mm&r=g"},"sameAs":["https:\/\/cienciaytecnology.com\/wordpress"]}]}},"_links":{"self":[{"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/posts\/237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/comments?post=237"}],"version-history":[{"count":3,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/posts\/237\/revisions"}],"predecessor-version":[{"id":819,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-j
son\/wp\/v2\/posts\/237\/revisions\/819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/media\/818"}],"wp:attachment":[{"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/media?parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/categories?post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cienciaytecnology.com\/wordpress\/wp-json\/wp\/v2\/tags?post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}