Sunday, January 2, 2011

SQL INJECTION

  • What is SQL Injection?
A SQL injection or SQLI attack consists of injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

A web application is vulnerable to an SQL injection attack if an attacker is able to insert SQL statements into an existing SQL query of the application. This is usually achieved by injecting malicious input into user fields that are used to compose the query.

  • SQLI Example:
Consider a web application that uses a query shown in Step 1 for authenticating its users.

SQL Injection Step 1:

SELECT * FROM Users WHERE User = 'john' AND Password = 'doe'

This query retrieves the ID and LastLogin fields of user john with password doe from table Users. In this example, a login page prompts the user to enter her username and password into a form. When the form is submitted, its fields are used to construct an SQL query shown in Step 2 that authenticates the user.

SQL Injection Step 2:

sqlQuery = "SELECT * FROM Users WHERE User = '$username' AND Password = '$password'"

If the login application does not perform correct input validation of the form fields, the attacker can inject strings into the query that alter its semantics. For example, consider an attacker entering user credentials such as the ones shown in Step 3.

SQL Injection Step 3:

User: ' OR 1=1 --
Password: anything

Using the provided form data, the vulnerable web application constructs a dynamic SQL query for authenticating the user as shown in Step 4.

SQL Injection Step 4:

SELECT * FROM Users WHERE User = '' OR 1=1 -- ' AND Password = 'anything'

The "--" command indicates a comment in Transact-SQL. Hence, everything after the first "--" is ignored by the SQL database engine. With the help of the first quote in the input string, the user name string is closed, while the '' OR 1=1 adds a clause to the query which evaluates to true for every row in the table. When executing this query, the database returns all user rows, which applications often interpret as a valid login.


  • SQLI Helper:
SQLI Helper is handy software to hack website by injecting SQL query to the database.

Download SQLI Helper from here.

  • Protection:
1. Web application developers need to consider malicious input data and sanitize it properly before using it to construct dynamically generated SQL queries.

2. A straight-forward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string(); before sending the SQL query:

$query = sprintf("SELECT * FROM 'Users' WHERE UserName='%s' AND Password='%s'",
mysql_real_escape_string($username),
mysql_real_escape_string($password));
mysql_query($query);

3. Another way of helping developers is to implement user data encoding within the web server application environment. For example, Microsoft implemented such security checks in their .NET framework.


Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...
Posted by Rajat Das at 12:18 AM

14 comments:

  1. AnonymousJanuary 30, 2012 at 11:58 AM

    Thanks :) how do people like this stop themselves from being caught?

    ReplyDelete
  2. Rajat DasJanuary 31, 2012 at 7:33 AM

    I'm sorry... This tutorial is meant only for the security purpose... U can use this at your own risk !!!

    ReplyDelete
  3. AnonymousSeptember 26, 2014 at 5:59 AM

    i could not understand

    ReplyDelete
  4. Rajat DasNovember 20, 2014 at 5:55 AM

    which part?

    ReplyDelete
  5. UnknownFebruary 7, 2015 at 10:09 PM

    virus full

    ReplyDelete
  6. UnknownFebruary 11, 2015 at 9:32 AM

    hy can it be done to FB acount cuz i wnt 2 hack my FB fake account plz help brothr???? :'(

    ReplyDelete
  7. UnknownFebruary 11, 2015 at 9:33 AM

    hy can it be done to FB acount cuz i wnt 2 hack my FB fake account plz help brothr???? :'(

    ReplyDelete
  8. UnknownFebruary 11, 2015 at 9:34 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  9. Kavin cookSeptember 10, 2017 at 11:01 PM

    The ethical hacking salary within most companies is comfortably high (relatively speaking) and rightfully so because as aforementioned, they are saving the company a lot of money, and require specialist skills. BluePortal.org

    ReplyDelete
  10. StarJune 6, 2018 at 5:15 AM

    This blog has a positive and eager result.
    Chris

    ReplyDelete
  11. M. TahaMay 28, 2020 at 2:13 AM

    I have read your article, it is very informative and helpful for me.I admire the valuable information you offer in your articles. Thanks for posting it.. co injection molding

    ReplyDelete
  12. BestJune 2, 2020 at 5:23 AM

    Awesome and interesting article. Great things you've always shared with us. Thanks. Just continue composing this kind of post. Cracking

    ReplyDelete

If you like this post, comment please...

Subscribe to: Post Comments (Atom)