What is SQL Injection?
SQL injection is a technique that exploits a vulnerability in the way an application builds the queries it sends to its database. The vulnerability is present when user input is concatenated into an SQL statement without the string-literal delimiters (quotes) in it being correctly escaped, or when input that should be strongly typed (a number, say) is passed through as text and therefore ends up being executed as part of the statement. Web pages that accept parameters from the user and turn them into SQL queries are the targets.
For example, a login page with username and password fields fires an SQL query at the database to check whether the user entered a valid name and password. With SQL injection it is possible to send a crafted username and/or password that changes that query and makes the database grant us something else.
What is Required?
1) Any web browser
2) Some basic SQL (Structured Query Language) queries such as SELECT, INSERT, UPDATE and DELETE, along with their syntax.
What should you look for?
Look for pages that let you submit data: login pages, search pages, feedback forms, etc. Sometimes an HTML page uses the POST method to send its parameters to another ASP/ASPX page, so you will not see the parameters in the URL. You can still view the HTML source of the page and look for the FORM tag. You may find something like this:
<FORM action=login.aspx method=post>
<input type=hidden name=user value=xyz>
</FORM>
Everything between the <FORM> and </FORM> tags is a potential parameter that might be useful, including hidden fields.
Alternatively, look for dynamically generated pages (ASP, ASPX, JSP, CGI or PHP), and especially for URLs that take parameters in the query string.
Is it Vulnerable?
Start with the single quote trick. Input something like:
hi' or 1=1--
into the login field, the password field, or even the URL. Example:
Login: hi' or 1=1--
Pass: hi' or 1=1--
http://example.com/login.asp?id=hi' or 1=1--
You can do the same with a hidden field: view the page's HTML source, save it to your hard disk, then edit the form's action URL and the hidden field's value accordingly.
Example:
<FORM action=http://example.com/login.asp method=post>
<input type=hidden name=abc value="hi' or 1=1--">
</FORM>
If luck is on your side, you will be logged in without a valid login name or password.
But why ' or 1=1-- ?
Take an ASP page that links you to another page through a URL whose query string carries a parameter, say category=sports. Here 'category' is the variable name and 'sports' is its value.
This request fires the following query on the database in the background:
SELECT * FROM search WHERE category='sports'
where 'search' is the name of a table that already exists in the database.
So this query returns every row of the table 'search' whose category is 'sports'.
Now assume that we change the value of 'category' in the URL to sports' or 1=1-- (note the single quote after sports). The variable 'category' now equals "sports' or 1=1-- ", which fires an SQL query on the database like this:
SELECT * FROM search WHERE category='sports' or 1=1--'
The query now selects everything from the 'search' table whether or not category equals 'sports', because the condition 1=1 is always true.
A double dash "--" tells Microsoft SQL Server to ignore the rest of the line, which gets rid of the trailing single quote (') that the original query appends.
On some other databases (MySQL, for instance) it may be possible to replace the double dash with a hash "#", which is that dialect's comment marker.
However, if the backend is not SQL Server, or you simply cannot comment out the rest of the query, you may also try
' or 'a'='a
It should return the same result: 'a'='a' is always true, and the trailing quote the application appends now closes the last 'a, so the statement stays syntactically valid without any comment marker.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='
Countermeasures?
The real fix is to stop building SQL by string concatenation. Use parameterized queries (prepared statements) so that the SQL text is fixed and every user-supplied value is bound as data; a quote or a double dash inside the value then never reaches the SQL parser as syntax. Apply this to every value that ends up in a query:
* Input from users (form fields, including hidden ones)
* Parameters from the URL
* Values from cookies and other request headers
Filtering out characters like ' " - / \ ; and NULL is only a secondary defence: it is easy to get wrong, it breaks legitimate input such as names containing an apostrophe, and it does nothing for numeric parameters, which need no quote at all to be injected. Also run the application with a database account that has the least privilege it needs, so that a successful injection cannot read or modify more than that page legitimately can.
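As an added example (it is not part of the original post), here is the login query discussed above built both ways: by string concatenation, as the post describes, and with bound parameters, as the countermeasure recommends. It runs against an in-memory SQLite database; the table name, column names and the two accounts are constructed for the demo. It also covers the dialect caveat from the section on the double dash: the "#" comment marker works on MySQL, but SQLite rejects it, so the probe reports the database error instead of matched rows.

```python
import sqlite3


def make_db():
    """Constructed demo database: an in-memory SQLite table standing in for
    the application's user table (names and accounts are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The query the post describes, built by string concatenation.

    Quotes and comment markers in the input become SQL syntax, so
    hi' or 1=1-- turns the WHERE clause into one that is always true.
    Returns the sorted list of usernames the query matched.
    """
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the SQL text is constant and the
    values travel separately, so a quote in the input is only data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def probe(conn, payload):
    """Username-only probe, as the post suggests for a first test.

    Returns the usernames matched, or the database error text when the
    payload is not valid syntax for this dialect (for example, '#' is a
    MySQL comment marker and SQLite does not accept it).
    """
    try:
        return login_vulnerable(conn, payload, "x")
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"),
                     ("hi' or 1=1--", "hi' or 1=1--"),
                     ("' or 'a'='a", "' or 'a'='a")]:
        print(repr(user), "vulnerable ->", login_vulnerable(db, user, pw),
              "| parameterized ->", login_parameterized(db, user, pw))
    print("probe with '#' on SQLite:", probe(db, "' or 1=1#"))
```

With the payloads from the list above, the concatenated query returns every account while the parameterized query returns none, because the injected text is compared as a literal username. The probe shows why a syntax error is still useful information: it tells you the input reached the SQL parser unescaped, even though this particular comment marker did not work on this backend.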