Geekstuff4all

SQL Injection in Detail – Hacking Technique



SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). SQL injection exploits a security vulnerability in an application's software, typically when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL injection is best known as an attack vector against websites, but it can be used to attack any type of SQL database.

SQL Injection Discovery Technique:

An attacker does not need to visit the web pages in a browser to find out whether SQL injection is possible on a site. Attackers generally build a web crawler to collect all URLs available on every page of the site. The crawler is also used to insert illegal characters into the query string of each URL and check for any error returned by the server. If the server responds with an error message, that is a strong indication that the special meta character was passed as part of the SQL query, and hence that the site is open to SQL injection. For example, Microsoft Internet Information Server by default shows an ODBC error message if a meta character or single quote is passed through to SQL Server; the crawler only has to search the response text for those ODBC messages.
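The probing described above leaves a trail in the web server's access log: requests whose query string carries a quote or a tautology, often followed by a 5xx response when the database choked on it. The following script is an added example (not code from the page or its author) that scans constructed sample log lines in the common "combined" format and flags such requests, rating a lone quote as low confidence unless the server errored on it. The log lines, IP addresses and user-agent strings are invented for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in the common "combined" access-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=5%27 HTTP/1.1" 500 612 "-" "crawler/1.0"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /checklogin.php?user=admin%27+or+%271%27%3D%271&pass=x HTTP/1.1" 200 2044 "-" "crawler/1.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=it%27s+fine HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# ip, request target and status code are all we need from each line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
QUOTE_RE = re.compile(r"""['"`]""")
# "... or 'x'='x" style tautology, with or without quotes and spaces (heuristic)
TAUTOLOGY_RE = re.compile(r"""\bor\b\s*['"]?\s*\w+\s*['"]?\s*=\s*['"]?\s*\w+""", re.IGNORECASE)
# comment markers and statement separators rarely appear in legitimate parameters
COMMENT_RE = re.compile(r"--|/\*|;")


def parse_line(line):
    """Split one access-log line into ip, target, status and the decoded query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    return rec


def classify(rec):
    """Return 'high', 'low' or None for one parsed request."""
    q = rec["query"]
    if TAUTOLOGY_RE.search(q) or COMMENT_RE.search(q):
        return "high"  # the payload shape itself is recognisable
    if QUOTE_RE.search(q):
        # A lone quote is ambiguous (it's, O'Brien) unless the server failed on it,
        # which is exactly the signal a probing crawler is looking for.
        return "high" if rec["status"] >= 500 else "low"
    return None


def flag_requests(log_text):
    """Return the flagged requests and a per-source count of high-severity hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            hits.append({"ip": rec["ip"], "target": rec["target"],
                         "status": rec["status"], "severity": severity})
    per_source = Counter(h["ip"] for h in hits if h["severity"] == "high")
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = flag_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:4} {h['ip']:14} {h['status']} {h['target']}")
    print("high-severity hits per source:", dict(per_source))
```

Two of the constructed lines come from the same source and both rate high, which is the pattern worth alerting on; the search for "it's fine" is the kind of legitimate quote that should stay at low confidence. The companion mitigation for the error-message indicator is to return a generic error page so that database error text never reaches the response in the first place.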

Example for SQL Injection in Web Applications

1. Consider this form, where we authenticate a user by username and password:

HTML Code for the form:




Output:


2. The username and password are sent to checklogin.php, where they are compared against the database using an SQL query.
3. Let us look at the structure of checklogin.php:

In this file, statements 2 and 3 connect to the MySQL server and select the database named test.
Statements 4 and 5 store the two form values sent by login.php in the variables $user and $pass.
Statement 6 is the SQL query that selects a complete row from the users table whose user and pass columns equal $user and $pass respectively.

Select * from users where user='$user' and pass='$pass';
mysql_query() returns true if the query executes successfully and null otherwise.
The users table in the test database looks like this:
How the login page works:


The login page seems to work properly, but it is vulnerable to attack.
The two variables $user and $pass in checklogin.php are the vulnerable components through which a hacker can attack your database.
If you enter the password ' or '1'='1 on most websites, there is a chance you can gain access.
How does this happen? Look at the query that is actually executed:
SELECT * FROM users WHERE user = 'admin' AND pass = '' or '1'='1'
Because '1'='1' is always true and OR binds more loosely than AND, the WHERE clause matches every row, so the query returns a result and the login succeeds.


Through this the hacker is able to enter any user's profile and access any data.
He can even destroy, modify, and create tables in the entire database.
Consider this password field: 'or'1'='1';DROP TABLE users
This input will delete the users table if it exists. He can even modify and delete records in the database.
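To see the login check above fail and the fix that closes it, here is an added example (not the page's PHP, and not code from its author) that rebuilds the same query in Python against an in-memory SQLite stand-in for the test database. The users rows are constructed sample data, and plaintext passwords are kept only to mirror the page's query; real applications compare password hashes. The vulnerable function pastes the form values into the SQL text exactly as checklogin.php does; the safe function hands them to the driver as bound parameters, so the SQL shape is fixed before any user data is seen.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the page's `test` database (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def build_vulnerable_query(user, password):
    """The page's query with the form values pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE user='{user}' AND pass='{password}'"


def login_vulnerable(conn, user, password):
    """Mirrors checklogin.php: if any row comes back, the login succeeds."""
    row = conn.execute(build_vulnerable_query(user, password)).fetchone()
    return row is not None


def login_safe(conn, user, password):
    """Parameterized form: the driver binds the values, so a quote in the input is
    just a character inside the compared string and can never change the query."""
    row = conn.execute(
        "SELECT * FROM users WHERE user=? AND pass=?", (user, password)
    ).fetchone()
    return row is not None


INJECTED_PASSWORD = "' or '1'='1"  # the page's payload, used here as constructed test input


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query("admin", INJECTED_PASSWORD))
    print("vulnerable login:", login_vulnerable(conn, "admin", INJECTED_PASSWORD))   # True
    print("safe login:      ", login_safe(conn, "admin", INJECTED_PASSWORD))         # False
    print("safe, real creds:", login_safe(conn, "admin", "s3cret"))                  # True
```

The vulnerable version also accepts the payload for a username that does not exist at all, since the tautology makes the WHERE clause true for every row. With the parameterized version the stacked DROP TABLE input from the text is equally harmless: the value is never parsed as SQL, so it can only ever be compared against the pass column.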