Basic SQL injection attack tutorial

SQL Injection ::
SQL (Structured Query Language) injection occurs when an attacker is able to insert SQL statements through web forms, e.g. login fields, or through the browser address field, so that the input changes the query sent to the database behind the site, system or application.


Requirement ::

A web browser

Potential locations to exploit ::

Login fields, search pages, feedback forms, the browser address field, etc. (any input that ends up inside a query).

Mode of Operation ::

Let's take the example of a login page ('form' page) where the user types a username and password for authentication.

The query string generated when a user logs in with a username and password is built by concatenating the typed values straight into the SQL text, something like this:

var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";


There are two things you need to know to understand the rest of the tutorial.
If you don't get them, don't worry, because an explanation is given at the end.

1. ' (a single quote) closes the username text field, i.e. it ends the string literal the application opened around the username.

2. '--' is the SQL convention for commenting code, and everything after the comment marker is ignored. Sometimes '#' is used instead of '--' (MySQL accepts both). The hash symbol (#) tells the database that everything following it on that line is a comment and should be ignored.

If the attacker specifies the following:

Username: '; drop table users--
Password:

..the 'users' table will be deleted, denying access to the application for all users (this only works where the database driver allows several statements in one call; many drivers, including Python's sqlite3 module, refuse stacked statements). The '--' character sequence is the 'single line comment' sequence as stated above, and the ';' character denotes the end of one query and the beginning of another. The '--' at the end of the username field is required so that the trailing "' and password = ''" part of the original query is commented out and the statement terminates without a syntax error.

The attacker could log on as any user, given that they know that user's name, using the following input:

Username: admin'--

The attacker could log in as the first user in the 'users' table, with the following input:

Username: ' or 1=1--


Explanation ::
Let's see how the query string looks when the attacker enters

Username: anything' or 1=1--
Password:

Something like this ::

"select * from users where username = 'anything' or 1=1--' and password = ''";


This query will ::
1. take the username field as anything
2. evaluate 1=1, which is always true, due to the OR 1=1 part of anything' or 1=1-- given as input, so every row in 'users' matches
3. ignore everything after the comment due to the '--' given at the end, so the password check never runs
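To make the query-construction step and the explanation above concrete, here is an added example (not code from the original post) that builds the same login query both ways: once by string concatenation, as the post's var sql line does, and once with bound parameters. It runs against an in-memory SQLite database with constructed sample users; the table name, column names and credentials are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post): two users with
# plaintext passwords, kept that way only to mirror the post's query.
# Real applications store password hashes, never plaintext.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory database with the post's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """String concatenation, the same pattern the post's var sql line uses."""
    return ("select username from users where username = '" + username
            + "' and password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Run the concatenated query; returns every username the query matched.

    With input such as anything' or 1=1-- the quote closes the string
    literal, OR 1=1 makes the WHERE clause true for every row, and the
    -- comment hides the rest of the query, so the password is never checked.
    """
    sql = build_vulnerable_sql(username, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the input is treated purely as
    data to compare against, never as SQL syntax, so quotes, OR and --
    inside it have no effect on the query structure."""
    sql = "select username from users where username = ? and password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "anything' or 1=1--"
    print(build_vulnerable_sql(payload, ""))
    print("vulnerable   :", login_vulnerable(db, payload, ""))
    print("parameterized:", login_parameterized(db, payload, ""))
```

Running it shows the concatenated query returning both users for the payload while the parameterized query returns nothing, which is the whole mitigation: keep user input out of the SQL text by always binding it as a parameter.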
