1- What is SQL Injection?
SQL injection is a technique that exploits a flaw in a website or program in order to change the SQL query being made into one of the attacker's choice, thereby allowing compromise of the website, the SQL server and possibly even the entire network.
I strongly suggest that you have at least a basic knowledge of SQL before you start studying SQL injection.
Example:
Evil Input:
' OR password ='admin
Original Server Side SQL request:
Select user From tableuser Where id = '%request%'
SQL Request sent to SQL Server:
Select user From tableuser Where id='' OR password ='admin'
What will happen is that the id = '' condition matches no row, so the OR clause decides the result: the SQL server returns every user whose password is "admin" and the page displays it to the attacker.
2- FAQ and Myths about SQL Injection
1- What can a hacker do after he finds an SQL injection flaw?
A: Tons of things: log in without a username/password, download the database to his computer, retrieve emails, usernames and passwords from the database, run code on the server, create admin accounts, delete the database, ...
2- I use xxx SQL server, can I be affected or not?
A: Yes, of course. SQL injection flaws are not caused by the SQL server itself but by the web page code that builds the query.
3- I filter " , ; and ' so is there any way that a hacker can still find an SQL injection flaw?
A: Yes. A value used in a numeric context (for example WHERE id = 1) is not wrapped in quotes at all, so an input such as 1 OR 1=1 needs none of the characters you filter and goes straight into the query.
4- What would be the best way to prevent possible SQL injection flaws in my website?
A: Use parameterized queries (prepared statements) wherever your database API offers them, so that user input is bound as a value and never becomes part of the SQL text. When you really must build the query string by hand, escape every string with mysql_real_escape_string().
For numeric values, verify that the variables passed by the user are really numeric and positive before they reach the query; a numeric value is not quoted, so escaping alone does nothing for it.
If you want you can also write your own filter that encodes ',",<,>,*,/,-,#,( and ), but treat it as an extra layer only: a character blacklist is not a substitute for the two measures above.
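The example from section 1 and the answers to questions 3 and 4 above, as an added example that is not code from the original post. The post's snippets are PHP; this uses Python with an in-memory SQLite database so that the vulnerable queries actually execute and the fix can be checked against them. The table, its rows and the "admin'--" login case (which the comments below walk through) are constructed for this demo; SQLite, like MSSQL, treats -- as a line comment.

```python
import sqlite3

# Added example, not code from the original post. The table "tableuser" and its
# columns come from the post; the rows below are constructed for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableuser (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tableuser VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "s3cret")],
    )
    return conn


def blacklist_filter(value):
    """The filter from FAQ question 3: strip the characters " , ; and ' ."""
    return "".join(ch for ch in value if ch not in "\",;'")


def lookup_vulnerable(conn, request):
    """The post's original query, built by string concatenation (the flaw)."""
    query = "SELECT user FROM tableuser WHERE id = '" + request + "'"
    return [row[0] for row in conn.execute(query)]


def login_vulnerable(conn, user, password):
    """A login check built the same way; the target of the admin'-- trick."""
    query = ("SELECT user FROM tableuser WHERE user = '" + user
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def lookup_numeric_vulnerable(conn, request):
    """Numeric column, so the value is not quoted: the blacklist passes the payload through."""
    query = "SELECT user FROM tableuser WHERE id = " + blacklist_filter(request)
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, request):
    """Parameterized query: the value is bound, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT user FROM tableuser WHERE id = ?", (request,))]


def lookup_numeric_safe(conn, request):
    """The post's advice for numeric values: accept only digits, then bind the integer."""
    if not request.isdigit():
        raise ValueError("id must be a positive integer")
    return [row[0] for row in conn.execute(
        "SELECT user FROM tableuser WHERE id = ?", (int(request),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR password ='admin"))   # ['admin']
    print(login_vulnerable(db, "admin'--", "wrong"))         # ['admin']
    print(lookup_numeric_vulnerable(db, "1 OR 1=1"))         # ['admin', 'alice']
    print(lookup_safe(db, "' OR password ='admin"))          # []
    print(lookup_numeric_safe(db, "2"))                      # ['alice']
```

Run the file directly to see each result. The parameterized lookup returns nothing for the quote-based payload because the whole string is bound as the id value, and the digit check stops the unquoted payload before it reaches the query, which is exactly the case the " , ; ' blacklist misses.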
In this part I explained what SQL injection is and answered some questions about it. In the following part I'll give you a list of useful SQL injection vectors that you can use to test a website.
If you have any question about SQL injection, post a comment with it.
Last updated 24 August 2007 11:52 GMT
Friday, March 9, 2007
SQL Injection- Part 1
17 comments:
Well, I have read about SQL injection on many sites and what I am not clear about is how one can inject the SQL code without knowing the password of the DB server or web server. Can you please clear this up?
Normally the SQL query is something like this (the code below is only theoretical and based on PHP):
$hostname = "test";
$dbpass = "test";
// The query is built by concatenating raw user input (PHP concatenates with .)
$query = "SELECT user FROM userstable WHERE password='" . $_GET["pass"] . "'";
// sql_connect() is a placeholder for whatever function sends the query to the server
$result = sql_connect($query, $hostname, $dbpass);
echo($result);
SQL injection consists in changing the value of $_GET["pass"] so that the attacker can change $query to do what he wants.
Example:
$query = "SELECT user FROM userstable WHERE password='" . $_GET["pass"] . "'";
Variable $_GET["pass"] = 1' OR ''='
Query which is sent to the SQL server = SELECT user FROM userstable WHERE password='1' OR ''=''
As you can see, the attacker managed to change the query to let him see the username without needing the password.
Hope I helped. :)
Oh man, good explanation, but can you show me step by step, for the very basics of SQL injection, please?
I'll try to explain SQL injection and how to find/exploit it as best and as simply as I can.
Let's assume:
- that the site we will be targeting is http://www.site.com/login.php.
- In login.php we have two textboxes (user and pass) and a button; after we fill in the textboxes we hit the button and
then an HTTP GET request is sent to login.php with the values that we entered into the textboxes (ex: www.site.com/login.php?user=OURUSER&pass=OURPASS)
- We as attackers are trying to find an SQL injection flaw in the page.
First:
Let's start by seeing if the SQL server sends us some errors.
Code:
http://www.site.com/login.php?user='a&pass='a
Results:
After clicking the above URL we receive an error page, more or less like this:
Microsoft OLE DB Provider for SQL Server error '#######'
Error on query SELECT id FROM tblUsers WHERE username = ''a' AND password =''a'
/login.php, line 31
Second:
Now that you have an error page you can retrieve very important information from it.
SQL SERVER = Microsoft OLE DB Provider
Complete or partial SQL query: SELECT * FROM tblUsers where username = ''a'
By knowing that the SQL server belongs to Microsoft you know that the comment character is --.
Third:
Now that we know that the site is vulnerable and that we have the original SQL query, we can think of an input that changes the query to do our bidding.
One good query would be:
SELECT * FROM tblUsers WHERE username = 'admin'--AND password='a'
The above query would result in logging in as admin without needing the password (see where the -- is)
Fourth:
Now we change the HTTP GET request to include our malicious code (admin'--).
http://www.site.com/login.php?user=admin'--&pass=a
Now we click the URL and voila, logged in as admin.
___________________________________
Extra notes: The best way to learn and develop your SQL injection knowledge is reading whitepapers and searching and testing sites.
It would also be good if you increase your knowledge of PHP/ASP bugs and general SQL.
One very good place to learn/discuss SQL injection is Sla.ckers.org. http://sla.ckers.org/forum/list.php?16
Very nice explanation, sir.
But how will we come to know what the name of the table is? And where will we embed our SQL query? In the login and pass fields?
You'll have to guess/brute-force the names of the tables.
You should put your SQL query almost everywhere; just think where data is being returned from an SQL server and test it. Pass and user fields are always good places to test, but they tend to be more protected than other places.
Thanks for your quick reply, sir, but I still have a question.
How can we guess the name of the table? It could be any name like "dfjeisv4w", so it is not an easy task to guess the names of tables, and the same problem arises with the names of the columns.
Can I protect my site by using table names and column names like "cfdjid597ds"?
I want to try these techniques on my own website for security purposes.
But I don't know where I should start and where to put my SQL query.
Should it be in the query string?
Suppose an example...
I have two PHP pages on my server
for taking values from users about themselves (FirstName, LastName, Address, PhoneNo).
These are the columns, and the table name is (Table1). Once the user inserts data into the required fields on "http://mysite.com/form.php", the action of this page is "member.php"; if the data inserted by the user in the required fields of form.php is valid,
then the "member.php" page returns "Successfully Saved Your Record In The Database".
So how can this page be injected? Where should the SQL query be added? In the form fields? Or where?
Most of the time the names of the tables and columns are easy to guess because they are similar to tbluser, user, users, accounts, pass, tblpass, id, ...
It'd be a good idea to use such strange names on tables/columns; however, they're very impractical and can/will cause lots of programming mistakes on bigger projects.
In your example the fields from "http://mysite.com/form.php" are the ones that can be used to do SQL injection, because those are the fields that are going to be used to construct the SQL query that is going to be sent to the SQL server.
If the values of form.php aren't properly validated, you/a hacker can insert a new SQL query into the old one by passing it through the form fields.
Example:
Default query:
INSERT INTO tbl_info
VALUES ('&USERINPUT&')
User input = ' + (SELECT password FROM tblUsers Where user = 'Admin') + '
Result: INSERT INTO tbl_info
VALUES ('' + (SELECT password FROM tblUsers Where user = 'Admin') + '');
The default query is the SQL query which is "premade" in the PHP, the user input is an evil SQL query and the result is the actual query that is sent to the SQL server, which as you can see will create a row in tbl_info containing the password of the admin.
As I said in my last post, think where an SQL query might be being made (login, new accounts, search, ...) and then try to get an error/unexpected behaviour (if you want, see part 2 for more info).
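The INSERT case from the reply above, as an added example that is not the commenter's code, again in Python with an in-memory SQLite database. The tables, the row in tblUsers and the stored password are constructed for the demo; SQLite concatenates strings with || where the MSSQL form in the comment uses +, so the payload is adjusted accordingly.

```python
import sqlite3

# Added example, not the commenter's code. The tables, rows and the stored
# password are constructed for this demo; SQLite concatenates with || where
# the comment's MSSQL example uses +.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (user TEXT, password TEXT)")
    conn.execute("CREATE TABLE tbl_info (note TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('Admin', 'hunter2')")
    return conn


# The same payload as in the comment, with SQLite's || in place of MSSQL's +.
PAYLOAD = "' || (SELECT password FROM tblUsers WHERE user = 'Admin') || '"


def save_note_vulnerable(conn, userinput):
    """member.php-style insert built by string concatenation (the flaw)."""
    query = "INSERT INTO tbl_info VALUES ('" + userinput + "')"
    conn.execute(query)
    conn.commit()
    return query  # returned so the caller can see the SQL that actually ran


def save_note_safe(conn, userinput):
    """Parameterized insert: the payload is stored as a literal string."""
    conn.execute("INSERT INTO tbl_info VALUES (?)", (userinput,))
    conn.commit()


def stored_notes(conn):
    """What the application later displays back from tbl_info."""
    return [row[0] for row in conn.execute("SELECT note FROM tbl_info")]


if __name__ == "__main__":
    db = make_db()
    print(save_note_vulnerable(db, PAYLOAD))
    print(stored_notes(db))   # ['hunter2']: the admin password landed in tbl_info
    db = make_db()
    save_note_safe(db, PAYLOAD)
    print(stored_notes(db))   # the payload text itself, no subquery executed
```

What makes this dangerous is that tbl_info is written with the attacker's input and later displayed somewhere (here, stored_notes()), so an injection point that can only write still leaks data out of another table. The parameterized insert stores the payload as plain text and the subquery never runs.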
First of all, thanks for your quick reply.
And sorry for irritating you again and again, but I found you the only one solving my problem.
If I'm irritating you, be frank and let me know.
My question arises again after reading all these posts again and again. I just want to see how it works with my naked eyes, because in the near future I am going to develop some websites; that's why I'm giving security first priority.
Example needed from you:
Can you give me an example of two PHP pages? The first page should show 2 or 3 fields and the second page should process the data entered in the fields. I will upload those pages to my server and then you tell me how I can inject those pages,
with a step-by-step example.
One more question:
If I filter all these SQL statements before processing the SQL query on my server, can I protect my site from SQL injection this way?
Thanks
Feel free to ask anything you want, I'm here to help.
I'm still coding the PHP examples you asked for but I guess it won't take long.
About the other question:
You should escape all the string variables with mysql_real_escape_string() http://www.php.net/mysql_real_escape_string
And you should also verify that all the numeric variables are really numeric and not strings.
I have seen it with my naked eyes on another site I googled for that,
and I was in the admin panel. But how can I deal with those errors I see on some pages? Actually I want to deal with the database of the site by manipulating SQL of my own in the error pages. Suggest how I can start with error pages.
SQL errors are very useful because most of the time they give you part of the SQL query, the SQL server (MSSQL, MySQL, Oracle, ...) and a specific error.
Knowing this info, you can reduce your "SQL injection vectors list".
Example: If the SQL server is MSSQL, I can't escape using //, /*, #, only with --.
If the variable is located between two quotes, I'll need to escape out of the quotes.
And so on...
If you think it's easier for you, create some sort of txt file with sentences like the ones above, based on the error page you're trying to exploit.
I'm currently creating a test plan for security testing. Do you have a sample of a test plan for all possible vulnerability risks?
Thanks
Can you tell me if the site below is secured against SQL injection or not?
http://www.elitmus.com
@ archie:
Sorry, but I don't have any test plan sample handy that I can show you.
@anonymous:
Yesterday I gave a quick look at the site and I managed to trigger some errors which may indicate a possible entry point for SQL injection.
One example is http://www.elitmus.com/hireme/candidate?option=CandidateNewRegister'
Thanks for all the info, but I don't even know where to start the injection. Where exactly am I supposed to put it? In the URL?
Basically, I'm trying to log in to the admin account on my invisionfree site to test this vulnerability. Where do I start?
First of all, sorry for the late response.
What you're looking for are variables that are used to build the DB query.
Example:
http://site.com/do_something_in_the_DB.php?this_variable_is_used_to_build_a_DB_Query=John&this_one_is_not=something
Of course the variables won't have such names, so you have to try to guess the inner workings of the PHP.
As you said that you're testing an admin page, I think that the variables you should focus on are the one with the username and the other with the password,
because they'll be used to build the query that verifies whether the username/password are correct.
Yes, you're supposed to put the SQL injection in the URL.
variable_that_is_used_in_the_db=' OR ''='
(For example)
Hope you understand; if you still have any doubt feel free to post and I'll do my best.
PS: Depending on the version, Invision won't have an SQL injection issue. However, it is always a good option to start.