SQL Injection Tutorial.
.
.
.
.
.data is one of the most vital components of information systems. Database powered web applications are used by the organization to get data from customers. SQLis the acronym for Structured Query Language. It is used to retrieve and manipulate data in the database.
What is a SQL Injection?
SQL Injection is an attack that poisons dynamic SQLstatements to comment out certain parts of the statement or appending a condition that will always be true. It takes advantage of the design flaws in poorly designed web applications to exploit SQLstatements to execute malicious SQLcode.
In this tutorial, you will learn SQLInjection techniques and how you can protect web applications from such attacks.
- How SQL Injection Works
- Hacking Activity: SQL Inject a Web Application
- Other SQL Injection attack types
- Automation Tools for SQL Injection
- How to Prevent against SQL Injection Attacks
- Hacking Activity: Use Havji for SQL Injection
How SQL Injection Works
The types of attacks that can be performed using SQL injection vary depending on the type of database engine.
.
.
.
.
.
.
The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters password from a web form or URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
HERE,
- The above form accepts the email address, and password then submits them to a PHPfile named index.php.
-It has an option of storing the login session in a cookie. We have deduced this from the remember_me checkbox. It uses the post method to submit data. This means the values are not displayed in the URL.
Let’s suppose the statement at the backend for checking user ID is as follows
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
HERE,
*.The above statement uses the values of the $_POST[] array directly without sanitizing them.
*.The password is encrypted using MD5 algorithm.
We will illustrate SQL injection attack using sqlfiddle. Open the URL http://sqlfiddle.com/in your web browser. You will get the following window.
Note: you will have to write the SQL statements
Step 1)Enter this code in left pane
CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`email` VARCHAR(45) NULL,
`password` VARCHAR(45) NULL,
PRIMARY KEY (`id`));
insert into users (email,password) values (' m@m.com',md5('abc'));
Step 2)Enter this code in right pane
select * from users;
Step 3)Click Build Schema
Step 4)Click Run SQL. You will see the following result
Suppose user supplies admin@admin.sysand1234as the password. The statement to be executed against the database would be
SELECT * FROM users WHERE email = ' admin@admin.sys' AND password = md5('1234');
The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.
xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]
xxx for the password.
The generated dynamic statement will be as follows.
SELECT * FROM users WHERE email = ' xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');
HERE,
*. xxx@xxx.xxxends with a single quote which completes the string quote
*.OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
*.-- ' AND … is a SQL comment that eliminates the password part.
Copy the above SQL statement and paste it in SQL FiddleRun SQL Text box......read part 2
.
.
.
.
.data is one of the most vital components of information systems. Database powered web applications are used by the organization to get data from customers. SQLis the acronym for Structured Query Language. It is used to retrieve and manipulate data in the database.
What is a SQL Injection?
SQL Injection is an attack that poisons dynamic SQLstatements to comment out certain parts of the statement or appending a condition that will always be true. It takes advantage of the design flaws in poorly designed web applications to exploit SQLstatements to execute malicious SQLcode.
In this tutorial, you will learn SQLInjection techniques and how you can protect web applications from such attacks.
- How SQL Injection Works
- Hacking Activity: SQL Inject a Web Application
- Other SQL Injection attack types
- Automation Tools for SQL Injection
- How to Prevent against SQL Injection Attacks
- Hacking Activity: Use Havji for SQL Injection
How SQL Injection Works
The types of attacks that can be performed using SQL injection vary depending on the type of database engine.
.
.
.
.
.
.
The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters password from a web form or URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
HERE,
- The above form accepts the email address, and password then submits them to a PHPfile named index.php.
-It has an option of storing the login session in a cookie. We have deduced this from the remember_me checkbox. It uses the post method to submit data. This means the values are not displayed in the URL.
Let’s suppose the statement at the backend for checking user ID is as follows
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
HERE,
*.The above statement uses the values of the $_POST[] array directly without sanitizing them.
*.The password is encrypted using MD5 algorithm.
We will illustrate SQL injection attack using sqlfiddle. Open the URL http://sqlfiddle.com/in your web browser. You will get the following window.
Note: you will have to write the SQL statements
Step 1)Enter this code in left pane
CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`email` VARCHAR(45) NULL,
`password` VARCHAR(45) NULL,
PRIMARY KEY (`id`));
insert into users (email,password) values (' m@m.com',md5('abc'));
Step 2)Enter this code in right pane
select * from users;
Step 3)Click Build Schema
Step 4)Click Run SQL. You will see the following result
Suppose user supplies admin@admin.sysand1234as the password. The statement to be executed against the database would be
SELECT * FROM users WHERE email = ' admin@admin.sys' AND password = md5('1234');
The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.
xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]
xxx for the password.
The generated dynamic statement will be as follows.
SELECT * FROM users WHERE email = ' xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');
HERE,
*. xxx@xxx.xxxends with a single quote which completes the string quote
*.OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
*.-- ' AND … is a SQL comment that eliminates the password part.
Copy the above SQL statement and paste it in SQL FiddleRun SQL Text box......read part 2