Friday, November 8, 2013

SQL Injection is not a cup of cake... (1)

What is SQL Injection:

I have gone through many SQL Injection tutorials before writing this post. One thing was common everywhere: the questions coming from the readers. Many people don't know what SQL Injection actually is. They think that they can easily get into the database and make some changes, or that they can simply inject some query and get the username and password of the administrator. Well, to some extent that idea is true, but it is not that easy.

So first we need to learn what SQL Injection is, or better, we should know what SQL is. SQL, the Structured Query Language, is the standard for accessing databases. Most web applications today use an SQL database to store persistent data for the application, so it is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data can be interpreted as instructions, and a remote user can run arbitrary instructions on the database. So, whenever we want to access data from an application, our request goes to the database in the form of SQL queries. Suppose, for example, that we want to look up a particular book in an online library; the application would build our request into a query like the following (shown here as string concatenation in the application code, with bookname holding whatever the user typed, e.g. SQLtutorial):

  "SELECT booktitle FROM my_library WHERE " + "bookname='" + bookname + "'";
So, in the above case the application takes the bookname from the user, searches for it in the TABLE named my_library and, if it matches, returns that particular title. It follows that if the name does not match, nothing should be returned, but in the actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let's re-examine the SQL query string.
  "SELECT booktitle FROM my_library WHERE " + "bookname='" + bookname + "'";
The code expects the bookname string to be data. However, an attacker can input any characters he or she pleases. Imagine that an attacker entered the bookname ' OR 1=1 -- ; then the query string would look like this:
  SELECT booktitle FROM my_library WHERE bookname='' OR 1=1 -- '
Note:- The double dash (--) tells the SQL parser that everything to the right of it is a comment, so the closing apostrophe the application appended is ignored.

The SELECT statement now behaves very differently, because it returns booktitle where the bookname is a zero-length string ('') or where 1=1; but 1=1 is always true! So this statement returns every booktitle from my_library. In this case, the attacker placed SQL instructions (' OR 1=1 --) in the bookname field instead of data.

Choosing Appropriate SQL Injection Code:

To inject SQL instructions successfully, the attacker must turn the developer's existing SQL instructions into a valid SQL statement. Generally, strings like these work:
  • ' OR 1=1 --
  • ') OR 1=1 --
Also, many web applications provide extensive error reporting and debugging information. For example, attempting ' OR 1=1 -- blindly in a web application often gives you an educational error message like this:

Error executing query: You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'SELECT (title, body) FROM blog_table WHERE cat='OR 1=1' at line 1

This particular error message shows the whole SQL statement. In this case, it appears that the SQL database was expecting an integer, not a string, so the injection string OR 1=1 --, without the preceding apostrophe, would work.
However, the attacker could inject other queries. For example, in a login query built the same way as the bookname lookup above, setting the username to this,
  ' OR 1=1; DROP TABLE user_table; --
would change this query to this,
  SELECT id FROM user_table WHERE username='' OR 1=1; DROP TABLE user_table; -- ' AND password = PASSWORD('x');
which is equivalent to this:
  SELECT id FROM user_table WHERE username='' OR 1=1; DROP TABLE user_table;
This will execute the syntactically correct SELECT statement and then erase user_table with the SQL DROP command.
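The following is an added example, not code from the original post: it puts the my_library lookup from the first part of this tutorial and the stacked DROP TABLE query just above into a runnable Python script using the standard-library sqlite3 module. The table columns, the three sample books and the single admin row are constructed here for the demonstration. The concatenated lookup reproduces the post's pattern; the parameterised lookup beside it is the fix, where the SQL text is fixed and the user's string is bound as a value.

```python
import sqlite3

# Constructed sample data (not from the original post): a small library
# catalogue and the user_table the post mentions, kept in memory only.
BOOKS = [
    ("SQLtutorial", "SQL Tutorial"),
    ("DBbasics", "Database Basics"),
    ("Crypto101", "Cryptography 101"),
]

# The stacked payload quoted in the post.
STACKED_PAYLOAD = "' OR 1=1; DROP TABLE user_table; --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the post's my_library and user_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_library (bookname TEXT, booktitle TEXT)")
    conn.executemany("INSERT INTO my_library VALUES (?, ?)", BOOKS)
    conn.execute("CREATE TABLE user_table (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_table VALUES (1, 'admin', 'x')")  # constructed row
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, bookname: str) -> list:
    """The post's pattern: the user's text is spliced into the SQL string,
    so quote characters and keywords in it become part of the query."""
    query = "SELECT booktitle FROM my_library WHERE " + "bookname='" + bookname + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, bookname: str) -> list:
    """Parameterised form: the SQL text never changes and bookname is bound
    as a value, so ' OR 1=1 -- is compared literally with the bookname column."""
    query = "SELECT booktitle FROM my_library WHERE bookname=?"
    return [row[0] for row in conn.execute(query, (bookname,))]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Consult the schema catalogue to confirm whether user_table survived."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def stacked_payload_outcome(conn: sqlite3.Connection) -> tuple:
    """Send the post's stacked DROP TABLE payload through the vulnerable lookup.
    Returns (driver_refused, table_still_exists). Python's sqlite3 execute()
    refuses a string that contains more than one statement, so here the DROP
    is never run. That is a property of this particular driver, not a defence:
    other drivers and databases do execute the second statement."""
    try:
        lookup_vulnerable(conn, STACKED_PAYLOAD)
        driver_refused = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # older Python versions raised sqlite3.Warning, newer ones ProgrammingError
        driver_refused = True
    return driver_refused, table_exists(conn, "user_table")


if __name__ == "__main__":
    conn = make_db()
    for payload in ("SQLtutorial", "' OR 1=1 --"):
        print(repr(payload), "vulnerable:", lookup_vulnerable(conn, payload),
              "safe:", lookup_safe(conn, payload))
    print("stacked payload via safe lookup:", lookup_safe(conn, STACKED_PAYLOAD),
          "user_table exists:", table_exists(conn, "user_table"))
    print("stacked payload via vulnerable lookup (refused, table exists):",
          stacked_payload_outcome(conn))
```

Run as a script it prints that the tautology string returns every title through the concatenated lookup and nothing through the parameterised one. The stacked payload is the caveat worth noticing: sqlite3's execute() happens to reject a second statement, so the table survives even in the vulnerable function, but whether stacked queries run is a detail of the driver and database in use. The parameterised lookup is what removes the problem, because the attacker's text can never change the structure of the statement.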

So, that's all for the first tutorial of SQL Injection, in upcoming tutorials we will see more types of SQL Injections and some more commands and tools to exploit this vulnerability, till then keep practicing. 

Disclaimer:- This post should be used only for the learning purposes and with the permission of the admin of the application.
