SQL Injection : How It Works
Introduction
Let's start at an apparently unrelated point. Assume we create a table in a SQL database. There are three main things you do with a database management system through SQL. They are -
- Creating the structure of a table
- Entering data
- Making queries (and getting meaningful results from the data)
So, when SQL is used to display data on a web page, it is common to let web users build
their own queries. For example, if you go to a shopping website to buy a smartphone, you
might want to specify what kind of smartphone you want. The site would probably be storing
data about phones in a table with columns like Name, Price, Company, Screen Size, OS, etc.
What they do is let you create a query using some sort of user-friendly
drop-down based form which lets you select your budget, preferred company, etc. So
basically, you, the user, can create queries and request data from their SQL servers without
typing any code.
This automated method of creating queries for you is relatively safe (it doesn't give you
a lot of flexibility in terms of what queries you can create; you are limited to the query
shapes the developers decided on). However, there is another method of building queries, pasting
the user's input straight into the query text, which can be exploited by us.
A URL ending in .php (especially one carrying a parameter, like page.php?id=5) is a good hint that the
site builds its pages with server-side code that pulls its data from a SQL database, and that the values
in the URL end up inside the queries it runs. Usually the data in the
SQL tables is protected and can be viewed directly only by certain people (admins etc.).
However, if the server pastes our URL parameter straight into its query and we send something
the database cannot parse, it doesn't know what to do and returns an error.
That error is a clear indication that, with carefully crafted URLs, we can change the query the
database runs and make it return the otherwise private data
of its tables. This attack can be used to obtain confidential data like the list of usernames and
passwords of all users on a website.
Steps
1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability
has 2 criteria. Firstly, a value from the URL has to end up inside a query, and secondly, the site should
show an error for some kind of input or the other. A database error message is a strong indication of a SQL injection
vulnerability (a site that hides its errors can still be vulnerable, it is just harder to test by hand).
2. After we know that a site is vulnerable, we need to execute a few queries to find out what
makes it act in an unexpected manner. Then we should obtain information about the SQL
version, the number of tables in the database and the columns in those tables.
- Vulnerable sites are found using your own creativity along with well-known dorks (search-engine queries that turn up pages with parameters in the URL).
- Manually, using some standard payloads available online (and if you know SQL then you can
figure most of the stuff out yourself). For example, you can make the database give you
all the data from a table by turning its query into this -
SELECT * FROM Users WHERE UserId = 105 or 1=1
Now, while the first part of the condition, UserId = 105, is true for only one user, the condition
1=1 is always true. The query asks the table to return all details of users for whom either UserId = 105 or 1=1 holds, and since 1 is always equal to 1, irrespective of the UserId and
all other factors, that is every row. If the page displays what the query returns, you effectively have the usernames, passwords and all other information about all the users of the website.
- Using a tool. Some tools make the process easier. You still have to use
commands, but using tools is much more practical once you have an idea of what is actually
happening. I don't recommend the GUI Windows tools found on malware-filled
websites, which never work. Throughout this blog we have used Kali Linux, and
if you really are serious about hacking, there is no reason not to have Kali Linux installed.
Kali Linux ships a great tool called sqlmap that we'll be using.
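The two ideas above, probing with input the database cannot parse (step 1) and appending `or 1=1` to a numeric parameter, as an added example that is not part of the original tutorial. Python's built-in sqlite3 module stands in for the PHP and MySQL setup the post describes; the Users rows, the column names and the function names are all constructed for this demo.

```python
import sqlite3

# Constructed sample rows (not from the tutorial): a Users table with an id column.
USERS = [
    (104, "alice", "s3cret"),
    (105, "bob", "hunter2"),
    (106, "carol", "letmein"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """What a page like profile.php?id=105 does when it pastes the raw URL
    parameter into the query text. 'user_id' is the string taken from the URL."""
    sql = "SELECT UserId, Username, Password FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def probe_for_error(conn, user_id):
    """Step 1 of the tutorial: send input the database cannot parse (a stray quote)
    and see whether it errors. Returns the error text, or None if the query ran."""
    try:
        lookup_vulnerable(conn, user_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_safe(conn, user_id):
    """The fix: validate the parameter, then bind it. A bound value is data,
    never SQL, so '105 or 1=1' can no longer change the WHERE clause."""
    if not user_id.isdigit():
        return []
    sql = "SELECT UserId, Username, Password FROM Users WHERE UserId = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal   :", lookup_vulnerable(db, "105"))
    print("injected :", lookup_vulnerable(db, "105 or 1=1"))
    print("probe    :", probe_for_error(db, "105'"))
    print("safe     :", lookup_safe(db, "105 or 1=1"))
```

Run it and compare the four lines: the stray quote produces the syntax error that step 1 looks for, the `or 1=1` input dumps every row, and the parameterised version returns nothing for the same input because the value is never interpreted as SQL.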
Quick cool example
Now suppose you develop a web app. Here are the credentials for login-
Username : abcd
Password : xyz
Now, for login, you have the following condition:
if ("abcd" == Username and "xyz" == Password)
LoginSuccessful
else
LoginFailed
Now if someone enters a username which is different from abcd or a password which is different
from xyz, he won't be able to log in. Seems fine.
But wait, if a person enters the username as "pqr" or 1==1 and the password as "wxy" or 1==1, your
code would check the credentials in the following way -
("abcd"=="pqr" or 1==1) and ("xyz" == "wxy" or 1==1)
Let's translate that into boolean. 1==1 is obviously true, abcd==pqr is not true, nor is xyz==wxy.
So, we get,
(false or true) and (false or true)
which becomes
true and true
which becomes
true
So, the person logged into your web app without knowing the username or password.
PS: The example here grossly simplifies a lot of things, but taking care of all the details would
make this more complicated than it has to be for a first tutorial on SQL injection
(coming tutorials are more syntactically correct).
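The login bypass above in real SQL rather than pseudocode, as an added example that is not part of the original post. The check is the string-concatenated `WHERE Username = '...' AND Password = '...'` query that the `or 1==1` trick targets; Python's sqlite3 stands in for the site's database, the abcd/xyz account comes from the text and the second account, the function names and the query text are constructed for the demo. It goes one step beyond the text by also showing the `--` comment variant, which picks a specific account instead of all of them, and the parameterised query that defeats both.

```python
import sqlite3

# Constructed accounts (only abcd/xyz is from the tutorial). Passwords are stored
# in plain text purely to keep the demo short; real applications must hash them.
ACCOUNTS = [("abcd", "xyz"), ("admin", "Tr0ub4dor")]


def make_db():
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", ACCOUNTS)
    return conn


def build_login_query(username, password):
    """The query text a string-concatenating login handler sends to the database.
    Whatever quotes the user types become part of the SQL."""
    return ("SELECT Username FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns the usernames the query matched; a non-empty list is LoginSuccessful."""
    rows = conn.execute(build_login_query(username, password)).fetchall()
    return [r[0] for r in rows]


def login_safe(conn, username, password):
    """Same check with bound parameters: the attacker's quotes stay inside the value."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    user_payload = "pqr' OR '1'='1"
    pass_payload = "wxy' OR '1'='1"
    print(build_login_query(user_payload, pass_payload))
    print("tutorial's payload :", login_vulnerable(db, user_payload, pass_payload))
    print("comment payload    :", login_vulnerable(db, "abcd'--", "whatever"))
    print("parameterised      :", login_safe(db, user_payload, pass_payload))
```

The printed query is the real-SQL version of the `("abcd"=="pqr" or 1==1) and ("xyz"=="wxy" or 1==1)` line: the trailing `OR '1'='1'` makes the WHERE clause true for every row, so the handler sees a match without a valid password. With `abcd'--` as the username the rest of the condition is commented out and only that account is returned. Binding the values instead of concatenating them makes both inputs ordinary strings that match nothing.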
[Image: the two login queries, the legitimate one and the injected one] The first query is legitimate and gives you access to the data of srinivas only, and only when the password is correct. The second statement gives you access to the data of all accounts.
That's it for this tutorial; you now know how SQL injections work. It might be worth your time
learning some SQL on W3Schools until I come up with another tutorial. Also, check out the
navigation bar at the top of the blog to see if you find something that interests you. We have
a lot of tutorials for beginners in the field of hacking.