
SQL Injection


Behind a stand-alone program, a web application or a web site there is almost always a database, running on a database server such as MySQL, Oracle or Microsoft SQL Server. Developers, designers and administrators operate that database with SQL (Structured Query Language). The databases run by organizations hold the most valuable resources of the system: user details, transaction details, administrator details and so on. In hacking, the first step is generally to collect information in order to identify the vulnerabilities of a system, and SQL injection lets an attacker target the system's database directly to collect those resources. For example, if the attacker can read the user login table in the database, he gets the users' passwords (or password hashes) and e-mail addresses too.

Let's see how SQL injection works.
An SQL injection is an ordinary piece of SQL that an attacker types into an input field so that it becomes part of the query the application sends to the database. Put simply, SQL injection is an attack that injects code into a field whose value is passed directly into a database query. The login form is the classic place to do it, because a successful injection there bypasses authentication. Let's see how the login code makes the injection possible.
When we have a user or administrator login for a system, we need to ask for a username and a password. After designing the interface, we pass the strings entered by the client to the back end, which checks against the database whether the username and password are correct. That check is the place that talks directly to the database and, as said above, it is where the vulnerability sits. The back-end code looks like this.

Sample Code - 1:
Uname = textBox1.Text;      // John   - sample username
Upassword = textBox2.Text;  // abc123 - sample password
// user input is concatenated straight into the SQL text
query = "SELECT * FROM User WHERE name=\"" + Uname + "\" AND password=\"" + Upassword + "\"";

Result - 1:
SELECT * FROM User WHERE name="John" AND password="abc123"

This code is vulnerable: with a basic Boolean trick we can change the meaning of the whole query. For example, 1=1 is always true. Let's try that on the code.

Sample Code - 2:
Uname = textBox1.Text;      // 000" OR "1"="1  - as username
Upassword = textBox2.Text;  // " OR ""="        - as password

Result - 2:
SELECT * FROM User WHERE name="000" OR "1"="1" AND password="" OR ""=""

Note:
  1. The quotation marks around the string values are added by the code that builds the query, so the injected text has to close the quote the code opened and leave the closing quote the code appends afterwards. In standard SQL, string literals use single quotes and double quotes denote identifiers; MySQL also accepts double-quoted strings, which is why the examples here use them.
  2. ""="" is always true. Because AND binds tighter than OR, the WHERE clause is read as name="000" OR ("1"="1" AND password="") OR ""="", and the last condition is true for every row, so the query returns all users and the login succeeds without a valid password.

From those two results you can see the weakness in the login query; this is what is known as SQL injection. There are SQL injection cheat sheets on the Internet from which you can find other payloads to use wherever input is passed directly to the database.
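Here is the login check above in Python with SQLite, as an added example that is not from the original post, written two ways: the vulnerable string concatenation of Sample Code 1, and the parameterized query that fixes it. The users, passwords and the in-memory database are constructed for the demonstration; SQLite uses single quotes for string literals, so the payloads are the single-quote form of the ones in Sample Code 2.

```python
import sqlite3


def make_db():
    """Constructed demo database (not from the original post): two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO User VALUES (?, ?)",
                     [("John", "abc123"), ("alice", "s3cret")])
    conn.commit()
    return conn


def vulnerable_login(conn, uname, upassword):
    """Sample Code 1 pattern: the input becomes part of the SQL text,
    so quotes and OR in the input change the query's logic."""
    query = ("SELECT name FROM User WHERE name='" + uname
             + "' AND password='" + upassword + "'")
    return sorted(row[0] for row in conn.execute(query))


def safe_login(conn, uname, upassword):
    """Parameterized query: the SQL text is fixed and the values are bound
    separately, so the input is only ever compared as data."""
    query = "SELECT name FROM User WHERE name=? AND password=?"
    return sorted(row[0] for row in conn.execute(query, (uname, upassword)))


# Sample Code 2 payloads in single-quote form.
BYPASS_USER = "000' OR '1'='1"
BYPASS_PASS = "' OR ''='"

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login(conn, "John", "abc123"))         # ['John']
    print(vulnerable_login(conn, BYPASS_USER, BYPASS_PASS))  # ['John', 'alice']: every user
    print(safe_login(conn, BYPASS_USER, BYPASS_PASS))        # []
```

With the payloads, the vulnerable function sends SELECT name FROM User WHERE name='000' OR '1'='1' AND password='' OR ''='' and returns every user; the parameterized version looks for a user literally named 000' OR '1'='1 and returns nothing.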

Example:
Sample Code - 3:
Uname = textBox1.Text;      // 105"; DROP TABLE Login; #  - as username

Result - 3:
SELECT * FROM User WHERE name="105"; DROP TABLE Login; #" AND password=""

Note: Here # starts a comment (in MySQL). It is used to swallow the closing double quotation mark that the code appends to the query, since we have added an extra statement to drop a table (a semicolon separates statements). Everything after the comment marker is ignored by the database. Comment syntax differs between database servers: -- (followed by a space in MySQL) and /* */ are widely supported, while # is MySQL-specific. Running two statements in one call also depends on the database driver: many APIs execute only one statement per call and reject the rest, so this particular payload does not work everywhere.

I think you can see what is happening here: with this input you can delete the Login table of the system, because the query is handed straight to the database and executed.

But to do this kind of injection you need to know the correct table name and database name of the system. For that you have to use tools or your own code to enumerate the database; finding the database name and its contents is covered separately. Don't go beyond that, though: finding the vulnerability is the task of ethical hacking, and if you go past that limit you are a criminal. So be aware.

So far we have seen only one type of SQL injection attack (authentication bypass), but there are several more: information disclosure, compromised data integrity, compromised availability of data and remote command execution.

So SQL injection is a threat that software developers and system administrators must protect their systems against; parameterized (prepared) queries, which send the user input separately from the SQL text, stop the authentication bypass shown above. For attackers, SQL injection is one of the easiest techniques to learn and to hack a system with, which is why they make use of it.

©IT Today
