Hans
Security
Magazine
Vol I

Grab It Now

Article

COUNT
1851

SQL Injection (1st of 10 attacks)

Posted On : Jul 03rd 2012 by Sumit Sharma

 SQL Injection

 

SQL injection is the common website vulnerability found the internet.Its is a flaw in Web Applications and not in database or webserver.Mostly  programmers are not aware of this threat.SQL Injection is the most prevalent vulnerability in 2010.SQL injections threats are :-

  • Tamper with database records.
  • Spoofing identity.
  • Complete disclouser of data.
  • Destruction of data.
  • Voiding machine’s critical transactions.
  • DoS on server.

By SQL injection attacker can insert SQL query  vai input data from client machine.SQL injection  take advantage of non-validated input  to pass SQL query commands through a web application for execution by database.It is a mostly used attack to either gain unauthorized access of database for retrieving information from it.SQL injectin exploit can be used to read the confidential information,or  to madify data,can perform administrative action on database.Mostly Php and ASP applications are vulnerable to SQL injections.The severity of SQL injectin attacks is limited by attacker’s skill and imagination.

The main consequences are:

  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  • Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  • Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
  • Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.

 

Blind SQL injection

In blind SQL injection when  attacker attempts to exploit ,they will get a generic page specified by the developer,rather then the SQL query error message.That makes the execution of  SQL query injection attack more difficult.But it is possible to attack the remote host by asking a series of true and false questions through SQL statements.

SQL Injection detection

  • Check if the web application connects to a database server in order to access some data.
  • List all input fields,hidden fields, and post request whose values could be used in crafting a SQL query.
  • Attempt to inject code into the input fields to generate an error.
  • Try to insert a string value where a number is expected in input field.
  • The UNION operator is used in SQL injections to joint a query to original query.
  • Detailed error message provide a wealth of information to an attacker in order to execute SQL injection.

 

SQL  Injection tools

  • BSQLHacker  :- Automated blind SQL injection tool.
  • SQL Power Injector :- Automated SQL injection tool.
  • Havij :- One of the best automated tool used by professionals.
  • Sqlmap:- Also another tool to find the sql injection in website.

SQL  Based queries

Bypass User Login

The simplest SQL injection technique is bypassing form-based logins. Let's say that

the web application’s code is like this:

SQLQuery = "SELECT Username FROM Users WHERE Username = '" &

strUsername & "' AND Password = '" & strPassword & "'"

strAuthCheck = GetQueryResult(SQLQuery)

If strAuthCheck = "" Then

boolAuthenticated = False

Else

boolAuthenticated = True

End If

Here's what happens when a user submits a username and password. The query will go

through the Users table to see if there is a row where the username and password in the row

match those supplied by the user. If such a row is found, the username is stored in the variable

strAuthCheck, which indicates that the user should be authenticated. If there is no row that

the user-supplied data matches, strAuthCheck will be empty and the user will not be

authenticated.

If strUsername and strPassword can contain any characters that you want, you

can modify the actual SQL query structure so that a valid name will be returned by the query

even if you do not know a valid username or a password. How does this work? Let's say a

user fills out the login form like this:

Login: ' OR ''='

Password: ' OR ''='

This will give SQLQuery the following value:

SELECT Username FROM Users WHERE Username = '' OR ''='' AND

Password = '' OR ''=''

Instead of comparing the user-supplied data with that present in the Users table, the

query compares '' (nothing) to '' (nothing), which, of course, will always return true.

(Please note that nothing is different from null.) Since all of the qualifying conditions in the

WHERE clause are now met, the username from the first row in the table that is searched will be

selected. This username will subsequently be passed to strAuthCheck, which will ensure

our validation.

 

This how the syntax manipulation work and allow the attacker to get access to confidential information.Try to find and execute SQL injections but for practicing not for harming the websites.All the information is provided here is for Learning purpose.

Sumit Sharma



 

SQL Injection - Anti Hacking

Powered By: Sevenza SEO