
SQL INJECTION

SQL in Web Pages

In the previous chapters, you have learned to retrieve (and update) database data, using SQL.

When SQL is used to display data on a web page, it is common to let web users input their own search values.

Since SQL statements are plain text, it is easy, with a small piece of code, to build an SQL statement dynamically that returns the data the user asked for:

Server Code

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId= " + txtUserId;

The example above creates a SELECT statement by appending a variable (txtUserId) to a SELECT string. The variable is taken directly from the user's input (the request) to the page.

The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection

SQL injection is an attack in which a malicious user supplies input, for example through a web form or URL parameter, that the application pastes into an SQL statement, so that the input is interpreted as SQL rather than as data.

Injected SQL can change the logic of the statement, read or modify data the application never intended to expose, and so compromise the security of the web application.

SQL Injection Based on 1=1 is Always True

Look at the example above, one more time.

Let's say that the original purpose of the code was to create an SQL statement to select a user with a given user id.

If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this in the form provided:

UserId: 105 or 1=1

Server Result

SELECT * FROM Users WHERE UserId = 105 or 1=1;

The SQL above is valid. It will return all rows from the table Users: 1=1 is always true, and because the two conditions are joined by or, the whole WHERE clause is true for every row regardless of its UserId.

Does the example above seem dangerous? What if the Users table contains names and passwords?

The SQL statement above is much the same as this:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

An attacker could get access to all the user names and passwords in the database simply by entering 105 or 1=1 into the input box.

SQL Injection Based on ""="" is Always True

Here is a common construction, used to verify user login to a web site:

User Name: James Morearity

Password: Blackwaters

Server Code

uName = getRequestString("UserName");
uPass = getRequestString("UserPass");

sql = 'SELECT * FROM Users WHERE Name ="' +uName + '" AND Pass ="' + uPass + '"'

Result

SELECT * FROM Users WHERE Name ="James Morearity" AND Pass ="Blackwaters"

An attacker can get access to the user names and passwords in the database simply by entering " or ""=" into the user name and password text boxes:

User Name: " or ""="

Password: " or ""="

The code at the server will create a valid SQL statement like this:

Result

SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

The resulting SQL is valid. Because AND binds more tightly than OR, the WHERE clause is evaluated as Name ="" OR (""="" AND Pass ="") OR ""="", and the final ""="" is always true, so the query returns all rows from the table Users and the login check passes without a valid name or password. (Double quotes delimit strings in MySQL by default; in standard SQL and most other databases they delimit identifiers, and the same attack is written with single quotes: ' or ''='.)

SQL Injection Based on Batched SQL Statements

Most databases support batched (stacked) SQL statements, separated by semicolons.

Example

SELECT * FROM Users; DROP TABLE Suppliers

The SQL above will return all rows in the Users table, and then drop the table called Suppliers.

If we had the following server code:

Server Code

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId= " + txtUserId;

And the following input:

User id: 105; DROP TABLE Suppliers

The code at the server would create a valid pair of SQL statements like this:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers

Whether the second statement actually runs depends on the database driver as well as the database: some query APIs execute only the first statement, or reject a string that contains more than one. That limits this particular payload but does not make the concatenated query safe; the 1=1 and ""="" attacks above still work through the same code.

Parameters for Protection

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.

This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in ordinary language and should be allowed in many types of input. It also does not work: an attacker can rewrite a payload with different casing, comments, encodings or alternative syntax so that it matches nothing on the list while still being valid SQL.

(In fact it should be perfectly legal to type an SQL statement into a database field.)

The proven way to protect a web site from SQL injection is to use SQL parameters (prepared statements). Input validation, a database account with only the privileges the application needs, and hiding detailed database errors from users are worthwhile additional layers, but they do not replace parameters.

SQL parameters are values that are passed to the database separately from the SQL text and bound to the query at execution time, in a controlled manner. Parameters can only carry values: a table or column name, or the direction of an ORDER BY, cannot be parameterized and must instead be chosen from a fixed allowlist in the application code.

ASP.NET Razor Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);

Note that parameters are represented in the SQL statement by a @ marker.

The database driver sends each parameter value separately from the SQL text, and the engine checks that the value is valid for the type of its column. The value is treated literally, as data, and never as part of the SQL to be executed, so input such as 105 or 1=1 is simply compared (and rejected) as a value instead of altering the query.

Another Example

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);
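The three attacks above (1=1, ""="" and a batched statement) and the parameterized defence, run end to end. This is an added example, not code from the original page: it uses Python's built-in sqlite3 module against an in-memory database with a constructed Users and Suppliers table, and single quotes for the string injection because SQLite, like standard SQL, reads double quotes as identifiers. The placeholder syntax differs by driver (? here, @0 in the Razor example, :nam in PDO) but the principle is the same.

```python
"""Tautology and stacked-query injection against string-built SQL, beside the
parameterized form. Added example, not from the original page: it runs against
an in-memory SQLite database filled with constructed sample rows."""
import sqlite3


def make_db():
    """Constructed sample data: three users and one Suppliers table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);
        INSERT INTO Users VALUES (105, 'James Morearity', 'Blackwaters');
        INSERT INTO Users VALUES (106, 'John Doe', 'myPass');
        INSERT INTO Users VALUES (107, 'Alice', 's3cret');
        CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT);
        INSERT INTO Suppliers VALUES (1, 'Acme');
        """
    )
    return conn


# --- vulnerable: user input is pasted into the SQL text ---------------------

def vulnerable_user_lookup(conn, txt_user_id):
    """The page's 'SELECT * FROM Users WHERE UserId= ' + txtUserId."""
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(sql).fetchall()


def vulnerable_login(conn, u_name, u_pass):
    """The page's login check, with single quotes as string delimiters."""
    sql = ("SELECT * FROM Users WHERE Name = '" + u_name
           + "' AND Pass = '" + u_pass + "'")
    return conn.execute(sql).fetchall()


def vulnerable_batch(conn, txt_user_id):
    """Same concatenation, run through an API that accepts stacked statements."""
    sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    conn.executescript(sql)


# --- fixed: the same queries with parameters --------------------------------

def safe_user_lookup(conn, txt_user_id):
    # '?' is sqlite3's positional placeholder. The value travels separately
    # from the SQL text and is never parsed as SQL.
    return conn.execute("SELECT * FROM Users WHERE UserId = ?",
                        (txt_user_id,)).fetchall()


def safe_login(conn, u_name, u_pass):
    return conn.execute("SELECT * FROM Users WHERE Name = ? AND Pass = ?",
                        (u_name, u_pass)).fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def demo():
    """Run every attack against both forms and report what happened."""
    conn = make_db()
    results = {}
    # 1=1 tautology: concatenation returns every user.
    results["tautology_rows"] = len(vulnerable_user_lookup(conn, "105 or 1=1"))
    # ''='' tautology: concatenation logs in without a valid name or password.
    results["quote_rows"] = len(vulnerable_login(conn, "' or ''='", "' or ''='"))
    # Parameterized: the same strings are compared literally and match nothing,
    # while a real credential pair still matches its one row.
    results["safe_tautology_rows"] = len(safe_user_lookup(conn, "105 or 1=1"))
    results["safe_quote_rows"] = len(safe_login(conn, "' or ''='", "' or ''='"))
    results["safe_real_login"] = len(safe_login(conn, "James Morearity", "Blackwaters"))
    # Stacked statement: execute() accepts only one statement and refuses it
    # (older Pythons raise sqlite3.Warning, newer ones ProgrammingError) ...
    try:
        vulnerable_user_lookup(conn, "105; DROP TABLE Suppliers")
        results["execute_refused_batch"] = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["execute_refused_batch"] = True
    results["suppliers_after_execute"] = table_exists(conn, "Suppliers")
    # ... but executescript() runs both statements and the table is gone.
    vulnerable_batch(conn, "105; DROP TABLE Suppliers")
    results["suppliers_after_script"] = table_exists(conn, "Suppliers")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The stacked-statement part also shows that the outcome depends on the API, not only on the database: sqlite3's execute() refuses a string with more than one statement, while executescript() runs it and drops the table. An application is not safe because one driver happens to reject one payload; the parameterized functions are safe against all three inputs.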

Examples

The following examples show how to build parameterized queries in some common web languages. (In ADO.NET, AddWithValue infers the SQL type of the parameter from the .NET value it is given; for a key column that is an integer, convert the input with int.Parse first, or use Parameters.Add with an explicit SqlDbType, so that the parameter's type matches the column.)

SELECT STATEMENT IN ASP.NET:

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql, connection);   // connection: an open SqlConnection
command.Parameters.AddWithValue("@0", txtUserId);
reader = command.ExecuteReader();

INSERT INTO STATEMENT IN ASP.NET:

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL, connection);   // connection: an open SqlConnection
command.Parameters.AddWithValue("@0", txtNam);
command.Parameters.AddWithValue("@1", txtAdd);
command.Parameters.AddWithValue("@2", txtCit);
command.ExecuteNonQuery();

INSERT INTO STATEMENT IN PHP:

// $dbh is an open PDO connection. The named placeholders are bound to PHP
// variables and sent to the database separately from the SQL text.
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

Finding SQLi Vulnerable Websites on a Web Server

SQL injection (SQLi) is not a new vulnerability, but it remains one of the most dangerous in web applications. It can lead to theft of data or even complete defacement of a website.

Anyone targeting your website does not have to attack it directly. They can instead look for an SQL injection vulnerability in any other website hosted on the same server or IP address. Once the server has been compromised, the websites hosted on it can be compromised as well. Here is a quick way to check a server for SQL injection vulnerabilities in the websites hosted on it.

During our penetration tests we often come across scenarios where we have to check the web server, not just one website. We may be engaged to test only the target website, but other websites hosted on the same server may be vulnerable, and that is a threat to the target website too. This post is a guide for penetration testers who want to quickly check whether other websites hosted on a web server are vulnerable to SQL injection. Probe only hosts that are within the scope of your authorization; the other tenants of a shared server are not covered by an engagement for one site unless the agreement says so.

The first thing we need is the IP address of the website. You can simply ping the domain from the command prompt in Windows or a terminal in Linux (nslookup or dig will also resolve it).

At this step we know two things: the domain of the website and its IP address.

Next we need an external tool to identify the other websites hosted on that IP address, that is, a reverse IP lookup. The reverse IP lookup on yougetsignal.com does this: enter the IP address and it returns the list of domains hosted on that web server. Note that a shared IP behind a load balancer or CDN may also list sites that are not on the same machine at all. Now all we need to do is find which of these websites is vulnerable to SQL injection.

Open the Bing search engine and, in the search box, type ip:x.x.x.x php?id= and search, replacing x.x.x.x with the selected server IP.

Bing's ip: operator limits the results to pages hosted at that IP address, and php?id= matches pages whose URL has that form, like www.site.com/index.php?id=. The result is a list of pages on that server that take an id parameter in the URL.

Now select one of the sites and add a single quote (') after the parameter value in the URL to check whether the site is vulnerable to SQL injection. If the unbalanced quote produces a database error message, or the page changes in a way that an ordinary value does not cause, the parameter is probably being concatenated into a query. No visible error does not mean the site is safe: many applications suppress errors, and a blind (boolean- or time-based) test is needed to confirm or rule out injection. If a site is not vulnerable, check the next site from the search results.

If you find a site that is vulnerable to SQL injection, exploit it with an SQL injection exploitation tool (again, only within the scope of your engagement).

Alternatively, you can search for Google dork files: collections of search queries that turn up websites with URL patterns typical of SQL injection vulnerabilities.
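The single-quote check from the procedure above, as an offline helper. This is an added example and not part of the original post: it builds the probe URLs, recognises the error text the common database engines print for an unbalanced quote, and refines the check with the ' versus '' comparison. The target URL is hypothetical and the response bodies are constructed samples; fetching real pages is left to the caller.

```python
"""Offline helper for the single-quote check in the procedure above.
Added example, not part of the original post: it builds the probe URLs and
classifies responses by database error signatures. Fetching the pages is
left to the caller; the sample bodies below are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Literal fragments of each engine's real error text for an unbalanced quote
# (or of the PHP warning printed when the query call fails).
SQL_ERROR_SIGNATURES = {
    "mysql": ["You have an error in your SQL syntax", "mysql_fetch_array()"],
    "mssql": ["Unclosed quotation mark after the character string",
              "Microsoft OLE DB Provider for SQL Server"],
    "oracle": ["ORA-01756", "ORA-00933"],
    "postgresql": ["unterminated quoted string at or near", "pg_query()"],
    "sqlite": ["unrecognized token", "SQLite3::query"],
}

# Constructed sample responses (not captured from any real site).
SAMPLE_BASELINE = "<html><body><h1>Product 105</h1><p>In stock</p></body></html>"
SAMPLE_MYSQL_ERROR = (
    "<html><body>Warning: mysql_fetch_array() expects parameter 1 to be "
    "resource, boolean given in /var/www/index.php on line 12<br>"
    "You have an error in your SQL syntax; check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near ''' at "
    "line 1</body></html>"
)


def quote_probes(url, payload="'"):
    """One probe URL per query parameter, with `payload` appended to that
    parameter's value. Appending after the whole URL, as the text says, only
    reaches the last parameter; this covers each of them in turn."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (key, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (key, value + payload)
        probes.append((key, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return probes


def detect_db_error(body):
    """Database family whose error text appears in `body`, or None."""
    for db, signatures in SQL_ERROR_SIGNATURES.items():
        if any(sig in body for sig in signatures):
            return db
    return None


def classify(baseline_body, quote_body, double_quote_body):
    """Differential quote test on three responses for the same parameter:
    the normal value, the value plus ', and the value plus ''.
    A lone ' breaks a concatenated string literal, while '' is a valid
    escaped quote inside one, so an error on ' with a clean page on ''
    points at a string context; an error on both usually means a numeric
    context. No visible difference is not proof of safety."""
    db = detect_db_error(quote_body)
    if db is not None:
        context = ("string" if detect_db_error(double_quote_body) is None
                   else "numeric-or-other")
        return {"indicator": "error", "db": db, "context": context}
    if quote_body != baseline_body and double_quote_body == baseline_body:
        return {"indicator": "differs", "db": None, "context": "possible-blind"}
    return {"indicator": "none", "db": None, "context": None}


def demo():
    """Hypothetical target URL; the responses are the constructed samples."""
    probes = quote_probes("http://www.site.com/index.php?id=105&page=2")
    verdict = classify(SAMPLE_BASELINE, SAMPLE_MYSQL_ERROR, SAMPLE_BASELINE)
    return probes, verdict


if __name__ == "__main__":
    probes, verdict = demo()
    for key, probe in probes:
        print(key, probe)
    print(verdict)
```

In use, request the baseline URL and each probe URL (and the same probe with '' as the payload) with the same client and cookies, then pass the three bodies to classify(); the ' versus '' pair separates a real quoting problem from a page that merely errors on any unexpected input.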
