
Blog


    October 12

    Another on SQL Injection


     Concept:
     Every time you browse the internet to look at a web site there are many things going
     on in the background to bring you that site.  Most of the more sophisticated sites
     or services use DATABASES to store site content and the like.  The web server fetches
     this content by sending SQL code to the database.  It is nothing more than a request
     for content.  But it is possible to change the normal request into one of your own
     design.  This could let you get information out of the database that you would not
     normally have been given.

     What is a SQL Injection:
     A SQL Injection is the manipulation of SQL code by inserting crafted commands
     into the variables of that SQL code.  This could potentially allow you to gain access
     to information that you would normally not have access to.

     How does it work:
     For demonstration purposes you can think of it working like this:  You have a site
     that allows you to enter text into an input box, like a login/password form.  When
     you click Submit, your information is passed to another file that processes that
     information (like a .php or .asp file).  That file generates a line of SQL code and
     puts your information into it.  It then sends that SQL code to the database server,
     which replies with the requested information.  The page then processes that new
     information and sends the results back to you.
     To do a SQL Injection, you would write specially crafted SQL code in the input
     boxes of the site.  When you submit your malicious string to the next page, that
     page puts your text into the rest of the SQL statement.  If you crafted your string
     correctly the resulting SQL logic will be modified... and hopefully still be valid.

     Examples of Injection:
     You go to a site that prompts you for a User Name and Password.  You know that the
     User Name and Password are stored in a database.  Let's also say, for simplicity's
     sake, you have an idea of what the SQL statement looks like.
     Here is an example of such code:
       SELECT User.Message FROM User
       WHERE ((User.Login = '$myLogin') AND ('$myPassword' = User.Password));
     As you can probably tell, this code will return a "Message" if the Login equals the
     correct User Name and the Password equals the correct Password.
     $myLogin and $myPassword are the INPUT variables from the text boxes.
     So how do I do a SQL Injection on this?
     First, notice that your $myLogin is getting processed first.  That is where we will
     start.  What would happen if you let your User Name equal "') AND ('"?
       $myLogin = ') AND ('
     Your new SQL string would look like this:
       SELECT User.Message FROM User
       WHERE ((User.Login = '') AND ('') AND ('$myPassword' = User.Password));
     Ok, now you might be getting the idea of how this all works.  But LOGIC tells us that
     the SQL statement we just created is not valid and will create an error, plus it
     doesn't do us any good at all!  Can you guess what we can put into $myLogin to make
     the SQL statement valid and logically bypass us needing a password at all!?!?
     Exploit:
       $myLogin = root') OR (User.Login = 'root
     Exploited SQL Code:
       SELECT User.Message FROM User
       WHERE ((User.Login = 'root') OR (User.Login = 'root') AND ('$myPassword' = User.Password));
     Look at what we did here.  We let User.Login = root so we can get the Message that
     the root user would get.  We added an OR clause to logically relieve us from
     needing a valid $myPassword.

     Think of it like this:
     (login = root) OR ((login = anything) AND (password = anything))
     Since (User.Login = 'root') is TRUE we get that user's Message even though the
     second part of that logical argument is FALSE.

     SQL Injections on unknown SQL Code:
     Most of the time you will not be able to see the SQL code that the .php or .asp files
     create.  Due to insecure programming habits, though, you might be able to get the
     page to show you the SQL.  Obtaining partial SQL code is possible in most cases by
     inserting invalid strings.  But no matter what, a good understanding of SQL is needed
     to attempt SQL Injections.  Most vulnerable code can also be exploited by a lot
     of trial and error.
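     The two points above (a query built by pasting the input variables into the SQL, and
     error messages that hand the SQL back to the visitor) can be shown side by side with
     their fixes.  The following is an added example written for this page, not code from
     the original post: it builds a throwaway in-memory SQLite table shaped like the post's
     User table (the rows are invented), runs the post's $myLogin/$myPassword query both by
     string interpolation and with bound parameters, and wraps each in a login handler that
     either echoes the database error with the statement or returns a generic failure.
     The function names and the table contents are assumptions made for the example.

```python
import logging
import sqlite3

# Constructed sample data for the example: a User table shaped like the one in
# the post. Logins, passwords and messages are invented.
SAMPLE_USERS = [
    ("root", "correct-horse", "Welcome back, admin."),
    ("alice", "wonderland", "Hi Alice."),
]


def make_db():
    """Create an in-memory database with the sample User table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE User (Login TEXT, Password TEXT, Message TEXT)")
    db.executemany("INSERT INTO User VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def build_vulnerable_sql(my_login, my_password):
    """Paste the input variables straight into the statement, exactly as the
    post's $myLogin/$myPassword example does. Quotes and keywords typed by the
    visitor become part of the SQL."""
    return (
        "SELECT User.Message FROM User "
        f"WHERE ((User.Login = '{my_login}') AND ('{my_password}' = User.Password))"
    )


def lookup_vulnerable(db, my_login, my_password):
    """Run the interpolated query and return the matching Message values."""
    return [row[0] for row in db.execute(build_vulnerable_sql(my_login, my_password))]


def lookup_safe(db, my_login, my_password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement, so the input is always data and never SQL."""
    sql = (
        "SELECT User.Message FROM User "
        "WHERE ((User.Login = ?) AND (? = User.Password))"
    )
    return [row[0] for row in db.execute(sql, (my_login, my_password))]


def handle_login_leaky(db, my_login, my_password):
    """The 'insecure programming habit' the post refers to: on a database error
    the exception text and the failed statement are sent back to the visitor,
    which reveals the shape of the query."""
    sql = build_vulnerable_sql(my_login, my_password)
    try:
        return {"ok": True, "messages": [row[0] for row in db.execute(sql)]}
    except sqlite3.Error as exc:
        return {"ok": False, "error": f"{exc} in: {sql}"}


def handle_login_hardened(db, my_login, my_password):
    """Parameterised query plus a generic error: the details go to the server
    log, and the visitor learns nothing about the statement."""
    try:
        return {"ok": True, "messages": lookup_safe(db, my_login, my_password)}
    except sqlite3.Error:
        logging.getLogger(__name__).exception("login query failed")
        return {"ok": False, "error": "Login failed."}


if __name__ == "__main__":
    db = make_db()
    # A legitimate login works the same way in both versions.
    print(lookup_vulnerable(db, "alice", "wonderland"), lookup_safe(db, "alice", "wonderland"))
    # The post's $myLogin payload with an empty password: the interpolated query
    # returns root's Message, the parameterised one returns nothing.
    payload = "root') OR (User.Login = 'root"
    print(lookup_vulnerable(db, payload, ""), lookup_safe(db, payload, ""))
    # A name containing an apostrophe breaks the interpolated statement; the
    # leaky handler echoes the SQL, the hardened handler does not.
    print(handle_login_leaky(db, "O'Brien", ""))
    print(handle_login_hardened(db, "O'Brien", ""))
```

     Run it as a script and compare the two columns: the only difference between
     the vulnerable and the safe lookup is whether the input travels inside the
     statement text or beside it as a parameter, which is the whole defence against
     the manipulation the post describes.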
     

    Comments (2)


    Manga Witch wrote:
    Heya - Glad you liked the page - you're welcome to pinch all the pics off it! That's what most of the others do....lol
    Oct. 20
    Manga Witch wrote:
    Heya - Liking the site...thanks for paying a visit.

    I may just come back here...lol
    Oct. 20

    Trackbacks

    The trackback URL for this entry is:
    http://nism-o.spaces.live.com/blog/cns!F484BCA9EE782E9!170.trak