SQL Injection
What is SQL?
SQL stands for Structured Query Language, a language used to communicate with a database.
SQL injection is the act of injecting your own, custom-crafted SQL commands into a web script so that you can manipulate the database any way you want. Some example uses of SQL injection: bypass login verification, add a new admin account, lift passwords, lift credit-card details, etc.; you can access anything that's in the database.
Example Vulnerable Code - login.php (PHP/MySQL)
Here's an example of a vulnerable login code
PHP CODE
<?php
// Attacker-controlled input taken straight from the request, no filtering.
$user = $_POST['u'];
$pass = $_POST['p'];
if (!isset($user) || !isset($pass)) {
    echo("");
} else {
    // The injection point: both values are pasted directly into the SQL string.
    $sql = "SELECT `IP` FROM `users` WHERE `username`='$user' AND `password`='$pass'";
    $ret = mysql_query($sql);
    $ret = mysql_fetch_array($ret);
    // Any row with a non-empty IP counts as a successful login.
    if ($ret[0] != "") {
        echo("Welcome, $user.");
    } else {
        echo("Incorrect login details.");
    }
}
?>
Basically what this code does is take the username and password input and look up the user's IP in the database in order to check the validity of the username/password combo. Note that the check only asks whether the first returned row has a non-empty IP; it never verifies that the row actually belongs to the user who typed the name.
Testing Inputs For Vulnerability
Just throw a single quote (') into the inputs and see if it outputs an error; if so, it's probably injectable. If it doesn't display anything, it might still be injectable, and if it is, you will be dealing with blind SQL injection, which anyone can tell you is no fun. If the quote is handled cleanly, it's probably not injectable at that point, although the absence of an error is not proof: errors may simply be suppressed on the page.
The Example Exploit
Let's say we know the admin's username is Administrator and we want into his account. Since the code doesn't filter our input, we can insert anything we want into the statement and just let ourselves in. To do this, we would simply put "Administrator" in the username box and "' OR 1=1--" into the password box; the resulting SQL query run against the database would be "SELECT `IP` FROM `users` WHERE `username`='Administrator' AND `password`='' OR 1=1--'". Because AND binds tighter than OR, the WHERE clause is evaluated as (`username`='Administrator' AND `password`='') OR 1=1; the "OR 1=1" lets it ignore the password requirement, because the logic of "OR" only requires one side to be true for the whole condition to succeed, and since 1 always equals 1, every row in the table matches. The "--" is the 'comment out' marker in SQL, which makes the database ignore everything after it; otherwise the trailing "'" added by the script would break the syntax and just cause the query to fail. One caveat for MySQL specifically: "--" only starts a comment when it is followed by a space or other whitespace, so the payload should be typed as "' OR 1=1-- " (with a trailing space) or use "#" instead, which MySQL also treats as a comment marker.
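The following is an added example, not code from the original post: it rebuilds the login.php logic above in Python against an in-memory SQLite table (a constructed stand-in for the page's `users` table with columns username, password and IP), replays the single-quote probe and the ' OR 1=1-- bypass against the string-built query, and then shows the same inputs against a parameterised query, which is the fix the vulnerable code lacks. The table contents, the build_vulnerable_query, vulnerable_login, safe_login and probe_with_quote names, and the sample passwords are all assumptions made for this illustration. SQLite accepts a bare "--" as a comment; on MySQL the payload needs a trailing space after "--" as noted above.

```python
import sqlite3


def make_db():
    """Constructed sample database mirroring the page's `users` table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, IP TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Administrator", "s3cret", "10.0.0.1"), ("bob", "hunter2", "10.0.0.2")],
    )
    return conn


def build_vulnerable_query(user, pw):
    """Same string interpolation as login.php: user input becomes SQL syntax."""
    return f"SELECT IP FROM users WHERE username='{user}' AND password='{pw}'"


def vulnerable_login(conn, user, pw):
    """login.php's check: accept if the first returned row has a non-empty IP."""
    row = conn.execute(build_vulnerable_query(user, pw)).fetchone()
    return row is not None and row[0] != ""


def safe_login(conn, user, pw):
    """Hardened version: the driver binds the values separately from the SQL text,
    so quotes and comment markers in the input stay data and never become syntax."""
    row = conn.execute(
        "SELECT IP FROM users WHERE username=? AND password=?", (user, pw)
    ).fetchone()
    return row is not None and row[0] != ""


def probe_with_quote(conn, user):
    """The page's 'throw a quote in' test: True if the input breaks the SQL."""
    try:
        conn.execute(build_vulnerable_query(user, "x"))
    except sqlite3.OperationalError:  # unterminated string / unrecognized token
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1--"
    print(build_vulnerable_query("Administrator", payload))
    print("quote probe raises a SQL error:", probe_with_quote(conn, "'"))
    print("vulnerable login, bypass payload:", vulnerable_login(conn, "Administrator", payload))
    print("safe login, bypass payload:", safe_login(conn, "Administrator", payload))
    print("safe login, real password:", safe_login(conn, "Administrator", "s3cret"))
```

Running it prints the exact query from the walkthrough, shows the lone quote raising a syntax error (the signal the "Testing Inputs" step looks for), and shows the bypass succeeding only against the interpolated query: with bound parameters the string ' OR 1=1-- is compared against the password column as a literal and simply fails to match.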