SlideShare a Scribd company logo

business articles

C
client001competitors

The document discusses how SQL injection vulnerabilities can allow attackers to hack into websites. It begins by explaining that SQL is used to access and manipulate database data and that many websites store user login credentials in a database. It then shows how submitting malicious SQL code as input can allow an attacker to bypass authentication by manipulating the SQL query used to validate login credentials. Specifically, it demonstrates how adding OR clauses to the username or password fields allows logging in without valid credentials. The document also explains how error messages from failed SQL queries can be used to fingerprint the database structure and design further attacks.

BusinessTechnology
1 of 4
Download to read offline
How Bad Guys Hack Into Websites Using Sql Injection SQL Injection is one of the most common security vulnerabilities on the web. Here Ill try to explain in detail this kind of vulnerabilities with examples of bugs in PHP and possible solutions. If you are not so confident with programming languages and web technologies you may be wondering what SQL stay for. Well, its an acronym for Structured Query Language (pronounced sequel). Its de facto the standard language to access and manipulate data in databases. Nowadays most websites rely on a database (usually MySQL) to store and access data. Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, thats simple, but what happens exactly on the server when he checks your credentials? The client (or user) sends to the server two strings, the username and the password. Usually the server will have a database with a table where the users data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this: SELECT * FROM users WHERE username=SUPPLIED_USER AND password=SUPPLIED_PASS For those of you who are not familiar with the SQL language, in SQL the character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user. In this example we see that the username and password supplied are inserted into the query between the and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied). Now, what happens if a user types a character into the username or password field? Well, by putting only a into the username field and living the password field blank, the query would become: SELECT * FROM users WHERE username= AND password= This would trigger an error, since the database engine would consider the end of the string at the second and then it would trigger a parsing error at the third character. Lets now what would
happen if we would send this input data: Username: OR a='a Password: OR a='a The query would become SELECT * FROM users WHERE username= OR a='a AND password= OR a='a Since a is always equal to a, this query will return all the rows from the table users and the server will think we supplied him with valid credentials and let as in the SQL injection was successful . Now we are going to see some more advanced techniques.. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table: CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128)) Theres a single row in that table with data: username: testuser password: testing email: testuser@testing.com To check the credentials I made the following query in the PHP code: $query=select username, password from users where username=.$user. and password=.$pass.; The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server). So, last time I showed you how SQL injection basically works. Now Ill show you how can we make more complex queries and how to use the MySQL error messages to get more information about
the database structure. Lets get started! So, if we put just an character in the username field we get an error message like You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and password= at line 1 Thats because the query became select username, password from users where username= and password= What happens now if we try to put into the username field a string like or user=abc ? The query becomes select username, password from users where username= or user=abc and password= And this give us the error message Unknown column user in where clause Thats fine! Using these error messages we can guess the columns in the table. We can try to put in the username field or email= and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with or email=testuser@testing.com in both the username and password fields and our query becomes select username, password from users where username= or email=testuser@testing.com and password= or email=testuser@testing.com which is a valid query and if that email address exists in the table we will successfully login! You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field or user.test= and you will see an error message like Unknown table user in where clause Fine! Lets try with or users.test= and we have Unknown column users.test in where clause
so logically theres a table named users . Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use these informations in an attack. Copied with permission from: http://plrplr.com/33208/how-bad-guys-hack-into-websites-using-sql- injection/

Recommended

POWER OF VISUALIZATION
POWER OF VISUALIZATIONPOWER OF VISUALIZATION
POWER OF VISUALIZATION
sihleGumede3
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Ziaullah Khan
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian Alexandrescu
Cristian Alexandrescu
 
qrth
qrthqrth
qrth
boozsha
 
Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 

Recommended

POWER OF VISUALIZATION
POWER OF VISUALIZATIONPOWER OF VISUALIZATION
POWER OF VISUALIZATION
sihleGumede3
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Ziaullah Khan
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Sql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian AlexandrescuSql injection course made by Cristian Alexandrescu
Sql injection course made by Cristian Alexandrescu
Cristian Alexandrescu
 
qrth
qrthqrth
qrth
boozsha
 
Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
Claas waqar
Claas waqarClaas waqar
Claas waqar
HSS-Software House
 
Android tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirerAndroid tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirer
Vlad Kolesnyk
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
n|u - The Open Security Community
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
Respa Peter
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
Asp
AspAsp
Asp
Adil Jafri
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? Infographic
JW CyberNerd
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Magno Logan
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
Edureka!
 
Powerpoint 2007
Powerpoint 2007Powerpoint 2007
Powerpoint 2007
mac8301
 
HDPE Pipe
HDPE PipeHDPE Pipe
HDPE Pipe
fuzailahmed240
 
Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]
Nicooooleeee
 
ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)
Christos Loufopoulos
 
Brand communities
Brand communitiesBrand communities
Brand communities
Sameer Kunal
 
Od657
Od657Od657
Od657
jeanninecarr
 
Sql Injection
Sql Injection Sql Injection
Sql Injection
Sanjeev Kumar Jaiswal
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
newbie2019
 
Mysql
MysqlMysql
Mysql
lotlot
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
Aung Khant
 

More Related Content

What's hot

Android tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirerAndroid tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirer
Vlad Kolesnyk
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
Edureka!
 

What's hot (12)

Claas waqar
Claas waqarClaas waqar
Claas waqar
 
Android tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirerAndroid tutorials7 calculator_packageexploirer
Android tutorials7 calculator_packageexploirer
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Asp
AspAsp
Asp
 
What is advanced SQL Injection? Infographic
What is advanced SQL Injection? InfographicWhat is advanced SQL Injection? Infographic
What is advanced SQL Injection? Infographic
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
 

Viewers also liked

Powerpoint 2007
Powerpoint 2007Powerpoint 2007
Powerpoint 2007
mac8301
 
HDPE Pipe
HDPE PipeHDPE Pipe
HDPE Pipe
fuzailahmed240
 
Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]
Nicooooleeee
 
ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)
Christos Loufopoulos
 

Viewers also liked (6)

Powerpoint 2007
Powerpoint 2007Powerpoint 2007
Powerpoint 2007
 
HDPE Pipe
HDPE PipeHDPE Pipe
HDPE Pipe
 
Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]Week 9 slides growth&business cycle [core]
Week 9 slides growth&business cycle [core]
 
ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)ψηφιακές γειτονιές Affiliate_marketing(2)
ψηφιακές γειτονιές Affiliate_marketing(2)
 
Brand communities
Brand communitiesBrand communities
Brand communities
 
Od657
Od657Od657
Od657
 

Similar to business articles

Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
Aung Khant
 
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docxScanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
anhlodge
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011
Mostafa Siraj
 

Similar to business articles (20)

Sql Injection
Sql Injection Sql Injection
Sql Injection
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
Mysql
MysqlMysql
Mysql
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
SQL Query Interview Questions
SQL Query Interview QuestionsSQL Query Interview Questions
SQL Query Interview Questions
 
Mysql
MysqlMysql
Mysql
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docxScanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
Scanned by CamScannerModule 03 Lab WorksheetWeb Developmen.docx
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011
 
Intro to T-SQL – 2nd session
Intro to T-SQL – 2nd sessionIntro to T-SQL – 2nd session
Intro to T-SQL – 2nd session
 
Sql injection
Sql injectionSql injection
Sql injection
 
DBMS LAB FILE1 task 1 , task 2, task3 and many more.pdf
DBMS LAB FILE1 task 1 , task 2, task3 and many more.pdfDBMS LAB FILE1 task 1 , task 2, task3 and many more.pdf
DBMS LAB FILE1 task 1 , task 2, task3 and many more.pdf
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
 
ORACLE PL/SQL TUTORIALS - OVERVIEW - SQL COMMANDS
ORACLE PL/SQL TUTORIALS - OVERVIEW - SQL COMMANDSORACLE PL/SQL TUTORIALS - OVERVIEW - SQL COMMANDS
ORACLE PL/SQL TUTORIALS - OVERVIEW - SQL COMMANDS
 
Sql injection
Sql injectionSql injection
Sql injection
 
Android database tutorial
Android database tutorialAndroid database tutorial
Android database tutorial
 
SQL cheat sheet.pdf
SQL cheat sheet.pdfSQL cheat sheet.pdf
SQL cheat sheet.pdf
 
JDBC – Java Database Connectivity
JDBC – Java Database ConnectivityJDBC – Java Database Connectivity
JDBC – Java Database Connectivity
 

Recently uploaded

What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...
srcw2322l101
 
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot ReportFuture of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Dubai Multi Commodity Centre
 
Constitution of Company Article of Association
Constitution of Company Article of AssociationConstitution of Company Article of Association
Constitution of Company Article of Association
seri bangash
 
Stages of Startup Funding - An Explainer
Stages of Startup Funding - An ExplainerStages of Startup Funding - An Explainer
Stages of Startup Funding - An Explainer
Alejandro Cremades
 
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptxBlinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
Saksham Gupta
 
Inside the Black Box of Venture Capital (VC)
Inside the Black Box of Venture Capital (VC)Inside the Black Box of Venture Capital (VC)
Inside the Black Box of Venture Capital (VC)
Alejandro Cremades
 
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
Khaled Al Awadi
 
PitchBook’s Guide to VC Funding for Startups
PitchBook’s Guide to VC Funding for StartupsPitchBook’s Guide to VC Funding for Startups
PitchBook’s Guide to VC Funding for Startups
Alejandro Cremades
 

Recently uploaded (20)

Pitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deckPitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deck
 
A Brief Introduction About Jacob Badgett
A Brief Introduction About Jacob BadgettA Brief Introduction About Jacob Badgett
A Brief Introduction About Jacob Badgett
 
Potato Flakes Manufacturing Plant Project Report.pdf
Potato Flakes Manufacturing Plant Project Report.pdfPotato Flakes Manufacturing Plant Project Report.pdf
Potato Flakes Manufacturing Plant Project Report.pdf
 
Series A Fundraising Guide (Investing Individuals Improving Our World) by Accion
Series A Fundraising Guide (Investing Individuals Improving Our World) by AccionSeries A Fundraising Guide (Investing Individuals Improving Our World) by Accion
Series A Fundraising Guide (Investing Individuals Improving Our World) by Accion
 
Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024
 
Creative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team PresentationsCreative Ideas for Interactive Team Presentations
Creative Ideas for Interactive Team Presentations
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024).pdfDaftar Rumpun, Pohon, dan Cabang Ilmu (2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (2024).pdf
 
What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...
 
Powers and Functions of CPCB - The Water Act 1974.pdf
Powers and Functions of CPCB - The Water Act 1974.pdfPowers and Functions of CPCB - The Water Act 1974.pdf
Powers and Functions of CPCB - The Water Act 1974.pdf
 
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot ReportFuture of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
 
Constitution of Company Article of Association
Constitution of Company Article of AssociationConstitution of Company Article of Association
Constitution of Company Article of Association
 
Stages of Startup Funding - An Explainer
Stages of Startup Funding - An ExplainerStages of Startup Funding - An Explainer
Stages of Startup Funding - An Explainer
 
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
 
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptxBlinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
Blinkit: Revolutionizing the On-Demand Grocery Delivery Service.pptx
 
Aspire Time & Life Leadership Workshop 2024
Aspire Time & Life Leadership Workshop 2024Aspire Time & Life Leadership Workshop 2024
Aspire Time & Life Leadership Workshop 2024
 
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
 
Engagement Rings vs Promise Rings | Detailed Guide
Engagement Rings vs Promise Rings | Detailed GuideEngagement Rings vs Promise Rings | Detailed Guide
Engagement Rings vs Promise Rings | Detailed Guide
 
Inside the Black Box of Venture Capital (VC)
Inside the Black Box of Venture Capital (VC)Inside the Black Box of Venture Capital (VC)
Inside the Black Box of Venture Capital (VC)
 
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
NewBase 17 May 2024 Energy News issue - 1725 by Khaled Al Awadi_compresse...
 
PitchBook’s Guide to VC Funding for Startups
PitchBook’s Guide to VC Funding for StartupsPitchBook’s Guide to VC Funding for Startups
PitchBook’s Guide to VC Funding for Startups
 

business articles

  • 1. How Bad Guys Hack Into Websites Using Sql Injection SQL Injection is one of the most common security vulnerabilities on the web. Here Ill try to explain in detail this kind of vulnerabilities with examples of bugs in PHP and possible solutions. If you are not so confident with programming languages and web technologies you may be wondering what SQL stay for. Well, its an acronym for Structured Query Language (pronounced sequel). Its de facto the standard language to access and manipulate data in databases. Nowadays most websites rely on a database (usually MySQL) to store and access data. Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, thats simple, but what happens exactly on the server when he checks your credentials? The client (or user) sends to the server two strings, the username and the password. Usually the server will have a database with a table where the users data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this: SELECT * FROM users WHERE username=SUPPLIED_USER AND password=SUPPLIED_PASS For those of you who are not familiar with the SQL language, in SQL the character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user. In this example we see that the username and password supplied are inserted into the query between the and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied). Now, what happens if a user types a character into the username or password field? Well, by putting only a into the username field and living the password field blank, the query would become: SELECT * FROM users WHERE username= AND password= This would trigger an error, since the database engine would consider the end of the string at the second and then it would trigger a parsing error at the third character. Lets now what would
  • 2. happen if we would send this input data: Username: OR a='a Password: OR a='a The query would become SELECT * FROM users WHERE username= OR a='a AND password= OR a='a Since a is always equal to a, this query will return all the rows from the table users and the server will think we supplied him with valid credentials and let as in the SQL injection was successful . Now we are going to see some more advanced techniques.. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table: CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128)) Theres a single row in that table with data: username: testuser password: testing email: testuser@testing.com To check the credentials I made the following query in the PHP code: $query=select username, password from users where username=.$user. and password=.$pass.; The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server). So, last time I showed you how SQL injection basically works. Now Ill show you how can we make more complex queries and how to use the MySQL error messages to get more information about
  • 3. the database structure. Lets get started! So, if we put just an character in the username field we get an error message like You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and password= at line 1 Thats because the query became select username, password from users where username= and password= What happens now if we try to put into the username field a string like or user=abc ? The query becomes select username, password from users where username= or user=abc and password= And this give us the error message Unknown column user in where clause Thats fine! Using these error messages we can guess the columns in the table. We can try to put in the username field or email= and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with or email=testuser@testing.com in both the username and password fields and our query becomes select username, password from users where username= or email=testuser@testing.com and password= or email=testuser@testing.com which is a valid query and if that email address exists in the table we will successfully login! You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field or user.test= and you will see an error message like Unknown table user in where clause Fine! Lets try with or users.test= and we have Unknown column users.test in where clause
  • 4. so logically theres a table named users . Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use these informations in an attack. Copied with permission from: http://plrplr.com/33208/how-bad-guys-hack-into-websites-using-sql- injection/