How bad guys hack into websites using SQL Injection

SQL injection is one of the most common vulnerabilities on the web. Here I'll try to explain this kind of vulnerability in detail, with examples of bugs in PHP and possible solutions. If you are not familiar with programming languages and web technologies you may be wondering what SQL stands for. It's an acronym for Structured Query Language (pronounced "sequel"), and it is the de facto standard language for accessing and manipulating data in databases. Nowadays many websites rely on a database (usually MySQL) to store and retrieve data.

Our example will be a common login form. Internet users see these login forms every day: you type in your username and password, and the server checks the credentials you supplied. That is simple, but what exactly happens on the server when it checks your credentials? The client (the user) sends the server two strings, the username and the password. Usually the server has a database with a table where the user data are stored. This table has at least two columns, one for the username and one for the password. When the server receives the username and password strings, it queries the database to see whether the supplied credentials are valid. It uses an SQL statement for that which may look like this:

    SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those not familiar with SQL: the ' character is used as a delimiter for string values. Here it delimits the username and password strings supplied by the user. In this example the supplied username and password are inserted into the query between the ' characters, and the entire query is then executed by the database engine. If the query returns any rows, the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? By putting just a ' in the username field and leaving the password field blank, the query becomes:

    SELECT * FROM users WHERE username=''' AND password=''

This causes an error, because the database engine takes the second ' as the end of the string and then hits a parsing error at the third ' character. Let's see what happens if we send this input instead:

    Username: ' OR 'a'='a
    Password: ' OR 'a'='a

The query becomes:

    SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since a is always equal to a, this query returns all the rows from the users table, the server "thinks" we supplied valid credentials and lets us in. The SQL injection was successful :).

Now we are going to look at some more advanced techniques. My example is based on a PHP and MySQL platform. In my MySQL database I created the following table:

    CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))

There is a single row in that table:

    username: testuser
    password: testing
    email: EMAIL_ADDRESS

To check the credentials I wrote the following query in the PHP code:

    $query="select username, password from users where username='".$user."' and password='".$pass."'";

The server is also configured to print out the errors raised by MySQL (this is useful for debugging, but should be avoided on a production server). So far I have shown how SQL injection basically works. Now I'll show how we can build more complex queries and how to use the MySQL error messages to learn more about the database structure. Let's get started!
So, if we put just a ' in the username field we get an error message like:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1

That's because the query became:

    select username, password from users where username=''' and password=''

What happens if we put a string like ' or user='abc in the username field? The query becomes:

    select username, password from users where username='' or user='abc ' and password=''

and this gives us the error message:

    Unknown column 'user' in 'where clause'

Using these error messages we can guess the columns of the table. If we put ' or email=' in the username field and get no error message, we know that the email column exists in that table. If we know the e-mail address of a user, we can now put ' or email=EMAIL_ADDRESS in both the username and password fields, and the query becomes:

    select username, password from users where username='' or email='EMAIL_ADDRESS' and password='' or email='EMAIL_ADDRESS'

which is a valid query, and if that e-mail address exists in the table we log in successfully.

You can also use the error messages to guess the table name. Since SQL accepts the table.column notation, you can put ' or user.test=' in the username field and you will see an error message like:

    Unknown table 'user' in where clause

Now try ' or users.test=' and you get:

    Unknown column 'users.test' in 'where clause'

so logically there is a table named users :).
Basically, if the server is configured to print out the error messages, you can use them to enumerate the database structure, and that information may then be usable in an attack.
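The two weaknesses the article walks through, the concatenated query and the echoed MySQL error text, are easiest to see side by side in runnable code. The following is an added example, not the article's PHP; it rebuilds the article's users table and test row on Python's built-in sqlite3 module so it runs offline (the e-mail address is a placeholder). It shows the concatenated query accepting the article's ' OR 'a'='a payload while the parameterized version treats the same input as plain data, and it wraps the login check so the engine's error message goes to the server log instead of the client.

```python
import logging
import sqlite3

# Constructed to match the article's table and its single row; the e-mail is a placeholder.
SAMPLE_USERS = [("testuser", "testing", "testuser@example.invalid")]

LOG = logging.getLogger("login")


def make_db():
    """Create an in-memory database holding the article's users table and its one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, user, passwd):
    """The article's pattern: input is glued into the SQL text, so a quote character
    in the input changes the structure of the query. Returns True if any row matches."""
    query = ("select username, password from users where username='" + user
             + "' and password='" + passwd + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, user, passwd):
    """Same check with bound parameters: the engine parses the fixed SQL first and only
    then substitutes the values, so a quote in the input is just a character to compare."""
    query = "select username, password from users where username=? and password=?"
    return conn.execute(query, (user, passwd)).fetchone() is not None


def check_credentials(conn, user, passwd, login_fn=login_parameterized):
    """Run a login routine without letting the engine's error text reach the client.

    Returns (authenticated, message_for_client). The detailed error, which is what the
    article reads column and table names from, is written to the server log only.
    """
    try:
        ok = login_fn(conn, user, passwd)
    except sqlite3.Error as exc:
        LOG.warning("database error during login attempt for user %r: %s", user, exc)
        return False, "Login failed."
    return ok, ("Welcome." if ok else "Login failed.")


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"  # the article's bypass string
    print("concatenated, real credentials :", login_concatenated(db, "testuser", "testing"))
    print("concatenated, bypass payload   :", login_concatenated(db, payload, payload))
    print("parameterized, real credentials:", login_parameterized(db, "testuser", "testing"))
    print("parameterized, bypass payload  :", login_parameterized(db, payload, payload))
    # A lone quote breaks the concatenated query; the client sees only the generic message.
    print("concatenated, lone quote       :", check_credentials(db, "'", "", login_concatenated))
```

Running it prints True for both concatenated calls and True then False for the parameterized pair, which is the whole point: binding parameters removes the bypass without any input filtering. The last line shows the second layer: even with the concatenated query still in place, the client gets "Login failed." rather than the syntax error the article uses to map out the schema, while the full message is kept in the server log where it is useful for debugging and for spotting injection attempts.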
Matija Vidmar is an experienced programmer. He is also interested in computer security, networking and system administration, and internet marketing. He owns a tech blog at calibro.candyham.com