Thursday, May 26, 2016

How to hack a website using SQL injections | Basic Tutorial for SQL injection [newbies]


Hello guys, I have found that many users want to learn some basics of SQL injection, so I am bringing you a tutorial to help you understand SQL injections, though we have discussed it a lot in previous posts here.
This article is also beneficial for hackers, as it will refresh their concepts of what we really have to do and what to look for in a website URL if we want to hack a website or its database using SQL injection. So guys, read on for a very basic SQL injection tutorial.






Our first question arises:
What are SQL Injections? Basically SQL Injection, or Structured Query Language Injection, is a technique that exploits a loophole in the database layer of the application. This happens when a user, mistakenly or purposely (hackers), enters special escape characters into the username field of the authentication form or into the URL of the website. It is basically a loophole in coding standards. Most website owners don't have proper knowledge of secure coding standards, and that results in vulnerable websites. For better understanding, suppose you opened a website and went to its sign-in or log-in page. Now in the username field you entered something, say Devendra, and in the password box you pass some escape characters like ', ", 1=1, etc. Now if the website owner hasn't handled character strings or escape characters, then the user will surely get to see something that the owner never wanted their users to view. This is basically called Blind SQL.



Some basic requirements for SQL injection:
1. You need a web browser to open the URL and view the source.
2. You need a good editor like Notepad++ to view the source with syntax colouring so that you can easily distinguish between things.
3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc.
What should you look for in a website to detect whether it is vulnerable to SQL injection attack or not [vulnerability assessment]? First of all, you can hack those websites using SQL injection that offer input fields through which a user can provide input to the website, like the log-in page, search page, feedback page etc. Nowadays, HTML pages use the POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source of the HTML and look for the "FORM" tag. You may find something like this in some HTML:

<FORM action=login.aspx method=post>
<input type=hidden name=user value=xyz>
</FORM>
Everything between the <form> and </form> tags contains the crucial information and can help us determine things in more detail.

There is an alternate method for finding vulnerable websites: on websites with the extension ASP, ASPX, JSP, CGI or PHP, try to look for URLs in which parameters are passed. An example is shown below: http://example.com/login.asp?id=10
Now, how to detect whether this URL is vulnerable or not: start with the single-quote trick, taking the sample parameter hi' or 1=1--. In the above URL, id is the parameter and 10 is its value. So when we pass hi' or 1=1-- as the parameter, the URL will look like this: http://example.com/login.asp?id=hi' or 1=1--
You can also do this with a hidden field; for that you need to save the webpage, then change the URL and the parameter field and modify them accordingly. For example:
<FORM action=http://example.com/login.asp method=post>
<input type=hidden name=abc value="hi' or 1=1--">
</FORM>
If luck is on your side, you will get logged into the website without any username or password.
But why ' or 1=1-- ?
Take an ASP page that links you to another page with the following URL:
http://example.com/search.asp?category=
In this URL, 'category' is the variable name and '' is its value.
Here this request fires the following query on the database in the background: SELECT * FROM TABLE-NAME WHERE category='' where 'TABLE-NAME' is the name of a table already present in some database.
So this query returns all the possible entries from the table 'search' that come under the category ''.

Now, assume that we change the URL into something like this: http://example.com/search.asp?category=' or 1=1--
Now our variable 'category' equals "' or 1=1-- ", which fires an SQL query on the database something like: SELECT * FROM search WHERE category='' or 1=1--'
The query should now select everything from the 'search' table, regardless of whether category is equal to '' or not.
A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote (').
Sometimes it may be possible to replace the double dash with a single hash "#".

However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try
' or 'a'='a
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='
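To make the query construction above concrete, here is an added example that is not part of the original post. It rebuilds the post's search lookup in two styles: the vulnerable one, where the category parameter is pasted straight into the SQL text, and a parameterized one, where the value is bound separately. It uses Python's built-in sqlite3 rather than ASP and MS SQL Server, and the table name, columns and rows are constructed for the example; the two injected values are the ones listed above. Running it shows why ' or 1=1-- returns every row from the vulnerable query and nothing from the parameterized one, which is the fix the protection section below is really aiming at.

```python
import sqlite3

# Constructed sample data for this example (not from the post): a tiny
# "search" table with a title and a category column, standing in for the
# post's TABLE-NAME. The "internal" row is what an injected query exposes.
SAMPLE_ROWS = [
    ("Intro to SQL", "tutorials"),
    ("Secure coding guide", "security"),
    ("Private admin notes", "internal"),
]

# The two variants from the post's list, used here only to test both query styles.
INJECTED_WITH_COMMENT = "' or 1=1--"
INJECTED_WITHOUT_COMMENT = "' or 'a'='a"


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search (title TEXT, category TEXT)")
    conn.executemany("INSERT INTO search VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, category):
    """The pattern the post describes: the URL parameter is pasted straight
    into the SQL text, so a quote inside it ends the string literal early and
    whatever follows is parsed as SQL. Returns (query text, matching titles)."""
    query = f"SELECT title FROM search WHERE category='{category}'"
    return query, [row[0] for row in conn.execute(query)]


def search_parameterized(conn, category):
    """Hardened form: the value travels separately from the SQL text as a bound
    parameter, so it is always compared as one literal string and is never
    parsed as SQL, whatever characters it contains."""
    query = "SELECT title FROM search WHERE category=?"
    return query, [row[0] for row in conn.execute(query, (category,))]


def demo():
    """Run a normal lookup and both injected lookups through each query style.
    Returns {"vulnerable" | "parameterized": {case: sorted titles}}."""
    conn = make_db()
    cases = {
        "normal": "tutorials",
        "comment": INJECTED_WITH_COMMENT,
        "no_comment": INJECTED_WITHOUT_COMMENT,
    }
    results = {}
    for name, fn in (("vulnerable", search_vulnerable),
                     ("parameterized", search_parameterized)):
        results[name] = {case: sorted(fn(conn, value)[1])
                         for case, value in cases.items()}
    return results


if __name__ == "__main__":
    conn = make_db()
    # Show the exact SQL the vulnerable function ends up sending: the quote in
    # the parameter closes the string and the "--" comments out the rest.
    print(search_vulnerable(conn, INJECTED_WITH_COMMENT)[0])
    for style, outcome in demo().items():
        print(style, outcome)
```

The vulnerable query's text comes out as SELECT title FROM search WHERE category='' or 1=1--', exactly the string the post derives, and it returns all three rows, including the "internal" one that no category lookup should reach. The parameterized query returns no rows for either injected value because the database looks for a category literally named ' or 1=1--. Binding parameters is the standard defence; filtering out quote and comment characters, as the protection section suggests, is brittle by comparison, since legitimate input such as the name O'Brien contains them and the list of dangerous characters differs between database engines.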
How to protect your own websites from SQL injection? [cyber security]


Filter out characters like ' " - / \ ; , etc. in all strings from:
* input from users
* parameters from the URL
* values from cookies
That's all for today. I hope it really helped you clear your basics about hacking a website or a website database using SQL injection. If you have any queries, ask me in the form of comments.
