Saturday, January 12, 2008

Basic SQL injection



An SQL injection attack consists of inserting SQL syntax through the input data that the client sends to the application. A successful SQL injection exploit can read data from the database, modify database data, execute administrative operations on the database (such as shutting down the DBMS), and in some cases issue commands to the operating system.

SQL injection attacks fall into three classes:

  • In-band: data is extracted through the same channel that is used to inject the SQL code. This is the most straightforward kind of attack; the retrieved data is shown directly in the application's web page.
  • Out-of-band: data is retrieved through a different channel (e.g. an email containing the results of the query is generated and sent to the tester).
  • Inferential (blind): no data is actually transferred, but the tester can reconstruct the information by sending crafted requests and observing the resulting behaviour of the database server.
Example:

Suppose a web page authenticates users by executing the following query, with $username and $password copied verbatim from the login form:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'

Now suppose we submit the following in the username and password fields of the form:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

The resulting query will be

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Because AND binds tighter than OR, the database evaluates this as Username='1' OR ('1'='1' AND Password='1') OR '1'='1'. The trailing '1'='1' is always true, so the WHERE clause matches every row and the whole Users table (the table used in this particular query, not the entire database) is returned to the user. Note that the payload in the password field is what guarantees this: with only the username injected, the condition would be Username='1' OR ('1'='1' AND Password='<wrong>'), which is false.

But sometimes the developer is more careful and writes the query like this:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))

Now there are two obstacles: the parentheses, and the MD5() call around the password. Injecting the tautology into the password field no longer helps, because the injected text lands inside MD5('...') and is hashed as a string instead of being evaluated as a condition. The parentheses are handled by appending enough closing parentheses to make the injected fragment syntactically complete. The MD5 check is handled by commenting out the rest of the statement, so the password condition is never evaluated at all.

So we submit the following in the form fields:
$username = 1' or '1' = '1'))/*
$password = abc

Note: In Oracle use "--" instead of "/*". In MySQL "--" only starts a comment when it is followed by whitespace, so a "--" payload must end with "-- " (trailing space); "/*" has no such requirement.

The resulting query will be

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('abc')))

Everything after /* is a comment, so the database only evaluates SELECT * FROM Users WHERE ((Username='1' or '1' = '1')), which again matches every row.
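To show both payloads actually working, and the fix, here is an added Python example (not code from the original post) that builds the page's two queries by string concatenation against an in-memory SQLite database, next to a parameterized version of the same check. It assumes a Users table with a clear-text Password column (for the first query) and a PasswordHash column holding MD5 hashes (for the second); the user rows are constructed sample data, and a Python MD5() function is registered because SQLite has none. SQLite treats an unterminated /* as a comment running to the end of the statement, so the payload behaves exactly as described above.

```python
import hashlib
import sqlite3

# Constructed sample accounts for this demo (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "correct-horse")]

# The payloads from the post, exactly as typed into the form fields.
TAUTOLOGY = "1' or '1' = '1"             # example 1: both fields
PAREN_COMMENT = "1' or '1' = '1'))/*"    # example 2: username field
PAREN_DASHDASH = "1' or '1' = '1'))-- "  # same, "--" style (note the trailing space)


def make_db():
    """In-memory Users table. The column layout is an assumption of this example:
    Password holds the clear-text password (first query on the page) and
    PasswordHash holds MD5(password) (second query)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the page's second query runs unchanged.
    # MD5 is used only to match the post; it is not a suitable password hash.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, PasswordHash TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(u, p, hashlib.md5(p.encode()).hexdigest()) for u, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username, password):
    """First query on the page: user input pasted straight into the SQL text."""
    sql = "SELECT Username FROM Users WHERE Username='%s' AND Password='%s'" % (
        username, password)
    return [row[0] for row in conn.execute(sql)]


def login_vulnerable_md5(conn, username, password):
    """Second ('clever') query: parentheses plus MD5(), but still concatenated."""
    sql = ("SELECT Username FROM Users WHERE ((Username='%s') AND (PasswordHash=MD5('%s')))"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """The fix: bound parameters. Input is passed as data and never parsed as SQL."""
    sql = "SELECT Username FROM Users WHERE ((Username=?) AND (PasswordHash=MD5(?)))"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run every scenario and return the usernames each query matched."""
    conn = make_db()
    return {
        # Normal login against the naive query.
        "legit": login_vulnerable(conn, "alice", "s3cret"),
        # Example 1: tautology in both fields -> every row comes back.
        "tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        # Against the MD5 query the same trick fails: the password-field payload
        # is hashed as a string, so the AND is false for every row.
        "md5_tautology_blocked": login_vulnerable_md5(conn, TAUTOLOGY, TAUTOLOGY),
        # Example 2: close the parentheses and comment out the password check.
        "md5_comment": login_vulnerable_md5(conn, PAREN_COMMENT, "abc"),
        "md5_dashdash": login_vulnerable_md5(conn, PAREN_DASHDASH, "abc"),
        # Parameterized query: the payload is just an unknown username.
        "safe_comment": login_safe(conn, PAREN_COMMENT, "abc"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print("%-22s -> %s" % (name, matched))
```

The two vulnerable functions differ only in query shape; what makes login_safe immune is that the driver sends the username and password separately from the SQL text, so the quote, the closing parentheses and the comment marker never reach the parser.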

This was basic SQL injection; you will rarely find a website on which these exact techniques still work. Watch out for advanced SQL injection techniques in upcoming posts.


आशीष कुमार


