How_bad_guys_hack_into_websites_using_SQL_Injection by paydot888


									How bad guys hack into websites using SQL Injection

Word Count:

SQL injections are one of the most common vulnerability around the
internet today. There are literally thousands of vulnerable websites
around. This article explains how these attacks work.

sql injection, sql, security

Article Body:
SQL Injection is one of the most common security vulnerabilities on the
web. Here I'll try to explain in detail this kind of vulnerabilities with
examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web
technologies you may be wondering what SQL stay for. Well, it's an
acronym for Structured Query Language (pronounced "sequel"). It's "de
facto" the standard language to access and manipulate data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and
access data.

Our example will be a common login form. Internet surfers see those login
forms every day, you put your username and password in and then the
server checks the credentials you supplied. Ok, that's simple, but what
happens exactly on the server when he checks your credentials?

The client (or user) sends to the server two strings, the username and
the password.

Usually the server will have a database with a table where the user's
data are stored. This table has at least two columns, one to store the
username and one for the password. When the server receives the username
and password strings he will query the database to see if the supplied
credentials are valid. He will use an SQL statement for that that may
look like this:


For those of you who are not familiar with the SQL language, in SQL the '
character is used as a delimiter for string variables. Here we use it to
delimit the username and password strings supplied by the user.

In this example we see that the username and password supplied are
inserted into the query between the ' and the entire query is then
executed by the database engine. If the query returns any rows, then the
supplied credentials are valid (that user exists in the database and has
the password that was supplied).

Now, what happens if a user types a ' character into the username or
password field? Well, by putting only a ' into the username field and
living the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger an error, since the database engine would consider the
end of the string at the second ' and then it would trigger a parsing
error at the third ' character. Let's now what would happen if we would
send this input data:

Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR

Since a is always equal to a, this query will return all the rows from
the table users and the server will "think" we supplied him with valid
credentials and let as in - the SQL injection was successful :).

Now we are going to see some more advanced techniques.. My example will
be based on a PHP and MySQL platform. In my MySQL database I created the
following table:

username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))

There's a single row in that table with data:

username: testuser
password: testing

To check the credentials I made the following query in the PHP code:

$query="select username, password from users where username='".$user."'
and password='".$pass."'";

The server is also configured to print out errors triggered by MySQL
(this is useful for debugging, but should be avoided on a production

So, last time I showed you how SQL injection basically works. Now I'll
show you how can we make more complex queries and how to use the MySQL
error messages to get more information about the database structure.
Lets get started! So, if we put just an ' character in the username field
we get an error message like
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '''' and
password=''' at line 1

That's because the query became

select username, password from users where username=''' and password=''
What happens now if we try to put into the username field a string like '
or user='abc ?
The query becomes

select username, password from users where username='' or user='abc ' and

And this give us the error message
Unknown column 'user' in 'where clause'

That's fine! Using these error messages we can guess the columns in the
table. We can try to put in the username field ' or email=' and since we
get no error message, we know that the email column exists in that table.
If we know the email address of a user, we can now just try with ' or
email=' in both the username and password fields and
our query becomes

select username, password from users where username='' or
email='' and password='' or

which is a valid query and if that email address exists in the table we
will successfully login!

You can   also use the error messages to guess the table name. Since in SQL
you can   use the table.column notation, you can try to put in the username
field '   or user.test=' and you will see an error message like
Unknown   table 'user' in where clause

Fine! Let's try with ' or users.test=' and we have
Unknown column 'users.test' in 'where clause'

so logically there's a table named users :).

Basically, if the server is configured to give out the error messages,
you can use them to enumerate the database structure and then you may be
able to use these informations in an attack.

To top