Vulnerability: SQL injection. Part 1.



  • Vulnerability: SQL injection. Part 1.
    Hello! I will talk about the common SQL injection vulnerability.

    What is SQL injection?
    SQL injection (SQLi) is one of the most dangerous ways to hack a site. An attack via SQL injection is based on embedding arbitrary SQL code into a database query. The most common cause of an SQL injection attack is incorrect handling of the input data that is passed into SQL queries.

    Put more simply, it is an attack on the database that lets you perform an action the script's author did not plan for.

    Example:
    Example 1

    We put a quotation mark into the news ID:

    test.com/index.php?id=1'

    If our query has no filtering, it looks like this:

    $id = $_GET['id'];
    $query = "SELECT * FROM news WHERE id = $id";
    

    The script will understand it like this:

    SELECT * FROM news WHERE id = 1'
    

    If we get an error:

    Warning: mysql_fetch_array() expects parameter 1 to be resource,
    boolean given in F:\TestWeb\domains\test.com\index.php on line 16

    we have found the first type: a numeric input parameter.

    If no error is returned, then either there is no SQL injection here (the quotation marks are filtered out, or the value is simply cast to (int)), or error output is disabled.

    Example 2

    We select news by username and do not filter. We send a request with a quote:

    test.com/index.php?user=GreyTeam'

    We have found the second type: a string input parameter.

    Exploiting SQL injection:

    With any application, wherever SQL injection is exploited, the following three basic rules of injection apply:

    Balancing.
    Injection.
    Commenting out.

    Balancing: the number of opening and closing quotes and brackets must be the same so as not to cause a syntax error. When examining the errors, you need to determine whether quotes and brackets are used, and if so, which ones.

    Injection: the addition to the query, depending on the information we want to obtain.

    Commenting out: cuts off the tail of the query so that it does not break the syntax.

    The comment styles are:

    -- 
    #
    /* */
    

    You can change the logic of the query if you insert:

    Test' OR 1 -- 
    

    It will look like this:

    SELECT `name`, `status`, `books` FROM `members` WHERE name = 'Test' OR 1 -- ' AND password = '111'
    We see that ' AND password = '111' is commented out.
    

    If you remove the commented-out part:

    SELECT `name`, `status`, `books` FROM `members` WHERE name = 'Test' OR 1
    

    Now we have used a logical OR. A logical OR returns true if at least one of the expressions is true. In this case the second expression, 1, is always true. Consequently, all of the table's rows end up in the result.

    In a web application this can produce a result where the data of all users is displayed, even though the attacker did not know their usernames or passwords. In our example, after the value Test we put a single quote (') so that the query remains syntactically correct.

    Queries may look different.

    Numeric input parameter.

    SELECT * FROM table_name WHERE id = 1
    SELECT * FROM table_name WHERE id = '1'
    SELECT * FROM table_name WHERE id = "1"
    SELECT * FROM table_name WHERE id = (1)
    SELECT * FROM table_name WHERE id = ('1')
    SELECT * FROM table_name WHERE id = ("1")
    

    String input parameter.

    SELECT * FROM table_name WHERE id = '1'
    SELECT * FROM table_name WHERE id = "1"
    SELECT * FROM table_name WHERE id = ('1')
    SELECT * FROM table_name WHERE id = ("1")
    

    The main signs of an SQL injection are an error message, or no output at all, when you enter a single or double quote. These characters can also cause an error in the application itself, so make sure you are dealing with SQL injection and not with some other error.
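    The probing step (Examples 1 and 2) and the balancing / injection / commenting-out procedure above, as an added worked example that is not part of the original post. It is a Python script against an in-memory SQLite database rather than the post's PHP and MySQL setup, because SQLite needs no server and accepts the same `' OR 1 -- ` payload; the `members` table, its rows, and all function names are constructed for this demonstration. Two caveats that follow from the post: in MySQL the `--` line comment only works when it is followed by a space (which is why the payloads end in `-- `), and the `#` comment is MySQL-only, so it is not used here.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original post):
# a `members` table like the one in the post's SELECT, with plaintext passwords
# purely so that the injected query visibly bypasses the password check.
MEMBERS = [
    (1, "Demo", "admin", "book1", "111"),
    (2, "GreyTeam", "user", "book2", "s3cret"),
    (3, "alice", "user", "book3", "hunter2"),
]


def make_db():
    """In-memory SQLite database standing in for the post's MySQL server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, name TEXT, status TEXT, "
                "books TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?)", MEMBERS)
    return con


# --- The mistake from the post: user input concatenated straight into SQL ---

def vulnerable_news_by_id(con, id_value):
    """Numeric parameter, unquoted:  WHERE id = <input>"""
    sql = f"SELECT name FROM members WHERE id = {id_value}"
    return con.execute(sql).fetchall()


def vulnerable_login(con, name, password):
    """String parameter in single quotes:  WHERE name = '<input>' AND ..."""
    sql = (f"SELECT name, status, books FROM members "
           f"WHERE name = '{name}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def vulnerable_login_paren(con, name, password):
    """Same query, but the whole condition sits inside brackets, so balancing
    the payload needs a closing ')' as well as a closing quote."""
    sql = (f"SELECT name, status, books FROM members "
           f"WHERE (name = '{name}' AND password = '{password}')")
    return con.execute(sql).fetchall()


# --- The fix: placeholders, plus an explicit cast for numeric input ---

def safe_news_by_id(con, id_value):
    """int() rejects anything that is not a number, and the '?' placeholder
    means the value is bound as data and can never be parsed as SQL."""
    sql = "SELECT name FROM members WHERE id = ?"
    return con.execute(sql, (int(id_value),)).fetchall()


def safe_login(con, name, password):
    sql = ("SELECT name, status, books FROM members "
           "WHERE name = ? AND password = ?")
    return con.execute(sql, (name, password)).fetchall()


def probe(func, con, *args):
    """Step one from the post: send the input and classify what comes back.
    'error'    - the database raised a syntax error (the PHP warning in the
                 post is this same signal surfacing through mysql_fetch_array)
    'rejected' - the application refused the input before it reached SQL
    'ok'       - the query ran; either not injectable or errors are hidden
    """
    try:
        func(con, *args)
        return "ok"
    except sqlite3.OperationalError:
        return "error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    con = make_db()
    # Probing with a single quote, as in the post's two examples.
    print("id=1'     ->", probe(vulnerable_news_by_id, con, "1'"))
    print("user=x'   ->", probe(vulnerable_login, con, "GreyTeam'", "x"))
    print("hardened  ->", probe(safe_login, con, "GreyTeam'", "x"),
          probe(safe_news_by_id, con, "1'"))
    # Balancing + injection + commenting out.  The payload ends in '-- '
    # because MySQL requires the space; SQLite accepts it either way.
    print(vulnerable_login(con, "Test' OR 1 -- ", "111"))         # all rows
    print(vulnerable_login_paren(con, "Test') OR 1 -- ", "111"))  # all rows
    print(safe_login(con, "Test' OR 1 -- ", "111"))               # []
```

    Running the script shows the three outcomes the post describes side by side: the concatenated queries error on a bare quote and return every member once the payload is balanced and the tail commented out, while the placeholder versions treat the same payload as an ordinary (non-matching) string and the `int()` cast refuses the quote before it ever reaches the database. The bracketed variant also shows why balancing comes first: the payload `Test' OR 1 -- ` that works against the plain query leaves an unclosed `(` in the bracketed one and simply errors.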



  • For an environment I recommend XAMPP.

