The document discusses how SQL injection vulnerabilities can allow attackers to hack into websites. It begins by explaining that SQL is used to access and manipulate database data and that many websites store user login credentials in a database. It then shows how submitting malicious SQL code as input can allow an attacker to bypass authentication by manipulating the SQL query used to validate login credentials. Specifically, it demonstrates how adding OR clauses to the username or password fields allows logging in without valid credentials. The document also explains how error messages from failed SQL queries can be used to fingerprint the database structure and design further attacks.
How Bad Guys Hack Into Websites Using SQL Injection
SQL injection is one of the most common security vulnerabilities on the web. Here I'll try to explain this kind of vulnerability in detail, with examples of bugs in PHP and possible solutions.
If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It is the de facto standard language for accessing and manipulating data in databases.
Nowadays most websites rely on a database (usually MySQL) to store and access data.
Our example will be a common login form. Internet surfers see those login forms every day: you put your username and password in and then the server checks the credentials you supplied. OK, that's simple, but what exactly happens on the server when it checks your credentials?
The client (or user) sends two strings to the server, the username and the password. Usually the server will have a database with a table where the user data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings it will query the database to see if the supplied credentials are valid. It will use an SQL statement for that which may look like this:
SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'
For those of you who are not familiar with SQL, the ' (single quote) character is used as a delimiter for string values. Here we use it to delimit the username and password strings supplied by the user.
In this example we see that the supplied username and password are inserted into the query between the ' characters, and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:
SELECT * FROM users WHERE username=''' AND password=''
This would trigger an error, since the database engine would consider the string ended at the second ' and would then raise a parsing error at the third ' character. Let's now see what would happen if we sent this input data:
Username: ' OR 'a'='a
Password: ' OR 'a'='a
The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'
Since 'a' is always equal to 'a', this query will return all the rows from the users table, and the server will think we supplied valid credentials and let us in: the SQL injection was successful.
Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:
CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))
There's a single row in that table with data:
username: testuser
password: testing
email: testuser@testing.com
To check the credentials I wrote the following query in the PHP code (the user-supplied values are concatenated straight into the SQL string):
$query = "select username, password from users where username='" . $user . "' and password='" . $pass . "'";
The server is also configured to print out errors triggered by MySQL (this is useful for debugging,
but should be avoided on a production server).
So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.
Let's get started! So, if we put just a ' character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and password= at line 1
That's because the query became
select username, password from users where username=''' and password=''
What happens now if we try to put a string like ' or user='abc into the username field?
The query becomes
select username, password from users where username='' or user='abc' and password=''
And this gives us the error message
Unknown column 'user' in 'where clause'
That's fine! Using these error messages we can guess the columns in the table. We can put ' or email=' in the username field, and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ' or email='testuser@testing.com in both the username and password fields, and our query becomes
select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'
which is a valid query, and if that email address exists in the table we will successfully log in!
You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can put ' or user.test=' in the username field and you will see an error message like
Unknown table 'user' in where clause
Fine! Let's try with ' or users.test=' and we have
Unknown column 'users.test' in 'where clause'
so logically there's a table named users.
Basically, if the server is configured to give out error messages, you can use them to enumerate the database structure, and then you may be able to use this information in an attack.
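Both the login query built in the PHP code above and the error-message behaviour described in this last part can be replayed against a local stand-in. The following Python script is an added example, not code from the original article: it assumes an in-memory SQLite database as a stand-in for the MySQL setup (same users table, same single row), builds the query by string concatenation exactly as the PHP line does, and places beside it the two fixes the article mentions as "possible solutions" but does not show: a parameterized query, and an error handler that logs the database error server-side instead of returning it to the client.

```python
import logging
import sqlite3

log = logging.getLogger("auth")


def make_db():
    """Constructed stand-in for the article's MySQL table: same columns, same row.
    (Assumption: SQLite is used here so the example runs offline.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))"
    )
    conn.execute("INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')")
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    """Mirrors the article's PHP line: the query is assembled by concatenation.
    Any quote in the input becomes part of the SQL, so the inputs from the text
    either bypass the check or make the database raise; the raised error is
    propagated unchanged, which is what lets the error text map the schema."""
    query = (
        "select username, password from users where username='"
        + user + "' and password='" + pw + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_param(conn, user, pw):
    """Hardened form: placeholders, so the driver binds user and pw as values.
    A quote or an OR clause in the input stays inside the string being compared."""
    query = "select username, password from users where username=? and password=?"
    return conn.execute(query, (user, pw)).fetchone() is not None


def concat_error(conn, user, pw):
    """Returns the error text the concatenated query produces for this input,
    or None when the query parses and runs; used only to demonstrate leakage."""
    try:
        login_concat(conn, user, pw)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def login_handler(conn, user, pw):
    """What a production endpoint should do: use the parameterized query, and
    if the database still raises, log the detail server-side and return a plain
    failure so no error text reaches the client."""
    try:
        return login_param(conn, user, pw)
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = make_db()
    bypass = "' OR 'a'='a"
    print("concatenated, valid creds:  ", login_concat(db, "testuser", "testing"))
    print("concatenated, OR 'a'='a:    ", login_concat(db, bypass, bypass))
    print("parameterized, OR 'a'='a:   ", login_param(db, bypass, bypass))
    print("concatenated, lone quote:   ", concat_error(db, "'", ""))
    print("concatenated, unknown column", concat_error(db, "' or user='abc", ""))
    print("handler, lone quote:        ", login_handler(db, "'", ""))
```

Run as a script it prints True for the concatenated query with the bypass string and False for the parameterized one; the two concat_error calls print the SQLite error text (unterminated string, then an unknown column named user), which is the kind of message the article uses to enumerate columns and the handler never returns.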
Copied with permission from: http://plrplr.com/33208/how-bad-guys-hack-into-websites-using-sql-injection/