
How bad guys hack into websites using SQL Injection


SQL injection is one of the most common security vulnerabilities on the web. Here I will try to explain this kind of vulnerability in detail, with examples of bugs in PHP code and possible solutions.

If you are not familiar with programming languages and web technologies, you may be wondering what SQL stands for. It is an acronym for Structured Query Language (pronounced "sequel"), and it is the de facto standard language for accessing and manipulating data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and access information.

Our example will be a common login form. Internet users see these login forms every day: you type in your username and password and the server checks the credentials you supplied. That is easy, but what happens on the server when it checks your credentials?

The client (or user) sends two strings to the server: the username and the password.

Generally the server has a database with a table where the users' information is stored. This table has at least two columns, one for the username and one for the password. After the server receives the username and password strings, it queries the database to determine whether the supplied credentials are valid. It uses an SQL statement for this that may look like this:

SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those who are not familiar with the SQL language: in SQL the ' character is used as a delimiter for string values. Here it delimits the username and password strings provided by the user.

In this case we see that the supplied username and password are placed into the query between the ' characters, and the whole query is then executed by the database engine. If the query returns any rows, the supplied credentials are valid (that user exists in the database and has the password that was supplied).

Now, what happens when a person types a ' character into the username or password field? By placing just a ' in the username field and leaving the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger an error, since the database engine would consider the string ended at the second ' and would raise a parsing error at the third ' character. Let's now see what would happen if we sent this input:

Username: ' OR 'a'='a
Password: ' OR 'a'='a

The query would become:

SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since 'a' is always equal to 'a', this query will return all the rows in the users table, and the server will "believe" we supplied valid credentials and let us in: the SQL injection was successful :-).

Now we will look at some more advanced techniques. My example is based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128));

There is a single row in this table, with the following data:

username: testuser
password: testing
email: testuser@testing.com

To check the credentials I wrote the following query in the PHP code:

// Builds the statement by concatenating the raw form input into the SQL text.
// The page drops the name of the password variable; $pass is assumed here.
$query = "select username, password from users where username='" . $user . "' and password='" . $pass . "'";

The server was also configured to print out errors raised by MySQL (this is useful for debugging, but should be avoided on a production server).
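As an added example (not the article's own code), here is the article's concatenated query next to the same check written with a PDO prepared statement, so the login form from the first part and the PHP query above can be exercised side by side. It runs against an in-memory SQLite copy of the `users` table so it works offline, and assumes the `pdo_sqlite` extension is available; `loginConcatenated`, `loginPrepared` and the `$pass` variable are names chosen for this example, and the bypass input is the `' OR 'a'='a` string from the first part of the article.

```php
<?php
// Added example, not the article's code. Assumes the pdo_sqlite extension;
// MySQL handles the quoting and the bound parameters the same way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The article's table and its single row, recreated in memory. The password
// is kept in clear text only to match the article's schema.
$db->exec('CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))');
$db->exec("INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')");

// Vulnerable: the statement is assembled by string concatenation, exactly
// like the article's $query, so a quote in the input changes the SQL.
function loginConcatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "select username, password from users where username='" . $user
         . "' and password='" . $pass . "'";
    return $db->query($sql)->fetch() !== false;
}

// Fixed: the placeholders are compiled first and the input is bound afterwards
// as plain data, so it can never be parsed as part of the statement.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        'select username, password from users where username = ? and password = ?'
    );
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

// The article's bypass input, used here as a test case against both versions.
$bypass = "' OR 'a'='a";

foreach (['loginConcatenated', 'loginPrepared'] as $fn) {
    printf("%-18s real credentials: %s  bypass input: %s\n",
        $fn,
        var_export($fn($db, 'testuser', 'testing'), true),
        var_export($fn($db, $bypass, $bypass), true));
}
```

Run it with `php login.php`. The concatenated version accepts both the real credentials and the bypass input, because the quote in the input terminates the string and the rest becomes part of the WHERE clause; the prepared version accepts only the real credentials, because the bound value is compared as an ordinary string and the quote inside it is never interpreted.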

So far I have shown you how SQL injection basically works. Now I will show how we can build more complex queries, and how to use the MySQL error messages to get more information about the database structure.

Let's get started! If we put just a ' character in the username field, we now get an error message like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' and password=''' at line 1

That's because the query became:

select username, password from users where username=''' and password=''
What happens now when we enter in the username field a string like ' or user='abc? The query becomes:

select username, password from users where username='' or user='abc' and password=''

And that gives us the error message:

Unknown column 'user' in 'where clause'

That's good! Using these error messages we can guess the columns in the table. We can try putting ' or email=' in the username field, and since we get no error message, we know that the email column exists in this table. If we know the email address of a user, we can now just try ' or email='testuser@testing.com in both the username and password fields, and our query becomes:

select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'

This is a valid query, and if this email address exists in the table we will successfully log in!

You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try putting ' or user.test=' in the username field, and you will see an error message like:

Unknown table 'user' in where clause

Fine! Let's try with ' or users.test=' and we get:

Unknown column 'users.test' in 'where clause'

So there is indeed a table named users :-).

Basically, if the server is configured to print out the error messages, you can use them to enumerate the database structure, and you may then be able to use this information in an attack.
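The enumeration just described, and the earlier remark about the server printing MySQL errors, both depend on the raw error text reaching the browser. The added example below (not the article's code) runs one failing statement through two handlers: one that echoes the database error the way the article's server does, and one that logs it under a reference id and returns a fixed message. It uses an in-memory SQLite database and assumes the `pdo_sqlite` extension is available; SQLite's error wording differs from MySQL's, but it still names the missing column, which is the disclosure that matters. `runVerbose`, `runQuiet` and the `$badSql` statement are constructed for this example.

```php
<?php
// Added example, not the article's code. Assumes the pdo_sqlite extension.
ini_set('display_errors', '0');   // production setting: never render errors in the response
ini_set('log_errors', '1');       // ...but keep them in the server log for debugging

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))');

// Constructed failing statement: it references a column that does not exist,
// the same kind of mistake that produced the article's "Unknown column" error.
$badSql = 'select username from users where user = ?';

// Before: the exception text, which names columns and tables, is returned
// to the client. This models the article's server echoing MySQL errors.
function runVerbose(PDO $db, string $sql, array $params): string
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetch() ? 'Welcome' : 'Invalid credentials';
    } catch (PDOException $e) {
        return 'Database error: ' . $e->getMessage();
    }
}

// After: the details go to the server log under a random reference id, and
// the client sees only that id and a fixed message, so nothing about the
// schema is disclosed while the operator can still find the failure.
function runQuiet(PDO $db, string $sql, array $params): string
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetch() ? 'Welcome' : 'Invalid credentials';
    } catch (PDOException $e) {
        $id = bin2hex(random_bytes(4));
        error_log(sprintf('[%s] database error in login: %s', $id, $e->getMessage()));
        return "Login failed (reference $id)";
    }
}

echo 'verbose: ', runVerbose($db, $badSql, ['abc']), PHP_EOL;
echo 'quiet:   ', runQuiet($db, $badSql, ['abc']), PHP_EOL;
```

The verbose handler's output contains the database's own description of the failure, including the column name it could not find; the quiet handler's output contains only the reference id, and the full message appears in the PHP error log (the SAPI log or stderr when run from the command line). Switching `display_errors` off alone is not enough when the application code catches the exception and prints it itself, which is why the generic message is built in the handler rather than left to the PHP configuration.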

Written by sodiart
I am the owner of Sodiart