SQL Injection is one of the most common security vulnerabilities in the web. Here I will try to explain in detail this type of vulnerability, with examples of errors in PHP and possible solutions.
If you are not sure of programming languages ??and Internet technologies, you may be wondering what SQL stay. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It is "de facto" standard language for accessing and manipulating data in databases.
Today most web sites are based on a database (usually MySQL) to store and access data.
Our example is a form of common access. Internet surfers see the login formS every day, you put your username and password and then the server checks the credentials you supplied. Ok, that's simple, but what exactly happens when the server checks the credentials?
The customer (or user) server sends two strings, the user name and password.
Usually, the server will have a database with a table where user data is stored. This table has at least two columns, one to store the username and one for the password. When the server receives chains username and password to query the database to see if the supplied credentials are valid. They will use a SQL statement for those who can look like this:
SELECT * FROM users WHERE username = 'SUPPLIED_USER' and password = 'SUPPLIED_PASS'
For those of you who are not familiar with SQL language, SQL, the character "is used as delimiter string variables. Here we use it to define the username and password string supplied by the user.
In this example we see that the username and password provided in the query are inserted between it and the whole query is then executed by the database engine. If the query returns all rows, then the supplied credentials are valid (the user exists in the database and the password is provided).
Now what happens if a user types a character "in the username or password field? Well, to name just a 'user name in the field and experience the field blank, the query would be:
SELECT * FROM users WHERE username ='''y''password =
This would result in an error because the database engine is considered the end of the string in the second and then would result in a parse error in the third person. Now let's see what would happen if you send us these inputs:
Username: 'OR' a '=' a
Password: 'OR' a '=' a
The query would become
SELECT * FROM users WHERE username =''OR 'a' = 'a' and password =''OR 'a' = 'a'
Since a is always equal to one, this query returns all rows in the table of users and the server "thinks" that came with valid credentials and that, as in - the SQL injection was successful:).
Now let's see some more advanced techniques .. My example is based on PHP and MySQL platform. In my MySQL database I created the following table:
Create users MESA (
username VARCHAR (128),
password VARCHAR (128),
email VARCHAR (128))
Not a single row in that table with the data:
Username: testuser
password: test
email: testuser@testing.com
To check the credentials did the following query in PHP code:
$ Query = "select username, password from users in the user name ='".$ user." 'AND password ='".$ pass ."'";
The server is also configured to print the errors caused by MySQL (this is useful for debugging, but should be avoided in a production server).
Therefore, the last time I showed you how SQL injection works basically. Now I'll show you how we can make more complex queries and the use of MySQL error messages for more information about the database structure.
Let's start! Therefore, if we put just a character in the username you receive an error message like
You have an error in SQL syntax, see the manual that corresponds to your MySQL server version for the right syntax to use near''de''''y password = 'at line 1
That's because the query became
select username, password from users where username ='''and password =''
What happens now if we try to put in the username field a string like "or user = 'abc?
The query becomes
Select username, password from users where username =''or user = 'abc' and password =''
And this gives the error message
Unknown column 'user' in 'where clause'
That's fine! The use of these error messages we can guess the columns of the table. We can try to put in the field Username or e-mail = 'and we have no error message, we know that existing email column in the table. If you know the email address of a user, we can now deal only with '= or e-mail' testuser@testing.com both the username and passwords and it becomes our consultation
select username, password from users in the user name or e-mail =''= 'and password =''testuser@testing.com or email = "testuser@testing.com'
it is a valid query and if the email address exists in the table to be connected to success!
You can also use the error messages to guess the name of the table. Since in SQL can be used table.column notation, you can try to put in the username field "or user.test = 'and see an error message like
Unknown table 'user' in the clause
Very good! Let's try "or users.test = 'and we did
"Users.test 'Unknown column' where clause '
so logically there is a table named users:).
Basically, if the server is configured to raise awareness of the error messages can be used to enumerate the database structure and then you may be able to use this information in an attack.
Topic: How bad guys hack into websites using SQL Injection (Read 1885 times)
