1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Understanding Basic SQL Injection

Discussion in 'Ethical hacking Tips' started by lionaneesh, Jul 7, 2011.

  1. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    SQL injection (also known as SQLI) is a code injection technique that occurs if the user-defined input data is not correctly filtered or sanitized of the ‘string literal escape characters’ embedded in SQL.

    Basically SQLI is a way of injecting and executing arbitrary SQL statements. The whole idea is to make the application execute our arbitrary code which was not intended. In this tutorial we’ll be looking on how a basic SQL code injection can cause the application to mess up its authentication login and which would eventually lead to data access. So what’s the waiting then let’s get started.

    Authentication Bypass (SQL injection)



    Most of the authentication scripts you’ll find on the web are not secured and despite this vulnerability first appeared in 1990’s :snore: there are still many applications vulnerable to this attack.

    How SQL injection works?

    This attack simply exploits bad filtering or sanitizing mechanism in the database layer of an application, this vulnerability gives the room to attackers to basically alter arbitrary SQL code to be executed.

    For example you have a basic SQL statement as follows:-
    Code:
      SELECT * FROM Users where Name = ‘UserInput’;
      
    Now if the page is vulnerable to this kind of attacks then an attacker have the room to alter anything to this SQL statement.
    For Example the attacker can simple add
    Code:
      ‘ or ‘1’ = ‘1
      
    Which would result in :-
    Code:
      SELECT * FROM Users where Name =  ‘’ or ‘1’ = ‘1’
      
    Now if you know some basic SQL you can simply point out that this means that now the application will be forced to get all the users in the table as the statement now includes a or condition i.e ‘1’ = ‘1’ which in any case will always be true.

    Demonstration



    To demonstrate a basic SQL authentication bypass attack I have created a set of some php scripts.

    defines.php
    Code:
      <?php
      $tableName = "badlogin";
      $dbName               = "sqlnjection";
      $sqlServer = "localhost";
      $sqlUser = "root";
      $sqlPass = ""; 
      ?>
      
    functions.php
    Code:
      <?php
    require "defines.php";
    
    function checkTable()
    {
    	global $tableName;
    	$query = "SELECT * from $tableName";
    	$result = mysql_query($query) or die(mysql_error());
    	if($result == FALSE) // Table is not created till
    	createTable();
    }
    function createTable()
    {
    	global $tableName;
    	$query = "CREATE TABLE $tableName(login char(50),pass char(50))";
    	$result = mysql_query($query);
    	$query = "INSERT INTO $tableName(login,pass) values('admin','UnCrACkAbLe')";
    	$result = mysql_query($query);
    }
    function checkCredentials($login,$pass)
    {
    	global $tableName;
    	$query = "SELECT * FROM $tableName WHERE login='$login' AND pass='$pass';";
    	//            echo "<br/>$query<br/>";
    	$result = mysql_query($query) or die(mysql_error());
    	$rowsnum = mysql_num_rows($result);
    	if($rowsnum > 0)
    	{
    		congrats();
    	}
    }
    function congrats()
    {
    	echo"<p class='warning'>Congratulations You just completed the Challenge...</p>";
    	echo"<script type='text/javascript'>alert('Mission Completed');</script>";
    	// The redirection and Points award code should go here
    }
    ?>
    
    sqlInjection.php
    Code:
    <?php
    require "defines.php";
    require "functions.php";
    ?>
    <html>
    <head>
    	<title>Bad Login</title>
    	<link href='style.css' type='text/css' rel='stylesheet'/>
    </head>
    <body>
    	<h1>Welcome to bad Login Please Enter your Credentals</h1>
    	<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    	<table align="center" class="login">
    		<tr>
    			<td>Login</td>
    			<td> : <input type="text" name="login"/></td>
    		</tr>
    		<tr>
    			<td>Password</td>
    			<td> : <input type="text" name="email"/></td>
    		</tr>	
    		<tr>
    			<td><input type="submit" name="go"/></td>
    		</tr>
    	</table>
    	</form>
    <?php   
    if( isset($_POST['login']) && isset($_POST['email']) &&	isset($_POST['go']) )
    {
    	mysql_connect("$sqlServer","$sqlUser","$sqlPass") or mysql_error();
    	mysql_select_db("$dbName") or mysql_error();
    	//checking if table exists
    	checkTable(); // checks if the table exists and create new if not found
    	checkCredentials($_POST['login'],$_POST['email']);
    }
    ?>
    
    </body>
    </html>
    
    Constructing the Attack String :-

    Our main purpose for this scenario is to check is to exploit the vulnerability in the above set of pages and gain access to ‘admin’ account , We can simply do that by the following ways :-

    1. Giving “admin'#” as a username to the application , This means that after writing admin as a username we used ‘#’ to comment any other code after that.
    2. Giving “admin” as username and “ ‘ or ‘1’ = ‘1 “ as password. This would trick the application to use an ‘or always true’ condition which would eventually result in authentication bypass.
    That’s all for this tutorial , Stay tuned for more
     
  2. alssadi

    alssadi Banned

    Joined:
    Dec 11, 2010
    Messages:
    41
    Likes Received:
    3
    Trophy Points:
    0
    Occupation:
    Creative director & web developer
    Location:
    Dubai
    Home Page:
    incredible post love it , and very helpful
     
  3. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    My Pleasure.
     
  4. Mr.sp41t3r

    Mr.sp41t3r New Member

    Joined:
    Jun 14, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    0
    Thanks You :)
     
  5. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    Welcome! :D
     
  6. Scripting

    Scripting John Hoder

    Joined:
    Jun 29, 2010
    Messages:
    421
    Likes Received:
    57
    Trophy Points:
    0
    Occupation:
    School for life
    Location:
    /root
    Really good, but It might be more advanced :)
     
  7. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    MY Please , and the coming articles will be more advanced for sure.
     
  8. Eldadmika

    Eldadmika New Member

    Joined:
    Aug 11, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    tanx. and i need more explanation on sql..
     
  9. JohnAadam

    JohnAadam New Member

    Joined:
    Oct 19, 2011
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    0
    can you suggest what should i choose to do sql injection whether to do it manual or to do it with tools like havij 1.15 .:crazy::confused:
     
  10. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    Tools like Havij , SQLMAP always fail for advanced SQL injections which you'll mostly find on Real World Websites , Using tools like these may allow you to exploit basic and easy SQL injections but often these type of tools misses a lot of them! So i suggest you to stick with manual SQLI testing , and if you are scanning a whole subnet of servers i suggest you to edit some scripts yourself. :)
     
  11. icecube_media

    icecube_media Banned

    Joined:
    Oct 19, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    0
    this is some nice information but what if admin page is not accessible of a website ??
     
  12. JohnAadam

    JohnAadam New Member

    Joined:
    Oct 19, 2011
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    0
    Haa ... the same condition happen with me .

    I got admin username and password but could not found the log in page . :crazy:

    That was a freeky think i tried a lot of think but failed :wacky:
     
  13. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    There are many possible ways of finding a admin panel , I'll write a tutorial on it if possible.
     
  14. JohnAadam

    JohnAadam New Member

    Joined:
    Oct 19, 2011
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    0
    Can you give the link if possible . But i have tried it in Havij were 400 admin log in pages were tested.
     
  15. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    Havij is Just a Automated tool! Finding admin pages , Just dont rely on that! There are several factors which involve a number of steps!
     
  16. JohnAadam

    JohnAadam New Member

    Joined:
    Oct 19, 2011
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    0
    OK i take your advice ... can you post the link....
    Please accept me on gtalk . I had send u an invitation.
     
  17. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    I accepted u on GTALK , I'll get back to u as i have got some time to spare! :) Thanks
     

Share This Page