December 4, 2010
MySQL Injection for absolute beginners (PART 1)
Do you like this story?
DISCLAIMER:THIS TUTORIAL IS SOLELY FOR EDUCATIONAL PURPOSE FOR PROTECTING YOUR OWN CODE FROM SQL INJECTIONS. YOU WILL HAVE TO TAKE THE FULL RESPONSIBILITY FOR ANY ACTION U DO AFTER READING THIS TUTORIAL.
Background
This article entitled "MySQL Injection for absolute beginners" intends to provide the complete knowledge and work-how of SQL injection specially targeted on MySQL database except the stacked query parts.
Intro
In this tutorial, I will demonstrate the infamous MySQL injection in newbie perspective so that all the newbies become able to become successful SQL injector. But, be sure to check various PHP & MySQL functions in various sites which will help you a lot...
Now lets begin our walkthrough of SQL injection.
What Is Database?
Just general info.. Database is the application that stores a collection of data. Database offers various APIs for creating, accessing and managing the data it holds. And database(DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulties. DB may hold various critical informations like usernames, passwords, credit cares,etc. So, DB need to be secured but many DB servers running are insecured either because of their vulnerability or because of poor programming handles. To name few DB servers, MySQL(Open source), MSSQL, MS-ACCESS, Oracle, Postgre SQL(open source), SQLite, etc.
What Is SQL Injection?
SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.
In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. So lets head forward on our real walkthrough..
Bypassing Logins
Suppose, a site has a login form & only the registered users are allowed to enter the site. Now, say u wanted to bypass the login and enter the site as the legitimate user. If the login script is not properly sanitized by the programmer, u may have luck to enter the site. U might be able to login into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection??
Let's see an example, where the username admin with the password sam207 can login to the site. Suppose, the SQL query for this is carried out as below:
Code:
SELECT USER from database WHERE username='admin' AND password='sam207'
And if above SELECT command evaluates true, user will be given access to the site otherwise not. Think what we could do if the script is not sanitized. This opens a door for the hackers to gain illegal access to the site.
In this example, the attacker can enter the following user data in the login form:
username:a or 1=1--
password:blank
So, this would make our query as:
Code:
SELECT USER from database WHERE username='a' or 1=1-- AND password=''
Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator which is /*.
So our above query becomes:
Code:
SELECT USER from database WHERE username='a' or 1=1
Now this query evaluates true even if there is no user called 'a' because 1=1 is always true and using OR makes the query return true when one of the query is true. And this gives access to the site admin panel.
There can be various other username and password combinations to play with the vulnerable sites. U can create ur own new combinations for the site login.
Few such combinations are:
Code:
username:' or 1='1 password:' or 1='1
username:' or '1'='1' password:' or '1'='1'
username:or 1=1 password:or 1=1
and there are many more cheat sheets. Just google. In fact, you can create your own such combinations to bypass logins..
That's all about bypassing logins.
Please if you find any bug or error on the code please comment on the box below
NEXT (PART TWO)
Background
This article entitled "MySQL Injection for absolute beginners" intends to provide the complete knowledge and work-how of SQL injection specially targeted on MySQL database except the stacked query parts.
Intro
In this tutorial, I will demonstrate the infamous MySQL injection in newbie perspective so that all the newbies become able to become successful SQL injector. But, be sure to check various PHP & MySQL functions in various sites which will help you a lot...
Now lets begin our walkthrough of SQL injection.
What Is Database?
Just general info.. Database is the application that stores a collection of data. Database offers various APIs for creating, accessing and managing the data it holds. And database(DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulties. DB may hold various critical informations like usernames, passwords, credit cares,etc. So, DB need to be secured but many DB servers running are insecured either because of their vulnerability or because of poor programming handles. To name few DB servers, MySQL(Open source), MSSQL, MS-ACCESS, Oracle, Postgre SQL(open source), SQLite, etc.
What Is SQL Injection?
SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.
In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. So lets head forward on our real walkthrough..
Bypassing Logins
Suppose, a site has a login form & only the registered users are allowed to enter the site. Now, say u wanted to bypass the login and enter the site as the legitimate user. If the login script is not properly sanitized by the programmer, u may have luck to enter the site. U might be able to login into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection??
Let's see an example, where the username admin with the password sam207 can login to the site. Suppose, the SQL query for this is carried out as below:
Code:
SELECT USER from database WHERE username='admin' AND password='sam207'
And if above SELECT command evaluates true, user will be given access to the site otherwise not. Think what we could do if the script is not sanitized. This opens a door for the hackers to gain illegal access to the site.
In this example, the attacker can enter the following user data in the login form:
username:a or 1=1--
password:blank
So, this would make our query as:
Code:
SELECT USER from database WHERE username='a' or 1=1-- AND password=''
Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator which is /*.
So our above query becomes:
Code:
SELECT USER from database WHERE username='a' or 1=1
Now this query evaluates true even if there is no user called 'a' because 1=1 is always true and using OR makes the query return true when one of the query is true. And this gives access to the site admin panel.
There can be various other username and password combinations to play with the vulnerable sites. U can create ur own new combinations for the site login.
Few such combinations are:
Code:
username:' or 1='1 password:' or 1='1
username:' or '1'='1' password:' or '1'='1'
username:or 1=1 password:or 1=1
and there are many more cheat sheets. Just google. In fact, you can create your own such combinations to bypass logins..
That's all about bypassing logins.
Please if you find any bug or error on the code please comment on the box below
NEXT (PART TWO)
About the Author:
Ifeanyi Emeka is the founder of this blog and also writes for Tech Forked. He is passionate about tech stuffs and loves customizing blogger themes.
Popular This Week
MySQL Injection for absolute beginners (PART 1)
2010-12-04T11:36:00Z
dfgdfg
MySQL|MySQL Injection for dummies|mysql injection prevention|
Subscribe to:
Post Comments (Atom)