This post covers SQL injection: how to test for it, the mechanisms that prevent it, an example attack, and the types of injection.
Injection attacks affect many technologies. They become possible when there is no strict separation between program instructions and user input.
The typical structure of a program is:
|input| ---> | internal logic | ---> |output|
A program expects input in order to run, and if proper restrictions are not placed on that input, an attacker can interfere with the system.
Injection refers to adding an attacker-controlled instruction to an existing query.
An injection attack requires three components:
1. Technology identification
2. Transmission Process
3. Input that is prone to attack
Technology identification is the process by which attackers learn about the system: the web language in use and the processing behind it. The web language can often be guessed by looking at the web page, but more detail can be obtained by viewing:
1. The error page
3. The page source (view source)
Any technology, if loosely coded, can be broken by a skilled attacker. The tools used for identification include:
3. THC-amap
Transmission process: how data is sent to the server. Remember our college days, when we used to develop web-based projects? Exactly: GET and POST.
GET sends the user input to the server through the URL.
POST sends the user input through SSL, that is, through a secure mechanism.
So if GET is used, people can easily manipulate the input. Attackers are smarter now; they can also manipulate:
1. Hidden HTML forms
2. HTTP headers
Input that is prone to attack: check out the error page.
Say there is a login page with an id and a password as input. The user enters the id and password and clicks the submit button.
The form sends the data in a secure manner.
The server then reads the submitted values:
    String username = req.getParameter("user_name");
    String password = req.getParameter("password");
The query might be:
select id from user_table where user_name='username' and password='password'
The code that builds and runs the SQL query will be (user input is concatenated straight into the SQL text):
    String query = "select id from user_table where " + "user_name='" + username + "' and " + "password='" + password + "'";
    ResultSet rs = stmt.executeQuery(query);
    int id = -1;
    while (rs.next()) id = rs.getInt("id");
If the coder has not handled the following inputs in the backend SQL:
1. ' or 1=1 --
2. ') or 1=1 --
an attacker can trap the SQL. The query becomes:
select id from user_table where user_name='' or 1=1 --' and password='password'
In SQL, everything after -- is ignored: it tells the SQL parser that everything to the right is a comment, and the SQL engine skips it.
So the query becomes:
select id from user_table where user_name='' or 1=1
The WHERE clause matches rows where user_name is the empty string or where 1=1 is true.
Since 1=1 is always true, the query returns every user in the table.
The important point: even if ' or 1=1 fails to get past the application's check, it may still produce an error message such as:
1. Many ids match the same criteria on the XYZ table
2. Error in query execution on table EMP_table
3. Sometimes the error message even reports the procedure name along with the table.
This is exactly what an attacker needs, so he will succeed.
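The following is an added example, not code from the original post. It reproduces the concatenated login query above in Python against a constructed in-memory SQLite table (sqlite3 accepts the same -- comment syntax), shows the post's first test input returning every row from the vulnerable version and no rows from the parameterized version, and, for the error-message section, contrasts a handler that returns raw database error text with one that returns a generic message and logs the detail server-side. The table name, column names, sample users and the handler names are assumptions; plain-text passwords only mirror the post's query shape.

```python
import logging
import sqlite3

# Constructed sample data, not from the original post. Passwords are stored in
# plain text only to mirror the post's query; real systems store password hashes.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")]


def make_db():
    """Build an in-memory user_table with the same columns the post's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_table (id, user_name, password) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The post's pattern: user input is concatenated into the SQL text, so a quote
    and a comment marker in the input change the structure of the query."""
    query = (
        "SELECT id FROM user_table WHERE user_name='" + username
        + "' AND password='" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query).fetchall())


def safe_login(conn, username, password):
    """Parameterized query: the SQL text is fixed and the driver passes the input as
    values, so quotes and '--' in the input are compared literally, never parsed."""
    query = "SELECT id FROM user_table WHERE user_name=? AND password=?"
    return sorted(row[0] for row in conn.execute(query, (username, password)).fetchall())


def vulnerable_handler(conn, username, password):
    """Anti-pattern from the post's error-message section: the raw database error
    text is returned to the user, exposing query and schema details."""
    try:
        ids = vulnerable_login(conn, username, password)
    except sqlite3.Error as exc:
        return {"status": "error", "message": str(exc)}
    if len(ids) == 1:
        return {"status": "ok", "user_id": ids[0]}
    return {"status": "denied", "message": "Login failed."}


def hardened_handler(conn, username, password):
    """Parameterized query plus a generic error message; the detail (including the
    offending input) goes to the server-side log, not into the response."""
    try:
        ids = safe_login(conn, username, password)
    except sqlite3.Error as exc:
        logging.getLogger("login").error(
            "login query failed for user_name=%r: %s", username, exc
        )
        return {"status": "error", "message": "Login failed."}
    if len(ids) == 1:
        return {"status": "ok", "user_id": ids[0]}
    return {"status": "denied", "message": "Login failed."}


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"  # the post's first test input
    print("vulnerable:", vulnerable_login(db, payload, "anything"))  # every id
    print("parameterized:", safe_login(db, payload, "anything"))  # no rows
    # The post's second input breaks this query's syntax; only the vulnerable
    # handler lets the raw error text reach the user.
    print("raw error:", vulnerable_handler(db, "') or 1=1--", "x"))
    print("hardened:", hardened_handler(db, "') or 1=1--", "x"))
```

Run it as a script to see the four outcomes side by side. The defensive point is in safe_login: the query string never changes, so no input can alter it, and the hardened handler adds the second control the post's error-message list calls for, keeping table and procedure names out of anything the user sees.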
Most web forms have no mechanism in place to validate user input, so this is an area for a test engineer to cover.
Just remember two things:
1. It will not give tabulated output.
2. It is a mechanism of inserting one query inside another query.