» »Unlabelled » SQL Injection (1st in top 10 attacks)
Tuesday 3 July 2012


Introduction
SQL injection is the common website vulnerability found on the internet.Its is a flaw in Web Applications and not in database or webserver.Mostly  programmers are not aware of this threat.SQL Injection is the most prevalent vulnerability in 2010.SQL injections threats are :-


·         Tamper with database records.
·         Spoofing identity.
·         Complete disclouser of data.
·         Destruction of data.
·         Voiding machine’s critical transactions.
·         DoS on server.


By SQL injection attacker can insert SQL query  vai input data from client machine.SQL injection  take advantage of non-validated input  to pass SQL query commands through a web application for execution by database.It is a mostly used attack to either gain unauthorized access of database for retrieving information from it.SQL injectin exploit can be used to read the confidential information,or  to madify data,can perform administrative action on database.Mostly Php and ASP applications are vulnerable to SQL injections.The severity of SQL injectin attacks is limited by attacker’s skill and imagination.
The main consequences are:
  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  • Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  • Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.
  • Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack.

Blind SQL injection
In blind SQL injection when  attacker attempts to exploit ,they will get a generic page specified by the developer,rather then the SQL query error message.That makes the execution of  SQL query injection attack more difficult.But it is possible to attack the remote host by asking a series of true and false questions through SQL statements.
SQL Injection detection
·         Check if the web application connects to a database server in order to access some data.
·         List all input fields,hidden fields, and post request whose values could be used in crafting a SQL query.
·         Attempt to inject code into the input fields to generate an error.
·         Try to insert a string value where a number is expected in input field.
·         The UNION operator is used in SQL injections to joint a query to original query.
·         Detailed error message provide a wealth of information to an attacker in order to execute SQL injection.

SQL  Injection tools


·         BSQLHacker  :- Automated blind SQL injection tool.
·         SQL Power Injector :- Automated SQL injection tool.
·         Havij :- One of the best automated tool used by professionals.
·         Sqlmap:- Also another tool to find the sql injection in website.

 SQL  Based queries
Bypass User Login
The simplest SQL injection technique is bypassing form-based logins. Let's say that
the web application’s code is like this:
SQLQuery = "SELECT Username FROM Users WHERE Username = '" &
strUsername & "' AND Password = '" & strPassword & "'"
strAuthCheck = GetQueryResult(SQLQuery)
If strAuthCheck = "" Then
boolAuthenticated = False
Else
boolAuthenticated = True
End If
Here's what happens when a user submits a username and password. The query will go
through the Users table to see if there is a row where the username and password in the row
match those supplied by the user. If such a row is found, the username is stored in the variable
strAuthCheck, which indicates that the user should be authenticated. If there is no row that
the user-supplied data matches, strAuthCheck will be empty and the user will not be
authenticated.
If strUsername and strPassword can contain any characters that you want, you
can modify the actual SQL query structure so that a valid name will be returned by the query
even if you do not know a valid username or a password. How does this work? Let's say a
user fills out the login form like this:
Login: ' OR ''='
Password: ' OR ''='
This will give SQLQuery the following value:
SELECT Username FROM Users WHERE Username = '' OR ''='' AND
Password = '' OR ''=''
Instead of comparing the user-supplied data with that present in the Users table, the
query compares '' (nothing) to '' (nothing), which, of course, will always return true.
(Please note that nothing is different from null.) Since all of the qualifying conditions in the
WHERE clause are now met, the username from the first row in the table that is searched will be
selected. This username will subsequently be passed to strAuthCheck, which will ensure
our validation.

This how the syntax manipulation work and allow the attacker to get access to confidential information.Try to find and execute SQL injections but for practicing not for harming the websites.All the information is provided here is for Learning purpose.
(SUMIT SHARMA aka AceKapila)
Posted by at 22:27

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)