
SQL Injection

Injection attacks persist across many technologies. They happen when there is no strict separation between program instructions and user input.
A typical program has this structure:

|input| ---> | internal logic | ---> |output|

A program expects input in order to run, and if proper restrictions are not placed on that input, an attacker can alter what the system does.
Injection means appending an instruction of the attacker's own to the existing query.

An injection attack requires three components:
1. Technology Identification
2. Transmission Process
3. Inputs that are prone to attack

1. Technology Identification: This is the process where the attacker gains knowledge about the system, such as the web language in use and the backend processing behind it. The web language can often be identified just by looking at the web page, but more details can be obtained by viewing
1. Error pages
2. JavaScript error details
3. The page source
Every technology, if loosely coded, can be cracked by a smart hacker. The tools we use are:
1. Nessus
2. Nmap
3. THC-Amap
2. Transmission Process:
How the data is sent to the server. Remember our college days, when we used to develop web based projects: exactly, GET and POST.
GET sends the user input to the server through the URL (the query string).
POST sends the user input in the body of the HTTP request. Neither method is secure by itself: POST only keeps the input out of the address bar and the server logs, and both travel in the clear unless the site uses SSL/TLS. From the server's point of view, a POST body is just as attacker-controlled as a URL.

So if GET is used, anyone can manipulate the input simply by editing the URL. But hackers are smarter than that; they can also manipulate
1. Hidden HTML form fields
2. HTTP headers
3. Cookies

Even the backend Asynchronous JavaScript and XML (AJAX) calls can be manipulated; a few days back Orkut was still accepting such manipulated requests.
Tools are
1. WebScarab
2. Burp

3. Inputs that are prone to attack: check out the error page.

Say there is a login page with id and password as input. The mechanism is: the user types an id and a password and clicks the submit button. The form sends the data with POST (which, remember, is not a security measure; the request body is as easy to tamper with as the URL):

<form name="form1" method="post" action="login">

The server catches the information (in a servlet, using java.sql.Statement and java.sql.ResultSet) with

String username = req.getParameter("user_name");
String password = req.getParameter("password");

The query the coder has in mind is

select id from user_table where user_name='username' and password='password'

and it is built by string concatenation, which is the vulnerable pattern this post is about:

String query = "select id from user_table where " +
               "user_name='" + username + "' and " +
               "password='" + password + "'";
ResultSet rs = stmt.executeQuery(query);
int id = -1;
while (rs.next())
    id = rs.getInt("id");

Now,
if the coder has not handled the following vulnerability points in the backend SQL

1. ' or 1=1 --
2. ') or 1=1--

they can trap the SQL. The first form fits the query above; the second is for a coder who wrapped the condition in parentheses, because the ) has to close that parenthesis before the comment can swallow the rest. Entering ' or 1=1 -- as the username makes the query
select id from user_table where user_name='' or 1=1 -- ' and password='password'
In SQL everything after -- is ignored: it tells the SQL parser that everything to the right is a comment, and the engine discards it.
So the query becomes
select id from user_table where user_name='' or 1=1
Instead of returning zero rows, the select now returns a row for every user, because 1=1 is always true and the where clause no longer checks the password at all. The loop leaves id set to the last id returned, and the application logs the attacker in as that user without knowing any password.
The important point: even if ' or 1=1 fails to get past the application, the attempt may produce an error message such as
1. Many ids are matching with the same criteria on XYZ table
2. Error in query execution on table EMP_table
3. Sometimes the error message even reports the procedures and table names involved.
This is exactly what a hacker needs, so he will succeed.
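The login example above, worked end-to-end as an added example (this is not code from the original post): a Python sqlite3 version of the servlet's concatenated query next to a parameterised one, run against a constructed three-user table. It goes a little beyond the post by trying both payloads against both query shapes (plain and parenthesised), so you can see which payload bypasses the login and which one only produces the error that the attacker then reads off the error page. The table, column names and users are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; the table and users are assumptions,
# not from the original post.
USERS = [(1, "admin", "s3cret"), (2, "alice", "wonderland"), (3, "bob", "builder")]


def make_db():
    """In-memory database holding the user_table the post's query refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user_table (id integer primary key, user_name text, password text)")
    conn.executemany(
        "insert into user_table (id, user_name, password) values (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password, parenthesised=False):
    """The servlet's logic: build the query by string concatenation and return the
    last id matched, or -1. parenthesised=True models a coder who wrapped the
    condition in ( ), which is the shape the post's second payload ') or 1=1--
    is written for."""
    if parenthesised:
        query = ("select id from user_table where (user_name='" + username
                 + "' and password='" + password + "')")
    else:
        query = ("select id from user_table where user_name='" + username
                 + "' and password='" + password + "'")
    user_id = -1
    for (row_id,) in conn.execute(query):   # same loop as the servlet's while(rs.next())
        user_id = row_id
    return user_id


def login_with_error(conn, username, password, parenthesised=False):
    """Wraps login_vulnerable so a broken query shows up as (-1, error_text) rather
    than a stack trace; that error text is what the attacker reads off the error
    page to learn the query's shape."""
    try:
        return login_vulnerable(conn, username, password, parenthesised), None
    except sqlite3.Error as exc:
        return -1, str(exc)


def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The input is bound as data, so the
    quotes and -- inside it never reach the SQL parser as syntax."""
    user_id = -1
    for (row_id,) in conn.execute(
            "select id from user_table where user_name=? and password=?",
            (username, password)):
        user_id = row_id
    return user_id


if __name__ == "__main__":
    conn = make_db()
    payloads = ["' or 1=1 --", "') or 1=1--"]
    for parenthesised in (False, True):
        shape = "parenthesised" if parenthesised else "plain"
        for p in payloads:
            uid, err = login_with_error(conn, p, "anything", parenthesised)
            print(f"{shape:13} username={p!r:16} -> id={uid} error={err}")
    for p in payloads:
        print(f"parameterised username={p!r:16} -> id={login_safe(conn, p, 'anything')}")
```

Run stand-alone, the plain query is bypassed by ' or 1=1 -- and the parenthesised one by ') or 1=1--; the mismatched payload in each case fails with a syntax error instead, which is the error page the post tells you to look at. The parameterised version returns -1 for both, because the driver never re-parses the bound value as SQL.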

Most web forms have no mechanism in place to validate user input, so this is the scope for a test engineer.
Just remember two things:
1. This attack will not give a tabulated output; it changes the logic of the existing query rather than dumping the table.
2. It is a mechanism of inserting a query fragment inside another query.

contd...