By Susam Pal
Prerequisite: SQL, HTML
SQL injection is a technique for exploiting web applications that use client-supplied data directly in SQL queries without checking for potentially harmful characters. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.
Bypassing login systems: The login systems can be bypassed with what is called a single quote trick. We'll discuss the trick in detail but first, let us understand how SQL plays an important role in the login systems. Let's say there is a login page. Let us suppose we enter the login information as:
This information becomes a part of an SQL query. The following is an example of one such possible query.
SELECT * FROM Members WHERE id='hacker' AND pass='something'
The query runs against a table containing all the valid LoginIDs and the Passwords. The output is a list of records which match the information entered by the user. In this case, modifying the login information to something like this will allow us to login without knowing the correct user name and password.
LoginID: hi' OR 1=1 --
Now the resulting SQL query is:
SELECT * FROM Members WHERE id='hi' OR 1=1 --' AND pass='something'
A double dash (--) tells the MS SQL server to ignore the rest of the query. Sometimes, it may be possible to replace double dash with single hash (#).
So the condition in the WHERE clause is always true. Thus there is always an output to this query which allows the user to log in.
Viewing Extra Information: Sometimes, this vulnerability allows us to access information much more than what we are actually supposed to. The following is an example of a URL which lists information regarding "food".
The ASP file might contain the following code.
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
As we can see, our input will replace v_cat and thus the SQL statement should become:
SELECT * FROM product WHERE PCategory='food'
Now, assume that we change the URL into something like this:
http://www.someserver.com/index.asp?category=food' OR 1=1 --
Now, our variable v_cat equals to "food' OR 1=1 -- ", if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' OR 1=1 --'
The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try:
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result. Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Plugging the Loopholes: Characters like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carriage return, new line, etc. should be filtered out in all strings from:
- Input from users
- Parameters from URL
- Values from cookie