What Is SQL Injection & How Does It Work
SQL injection is the most common method employed by hackers to exploit vulnerabilities in software applications. Vulnerabilities are basically weak links in the software that expose unauthorized data/information to a user. SQL injection occurs when user input is incorrectly filtered for embedded SQL statements.
SQL injection vulnerabilities have three forms:
Incorrectly filtered special characters: escape characters
This form of SQL injection occurs when the user manipulates the SQL statement using characters such as '. For instance, consider that you need to enter a username and password while logging into your account. The SQL statement generated will be:
"SELECT * FROM users WHERE password = '" + password + "';"
Now suppose the username and/or password entered is ' or '1'='1. The SQL statement reaching the back end will be:
"SELECT * FROM users WHERE password = '' or '1'='1';"
Look closely at this statement. The database interprets it as: select everything from the table 'users' where the field is equal to '' or 1=1. During the authentication process this condition will always be true, as 1 will always equal 1. In this way the user is given unauthorized access.
Some important inputs used by hackers for the SQL injection technique are:
a) ' or 'a'='a
b) ' or 1=1 --
c) ' or 1=1; --
d) '; select * from *; --
e) ' (single quote; here we look at the error)
f) '; drop table users --
On some SQL servers, such as MS SQL Server, any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of 'username' in the statement below would cause the deletion of the 'users' table as well as the selection of all data from the 'data' table (in essence revealing the information of every user):
a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
Incorrectly handling input data type
This form of SQL injection occurs when the user input is not strongly typed, i.e., the input is not checked against a data type constraint. For example, consider a field where you are asked to enter your phone number. Since a phone number is of numeric data type, the input must be checked to confirm that it is numeric. If it is not checked, the user can send alphanumeric input and embedded SQL statements. Consider the following SQL statement:
"SELECT * FROM user WHERE telephone = " + input + ";"
Now if I can input alphanumeric data, say "11111111;DROP TABLE user", then I have embedded an SQL statement to delete the entire table 'user'. This might prove detrimental to the company!
If the database table name and column names happen to be known, then any user can perform SQL injection using the following inputs:
1. ' having 1=1 --
2. ' group by user.id having 1=1 --
3. ' group by users.id, users.username, users.password, users.privs having 1=1--
4. ' union select sum(users.username) from users--
5. ' union select sum(id) from users --
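The first two forms above, seen from the defender's side, as an added example that is not part of the original article: the concatenated login query is shown beside a parameterized one, and the telephone lookup gets the data type check the second form lacks. It assumes Python's sqlite3 with an in-memory database; the function names, the sample rows and the placement of the telephone column in the users table are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; plaintext passwords only mirror the article's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, telephone INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 11111111), ("bob", "hunter2", 22222222)])
    return db

def login_vulnerable(db, password):
    # The article's pattern: input is concatenated into the statement text, so a
    # quote in the input closes the string literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE password = '" + password + "';"
    return [row[0] for row in db.execute(sql)]

def login_safe(db, password):
    # Parameterized query: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE password = ?"
    return [row[0] for row in db.execute(sql, (password,))]

def find_by_phone(db, raw):
    # Enforce the expected data type before the query, then still bind the value.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("telephone must contain digits only")
    sql = "SELECT username FROM users WHERE telephone = ?"
    return [row[0] for row in db.execute(sql, (int(raw),))]

if __name__ == "__main__":
    db = make_db()
    quoted = "' or '1'='1"  # input taken from the article
    print("concatenated: ", login_vulnerable(db, quoted))
    print("parameterized:", login_safe(db, quoted))
    print("valid phone:  ", find_by_phone(db, "11111111"))
    try:
        find_by_phone(db, "11111111;DROP TABLE user")
    except ValueError as exc:
        print("rejected:     ", exc)
```

The concatenated query returns every user for the quoted input, while the parameterized query returns none and the typed lookup refuses the non-numeric value before any SQL runs.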
Vulnerabilities inside the database server
Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's real_escape_chars() functions.
If the database server is not properly configured, then access to the database can easily be discovered by the hacker.
The hacker can get information about the database server using the following input:
' union select @@version,1,1,1--
1. Extended Stored Procedure Attacks
2. sp_who: this will show all users that are currently connected to the database.
3. xp_readmail, , , , ,@peek='false' : this will read all the mails and leave the message as unread.
In the same way, there is a list of such extended stored procedures that can be used by the hacker to exploit vulnerabilities existing in a software application at the database layer.
So guys, I think you should now be fully aware of what SQL injection is, so in my next post we will discuss how to hack a website's database or website with this method.