Monday, 25 February 2013


What is SQL Injection?

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. Web pages which accepts parameters from user, and make SQL query to the database, are targeted. For Example, A web page with username and password, fires SQL query on the database to check whether a user has entered valid name and/or password or not. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

What is Required?
1) Any Web Browser
2) Some Basic SQL (Structured Query Language) Queries such as 'SELECT', 'INSERT', 'UPDATE', 'DELETE', etc. along with their attributes (i.e Syntax).

What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

Everything between the
tags have potential parameters that might be useful.


You should look for pages like ASP, ASPX, JSP, CGI, or PHP.
Try to look especially for URL that takes parameters, like:

Is it Vulnerable?
Start with a single quote trick. Input something like:
hi' or 1=1--
Into login, or password, or even in the URL. Example:
Login: hi' or 1=1--
Pass: hi' or 1=1--' or 1=1--

You can do this with a hidden field, just view the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.

If luck is on your side, you will get login without any login name or password.

But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:
In this URL 'category' is the variable name and 'sports' is it's value.
Here this request fires following query on the database in background.
SELECT * FROM search WHERE category='sports'
Where 'search' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:' or 1=1--
Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try
' or 'a'='a
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

Countermeasures ?
Filter out character like ' " - / \ ; NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie


Post a Comment