Introduction to SQL injection

What is SQL injection? It is a type of input manipulation vulnerability. As the name suggests, it is a vulnerability where the attacker manipulates the web application's input in order to inject arbitrary SQL code into the queries the application sends to its database. This vulnerability mainly affects web applications that use a database to store and retrieve data.

Nowadays, most web applications use a database, so the number of web applications potentially affected by this vulnerability is huge. The root cause of the problem is a web application that uses data coming from an untrusted source to dynamically construct a SQL query. If the injection is successful, attackers can:

  • Extract arbitrary data
  • Insert tampered data into the database
  • Bypass authentication, authorization, and access controls
  • Take control of the server by executing OS commands

As you can see, it allows you to do a lot of things in the web application, which, for an attacker, is pretty good.

Imagine we have a login form in our web application. This login form will be handled by our server-side code, which will obtain the username and the password from the POST content. These will be assigned to the variables $name and $pass. Then, these two variables will be used to dynamically construct the SQL statement:

$name = $_POST['UserName'];
$pass = $_POST['UserPass'];

$sql = "SELECT * FROM Users WHERE Username='$name' and password='$pass'";

// Resulting query for the input admin / superRoot:
$sql = "SELECT * FROM Users WHERE Username='admin' and password='superRoot'";

When our users provide a valid username and password such as admin and superRoot, the login will be successful. But what happens if a user includes special characters and SQL structure in his or her input?

Let's imagine the same example, but this time the attacker inserts ' or '1'='1 as both the name and the password. What will happen here? The resulting SQL query is still valid, but it now returns every row from the Users table, since '1'='1' is always true:

$name = $_POST['UserName'];
$pass = $_POST['UserPass'];

$sql = "SELECT * FROM Users WHERE Username='$name' and password='$pass'";

// Resulting query for the input ' or '1'='1 in both fields:
$sql = "SELECT * FROM Users WHERE Username='' or '1'='1' and password='' or '1'='1'";

In the case of this login screen, the application will log the attacker in as the first user returned from the table. Very often, the first user is admin, unless there are users such as Aaron or Charl stored before it.
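To make the difference concrete, here is an added example (not code from the original text) that runs the login query above in two ways against a constructed in-memory SQLite table: once by string interpolation, as in the PHP snippet, and once as a prepared statement with bound parameters. The table contents and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's Users table.
SAMPLE_USERS = [("admin", "superRoot"), ("aaron", "pw1"), ("charl", "pw2")]

# The login-bypass input discussed in the text.
PAYLOAD = "' or '1'='1"


def make_db():
    """Create an in-memory Users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, pw):
    """Builds the query by interpolating the input into the SQL string,
    exactly like the $name/$pass example. Returns the matched usernames."""
    sql = f"SELECT Username FROM Users WHERE Username='{name}' and password='{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    """Same query as a prepared statement: the input is bound as a value,
    so quotes in it can never change the structure of the SQL."""
    sql = "SELECT Username FROM Users WHERE Username=? and password=?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin", "superRoot"))  # ['admin']
    print(login_vulnerable(conn, PAYLOAD, PAYLOAD))      # every user in the table
    print(login_safe(conn, PAYLOAD, PAYLOAD))            # []
```

The interpolated version returns every row for the payload, so the application would log the attacker in as whichever user comes first; the parameterized version returns nothing, because the payload is compared literally as a username.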
