- What is SQL Injection?
A SQL injection or SQLI attack consists of injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
A web application is vulnerable to an SQL injection attack if an attacker is able to insert SQL statements into an existing SQL query of the application. This is usually achieved by injecting malicious input into user fields that are used to compose the query.
- SQLI Example:
Consider a web application that uses a query shown in Step 1 for authenticating its users.
SQL Injection Step 1:
SELECT * FROM Users WHERE User = 'john' AND Password = 'doe'
This query retrieves the ID and LastLogin fields of user john with password doe from table Users. In this example, a login page prompts the user to enter her username and password into a form. When the form is submitted, its fields are used to construct an SQL query shown in Step 2 that authenticates the user.
SQL Injection Step 2:
sqlQuery = "SELECT * FROM Users WHERE User = '$username' AND Password = '$password'"
If the login application does not perform correct input validation of the form fields, the attacker can inject strings into the query that alter its semantics. For example, consider an attacker entering user credentials such as the ones shown in Step 3.
SQL Injection Step 3:
User: ' OR 1=1 -- Password: anything
Using the provided form data, the vulnerable web application constructs a dynamic SQL query for authenticating the user as shown in Step 4.
SQL Injection Step 4:
SELECT * FROM Users WHERE User = '' OR 1=1 -- ' AND Password = 'anything'
The "--" command indicates a comment in Transact-SQL. Hence, everything after the first "--" is ignored by the SQL database engine. With the help of the first quote in the input string, the user name string is closed, while the '' OR 1=1 adds a clause to the query which evaluates to true for every row in the table. When executing this query, the database returns all user rows, which applications often interpret as a valid login.
- SQLI Helper:
SQLI Helper is handy software to hack website by injecting SQL query to the database.
Download SQLI Helper from here.
1. Web application developers need to consider malicious input data and sanitize it properly before using it to construct dynamically generated SQL queries.
2. A straight-forward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string(); before sending the SQL query:
$query = sprintf("SELECT * FROM 'Users' WHERE UserName='%s' AND Password='%s'", mysql_real_escape_string($username), mysql_real_escape_string($password)); mysql_query($query);
3. Another way of helping developers is to implement user data encoding within the web server application environment. For example, Microsoft implemented such security checks in their .NET framework.
For educational purpose only...Do not misuse it...