Monday, 06 December 2010

SQL Attack

This I found on the internet. When I first randomly typed any password, it gave an SQL error saying "zero rows selected" along with the incorrect-password message. So I thought of using SQL string injection. Applications that build SQL from user input are weakest around the login form and URL strings. So the idea is that you give these values in the login form:

user : ' OR 1=1--

password : ' OR 1=1--


and voila, you are in. Other possible strings for the password are:

  • ' OR a=a--
  • ' or 0=0 #
  • ") or ("a"="a
  • ') or ('a'='a

So what is the idea behind this:

When you click "login" or "enter" on the web page, the variables 'userid' and 'password' are pasted into the SQL statement. The underlying query is:

SELECT * FROM auth_db WHERE username = '$userid' AND password = '$password'


So if you have entered username = admin and password = test123, the query executed will be:

SELECT * FROM auth_db WHERE username = 'admin' AND password = 'test123'


So in auth_db, if the userid and password are correct, the corresponding row will be selected, and as the number of rows returned is > 0 you will be granted access. But if the password is incorrect, it will return zero rows and permission won't be granted. But if you use SQL string injection, putting ' OR 1=1-- as both the username and the password, the query executed will be:

SELECT * FROM auth_db WHERE username = '' OR 1=1--' AND password = '' OR 1=1--'


Because a pair of hyphens designates the beginning of a comment in SQL, everything after the first -- is ignored and the query simply becomes:

SELECT * FROM auth_db WHERE username = '' OR 1=1


The expression 1=1 is true for every row in the table, and a true expression OR'd with any other expression is always true. So, assuming there is at least one row in the users table, this SQL will always return a nonzero count of records, and you are logged in. In some cases the application filters the = character out of input strings and does not let it through, hence the trick is to use:

' OR userid LIKE '%%


So the resultant query will be:

SELECT * FROM auth_db WHERE username = '' OR userid LIKE '%%' AND password = '' OR userid LIKE '%%'

Every string matches '%%', so the query returns a nonzero number of rows and you are granted access.
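To show the mechanism from the defender's side, here is an added example (not code from the original post) that runs the login query described above against an in-memory SQLite table. It assumes a table auth_db(username, password) holding two constructed accounts, builds the statement by string concatenation exactly as the post describes, and beside it shows the parameterised form in which the same ' OR 1=1-- input is compared as a plain value and never alters the WHERE clause.

```python
import sqlite3

# Constructed sample accounts for the demo (not data from the original post).
SEED_ROWS = [("admin", "s3cret"), ("alice", "wonderland")]

# The injection string quoted in the post, used here to show what the server sees.
INJECTION = "' OR 1=1--"


def make_db():
    """Create an in-memory auth_db table shaped like the post's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_db (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO auth_db VALUES (?, ?)", SEED_ROWS)
    return conn


def build_vulnerable_query(userid, password):
    """String concatenation, the pattern the post describes.

    Quotes and '--' inside the input become part of the statement text,
    so the database cannot tell data from code.
    """
    return ("SELECT * FROM auth_db WHERE username = '" + userid
            + "' AND password = '" + password + "'")


def vulnerable_login(conn, userid, password):
    """'Logged in' if the concatenated query returns at least one row."""
    rows = conn.execute(build_vulnerable_query(userid, password)).fetchall()
    return len(rows) > 0


def safe_login(conn, userid, password):
    """Parameterised query: the driver sends the input as bound values, so
    ' OR 1=1-- is compared literally against the username column and the
    '--' never reaches the SQL parser. (A real login would compare a hash.)"""
    rows = conn.execute(
        "SELECT * FROM auth_db WHERE username = ? AND password = ?",
        (userid, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(INJECTION, INJECTION))
    print("concatenated, injected input :", vulnerable_login(db, INJECTION, INJECTION))
    print("parameterised, same input    :", safe_login(db, INJECTION, INJECTION))
    print("parameterised, real creds    :", safe_login(db, "admin", "s3cret"))
```

Running the block prints the expanded statement, which matches the one shown above, then True for the concatenated version and False for the parameterised one given the same input. The bound value is treated as data, so the LIKE '%%' variant is defeated the same way. The "zero rows selected" error the author saw and the plaintext password column in this demo table are separate weaknesses that parameterisation does not address.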

Not all SQL injection attacks involve forms authentication. All it takes is
an application with some dynamically constructed SQL and untrusted user input.
Most SQL-compliant databases, including SQL Server, store metadata in a series
of system tables with the names sysobjects, syscolumns, sysindexes, and so on.
This means that a hacker could use the system tables to ascertain schema information
for a database to assist in the further compromise of the database. For example,
the following text entered into the txtFilter textbox might be used to reveal
the names of the user tables in the database:


' UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' --


The UNION statement in particular is useful to a hacker because it allows him to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database onto the original query of the Products table. The only trick is to match the number and datatypes of the columns to the original query. The previous query might reveal that a table named Users exists in the database. From there, with further queries, an attacker can work toward control of the database.




********************************************************************************

WARNING: the information provided is for educational purposes only and not
to be used for malicious purposes. I hold no responsibility.

********************************************************************************
