Wednesday, August 01, 2012

What is SQL Injection? Web Application Vulnerability


A web application (website) stores information such as user details, admin details and passwords in a database. When the developer fails to handle escape characters and data types in user input, the database becomes vulnerable. Breaking into or reading the database through this weakness is known as SQL injection.


What can an attacker do?

  • Bypassing Logins
  • Accessing secret data
  • Modifying contents of website
  • Shutting down the database server

When is a database vulnerable?

This vulnerability occurs when the developer fails to validate the inputs, so the application runs the query without checking the client's input.

Validation of escape characters ( ' )
The database is vulnerable when user input is not filtered for escape characters. For instance, assume you are getting the username and password from the user through a form. In order to check the username and password, you have to fetch the information associated with the user name with the following query.

statement = "select * from `users` where `username` = '" + username + "';";
In the above query, username is the variable that receives the user name entered by the user.

The above query retrieves the data if the username exists in the database. The variable "username" takes the input from the user and passes it directly into the SQL statement without filtering the escape characters. An attacker can enter the following instead of a username to breach the database:
' OR '1'='1
When the attacker enters the above as the user name, the SQL query becomes

select * from users where username='' or '1'='1'

Here username='' is false, but '1'='1' is true. Since the two conditions are joined with OR, it is enough for one of them to be true, so this query bypasses the login.
The above input can be extended with a comment to cut off the rest of the query. SQL supports three different types of comments: /*, --, {{. So the enhanced malicious input with the comment is

' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '
When the attacker enters one of the above as the user name, the SQL query becomes

select * from users where username='' or '1'='1'--'

This query does the same thing, and at the same time it ignores everything after the comment marker.
Through this vulnerability the attacker can do anything with the database. For example, he can insert a new user entry into the database by giving the following input as the username:

hello'; insert into users value('us12', 'pas12'); select * from users where '1'='1';

So the above query becomes
select * from users where username='hello'; insert into users value('us12', 'pas12'); select * from users where '1'='1';

This query inserts us12 as a user and at the same time displays the list of users' information.
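As an added example that is not part of the original post, the following Python script builds the login lookup both ways: by string concatenation, exactly as the post does, and with a parameterized query, where the database driver binds the value so it can never be read as SQL syntax. It uses an in-memory SQLite database with a constructed `users` table; the table, column and function names are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with two users.
    Table and column names are assumptions for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so a quote character
    in it changes the structure of the query (the pattern shown in the post)."""
    sql = "SELECT username FROM users WHERE username='" + username + "'"
    return sorted(conn.execute(sql).fetchall())


def login_parameterized(conn, username):
    """Safe: the ? placeholder is bound by the driver, so whatever the user
    typed is compared as a literal string, quotes and comment markers included."""
    sql = "SELECT username FROM users WHERE username=?"
    return sorted(conn.execute(sql, (username,)).fetchall())


def demo():
    """Run a legitimate lookup and the post's two inputs through both
    functions; returns {label: (rows_from_concatenation, rows_from_parameters)}."""
    conn = make_db()
    out = {
        "legit": (login_concatenated(conn, "alice"), login_parameterized(conn, "alice")),
    }
    for payload in ["' OR '1'='1", "' OR '1'='1' -- "]:
        out[payload] = (login_concatenated(conn, payload), login_parameterized(conn, payload))
    return out


if __name__ == "__main__":
    for label, (concat_rows, param_rows) in demo().items():
        print(f"{label!r}: concatenation -> {concat_rows}, parameters -> {param_rows}")
```

With concatenation, both inputs from the post return every row in the table; with parameter binding they return nothing, because no user is literally named `' OR '1'='1`. Escaping the quote character by hand is the fragile alternative; parameter binding is the check a reviewer should expect to see.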

Validation of Data Type

When the developer fails to check the data type of the input, the database becomes vulnerable.
Let us consider this query.

statement = "select * from `userid` where `id` = " + inputId + ";";

Here id is a numeric column, but inputId is inserted directly without checking its type, so the attacker can enter any kind of data, including a string.
For example, if he enters

1; drop table `userid`;
the query becomes
select * from `userid` where `id`=1; drop table `userid`;
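As an added example, not code from the original post, the following Python script shows the type check the post says is missing: the raw input is accepted only if it is a plain decimal number, and the resulting integer is then bound as a query parameter. The `userid` table follows the post's example; the data, the id range and the function names are assumptions.

```python
import re
import sqlite3

# Assumption for this example: ids are positive integers of at most nine digits.
# fullmatch() means the whole input must be digits; a trailing newline,
# a space, a semicolon or a keyword all cause rejection.
_ID_PATTERN = re.compile(r"[0-9]{1,9}")


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userid (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO userid VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def parse_id(raw):
    """Allow-list validation: return the integer, or raise ValueError.
    A bare int(raw) is not enough, since it also accepts ' 1 ' and '1_000'."""
    if not isinstance(raw, str) or not _ID_PATTERN.fullmatch(raw):
        raise ValueError("id must be a positive integer")
    return int(raw)


def find_user(conn, raw_id):
    """Validate the type first, then bind the value instead of concatenating it."""
    user_id = parse_id(raw_id)
    row = conn.execute("SELECT name FROM userid WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


def check_inputs(conn, inputs):
    """Map each raw input to the looked-up name, None for an unknown id,
    or 'rejected' when validation refuses the input."""
    outcome = {}
    for raw in inputs:
        try:
            outcome[raw] = find_user(conn, raw)
        except ValueError:
            outcome[raw] = "rejected"
    return outcome


def demo():
    """Run valid ids and the post's malicious input through the lookup;
    returns the outcomes and the row count afterwards (the table survives)."""
    conn = make_db()
    outcome = check_inputs(conn, ["1", "2", "99", "1; drop table `userid`;", "1 OR 1=1"])
    remaining = conn.execute("SELECT COUNT(*) FROM userid").fetchone()[0]
    return outcome, remaining


if __name__ == "__main__":
    results, rows_left = demo()
    for raw, result in results.items():
        print(f"{raw!r} -> {result}")
    print("rows still in userid:", rows_left)
```

Validation and parameter binding are separate defences and both are worth keeping: the type check rejects bad input at the edge with a clear error, while binding guarantees that even a value which passes validation is never interpreted as SQL.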

If you take input from the user and pass it straight into the query, your web application is vulnerable. Attackers can do anything with your database using this vulnerability; if they get the admin ID and passwords, they are able to deface your site. So you have to prevent SQL injection. How? Wait..!!! Wait, I will post.

Here is a practical example of SQL injection. This post is for webmasters: they should know about the vulnerabilities of their web application to prevent their website from being hacked.
