05.22.06 How Bad Guys Hack Into Websites Using SQL Injection
By Matija
SQL Injection is one of the most common security vulnerabilities on the web. Here I'll try to explain in detail these kinds of vulnerabilities with examples of bugs in PHP and possible solutions.
If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It's the de facto standard language for accessing and manipulating data in databases.
Nowadays most websites rely on a database (usually MySQL) to store and access data.
Our example will be a common login form. Internet surfers see those login forms every day: you put your username and password in and then the server checks the credentials you supplied. Ok, that's simple, but what exactly happens on the server when it checks your credentials?
The client (or user) sends to the server two strings, the username and the password.
Usually the server will have a database with a table where the user data is stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings it will query the database to see if the supplied credentials are valid. It uses an SQL statement for that, which may look like this:
SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'
For those of you who are not familiar with the SQL language, in SQL the ' character is used as a delimiter for string values. Here we use it to delimit the username and password strings supplied by the user.
In this example we see that the username and password supplied are inserted into the query between the ' characters and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:
SELECT * FROM users WHERE username=''' AND password=''
This would trigger an error, since the database engine would consider the string to end at the second ' and would then hit a parsing error at the third ' character. Let's now see what would happen if we send this input data:
Username: ' OR 'a'='a
Password: ' OR 'a'='a
The query would become:
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'
Since 'a' is always equal to 'a', the condition is true for every row: this query returns all the rows from the users table, the server "thinks" we supplied valid credentials and lets us in - the SQL injection was successful :).
Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:
CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))
There's a single row in that table with this data:
username: testuser
password: testing
email: testuser@testing.com
To check the credentials I made the following query in the PHP code:
$query="select username, password from users where username='".$user."' and password='".$pass."'";
The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).
So far I've shown you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to learn more about the database structure.
Let's get started! If we put just a ' character in the username field we get an error message like:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1
That's because the query became:
select username, password from users where username=''' and password=''
What happens now if we try to put into the username field a string like ' or user='abc ? The query becomes:
select username, password from users where username='' or user='abc ' and password=''
and this gives us the error message:
Unknown column 'user' in 'where clause'
That's fine! Using these error messages we can guess the columns in the table. We can try to put ' or email=' in the username field, and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try ' or email='testuser@testing.com in both the username and password fields, and our query becomes:
select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'
which is a valid query, and if that email address exists in the table we will successfully log in!
You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put ' or user.test=' in the username field and you will see an error message like:
Unknown table 'user' in where clause
Fine! Let's try with ' or users.test=' and we have:
Unknown column 'users.test' in 'where clause'
so logically there's a table named users :).
Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use this information in an attack.
About the Author:
The author is a 23-year-old coder. He specializes in computer security, C and PHP coding, networking and server administration.