
Moonbat's Guide to SQL Injections



Moonbat
03-27-2007, 02:22 PM
This is my little guide to SQL Injections:

Ah, here we go.

http://www.w*schools.com/sql/default.asp

You can learn all about SQL and what it's for here. I'm not gonna try to explain all of that, this is only for injections.
------------------------------------------------

Now, suppose you are at a site called www.candycanestotehmax.com. You have to login to this site to see the candy canes. The login page is like this:


www.candycanestotehmax.com/login.php

Now you try logging in with a bogus name and password. The URL now becomes something like:


www.candycanestotehmax.com/login.php?user=johnny&password=nicetry

You obviously weren't able to log in. But now you want to see if the login is vulnerable to SQL injection. Try playing around a bit with the URL.


www.candycanestotehmax.com/login.php?user=a'&password=*=*
OR

www.candycanestotehmax.com/login.php?user=*=*&password=*'
OR
Some other combination; there should be apostrophes and/or equal statements (*=*) because these tend to confuse servers.

Anyways, you should see some weird error, but if you don't, don't fret, there still could be a vulnerability (known as Blind SQL Injection).

-----------------------------------------------

Well, now suppose you've found a vulnerability to SQL injections on candycanestotehmax.com. Break down the URL and convert it into SQL. When you see this URL:


www.candycanestotehmax.com/login.php?user=johnny&password=nicetry

It's actually sending two SQL queries, one for a username match and one for a password match. It looks like this (let's assume the name of the table is "login"):


SELECT username FROM login WHERE username='johnny'
SELECT password FROM login WHERE password='nicetry'

But there is no username johnny or password nicetry in the database, so therefore you can't log in. But now you know a vital piece of info: the table "login" contains all the usernames and passwords. It would be nice if we could view this table.
------------------------------------------

So we find somewhere where we can enter text, sometimes this is the login field, other times you actually have to enter it in the URL, usually after the ? in a php page. But assume you have to enter it in the login. In the username field, enter a command so you can view the usernames on the table "login".


SELECT username FROM login

This would display the list of usernames in the table login. You can go back and edit the injection so it shows you the passwords also.
------------------------------------------

Well, thanks for reading my tutorial, I hope you learn something :D

-Moonbat
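
The thread's "weird error" is the symptom of the real defect: the values from the URL are pasted straight into the SQL text, so an apostrophe in the input is parsed as SQL syntax rather than compared as data. The following is an added example, not code from Moonbat's post or from any real site. It assumes a made-up "login" table with a single constructed account, uses Python's built-in sqlite3 in place of whatever database the site would use, and checks both columns in one query (the thread sketches two separate queries; the mechanism and the fix are the same either way). It runs the thread's probe values (johnny/nicetry and a'/nicetry) through a concatenating login and a parameterised one side by side: the first raises a database error on the apostrophe, the second simply finds no match.

```python
import sqlite3


def make_db():
    """Constructed sample database: a 'login' table like the one in the
    thread, holding one made-up account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES (?, ?)", ("alice", "correct horse"))
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable form: the URL values are concatenated into the SQL string.
    A quote in the input terminates the literal early, the database sees
    malformed syntax, and the application leaks an error. Returns
    ("error", message) or ("ok", username-or-None)."""
    sql = ("SELECT username FROM login WHERE username='" + user
           + "' AND password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:          # syntax errors surface here
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def login_param(conn, user, password):
    """Hardened form: the SQL text is fixed and the values are bound to '?'
    placeholders, so a quote in the input is only ever compared as data.
    Same return shape as login_concat so the two can be compared directly."""
    row = conn.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (user, password),
    ).fetchone()
    return ("ok", row[0] if row else None)


def probe_results(conn):
    """Run the thread's probe inputs (plus the one valid account) through
    both versions and collect the outcomes keyed by username."""
    probes = [("johnny", "nicetry"), ("a'", "nicetry"), ("alice", "correct horse")]
    return {u: (login_concat(conn, u, p), login_param(conn, u, p))
            for u, p in probes}


if __name__ == "__main__":
    db = make_db()
    for user, (concat, param) in probe_results(db).items():
        print(f"{user!r:10} concat={concat}  param={param}")
```

The behavioural difference is the detection signal the thread describes from the other side of the fence: an application that returns a database error message for an input containing a quote is concatenating user input into SQL. The fix is not to filter apostrophes but to stop building SQL from strings at all; placeholder binding (PDO prepared statements in PHP, parameterised commands in ASP) makes the input irrelevant to the query's structure. Error text from the database should also be logged server-side rather than shown to the user, since the message itself reveals how the query is built.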

natebozung535
03-28-2007, 06:52 PM
Thanks a lot man, I actually learned something for once :). I do have one question though: in your tut it was PHP, and I was kinda fuzzy on whether or not this sort of act could be done on something other than PHP. I did read the w* stuff so I'm pretty sure I understand the basic SQL commands.

Moonbat
03-28-2007, 08:09 PM
Well, the only web language that handles databases besides PHP is ASP, and I've never tried it on an ASP page.

natebozung535
03-28-2007, 11:05 PM
I was trying it on an ASP page earlier, but I didn't get very far, heh.

Ezekiel
03-29-2007, 12:20 PM
Any web language can interact with SQL databases -- SQL databases are separate from web servers and have no way of knowing if data has been requested by PHP or any other language. It just depends on whether the authors made functions for SQL interaction with the popular database servers.

If we're talking about popularity though, PHP, ASP and Perl are the first three that come to mind.

~~smart~fool~~
04-01-2007, 04:27 PM
Hey, Moonbat, you are doing good. I see you got rid of advertising and set some rules. I might come back sometimes.

aabee
01-04-2008, 01:08 PM
Thanks a lot.