Views: 3156 | Replies: 2
Join Date: Jun 2004
Posts: 125
Reputation:
Rep Power: 5
Solved Threads: 1
Hello
This is my tutorial on "SQL INJECTION"; hope it will help many out here.
Basically SQL injection is an attack on weak programming and can have a major effect on databases.
Now let's jump in here:
Consider a form as shown below,
http://www25.brinkster.com/vinothbabu/login.asp
The form accepts a username and password. It would then probably query a database to retrieve some information.
Let us say that this is a bank database and, hypothetically, it has a table user_id with the following
structure shown below:
Username | Password | AccountNumber
The account number is used for all transactions, and will be retrieved from the table when the user
enters his username and password. This would most likely be done by a query like...
Select account_number from user_id where
username='spechacker' and password='jamesbond'
But what happens if the user enters his name as spechacker' instead of spechacker??? The query now becomes...
Select account_number from user_id where
username='spechacker'' and password='jamesbond'
This is an error and so the database server will return an error. This could be something similar
to what's shown below:
Native Error Code:1756
Now from the above we come to know the following....
* We know that we can mangle the query at our will
* We know the database at the back-end. In this case it is Oracle.
Now what if we entered our password as jamesbond' OR 'b' = 'b? The query becomes......
Select account_number from user_id where
username='spechacker' and password='jamesbond' OR 'b'='b'
This is a valid SQL query. Further, it will always yield true since 'b'='b' always yields true.
Hence this will result in an overall true. This means that you could type any password and log in
successfully!
Moving on to other possibilities
We have seen that quoting can wreak all sorts of havoc in the authentication scheme. Another offending string is the '-'.
This is used as a comment in SQL. Now, what if we entered our username as spechacker;-?
The query would be...
Select account_number from user_id where
username='spechacker'--' and password='jamesbond'
As you can see the entire 'where' clause has been eliminated. In short, no password check is performed!
Furthermore, the ';' (semicolon) character is used in SQL to separate two queries. While some databases
ignore this, such as Oracle, others such as MS SQL 2000 and MySQL use it. This is by far the most dangerous. By this the
attacker has access to your databases.
A query such as..
Select account_number from user_id where username='spechacker';
update balance_table set balance_amnt=87497824 where
user='spechacker'--' and password='jamesbond'
can easily be formed by entering a username of:
spechacker';update balance_table set balance_amnt=87497824 where user='spechacker'--
If the user were to use some dangerous query like DROP TABLE, you could be in real trouble!
Many databases have commands that are used to execute shell commands. Some, like PostgreSQL, have
XP_shellexec, which can compromise the entire system by running programs such as FTP to get Trojan
horses.
How to prevent this attack............
1. Escape/filter special characters wherever not required.
Ensure that characters such as ' , ; ( ) - are dealt with properly.
2. Run the web application as the database user with the least possible privileges.
3. Run the web application as an operating system user with the least privileges.
4. Limit the field lengths. No one will enter an 80-character username.
Let us prevent this attack and provide more security to the web.
Thanks
Hope this tutorial will surely help everyone on this board.
Vinoth
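The bank login described in the post above, as an added example that is not part of the original post: Python's sqlite3 module stands in for the post's (unnamed) database driver, using the post's table and column names (user_id, balance_table) and constructed sample rows. It runs the post's quote, OR, comment-out and stacked-update payloads against a string-built query and then against a parameterized one, and adds an assumed allowlist check (username_is_acceptable) for items 1 and 4 of the prevention list. Two SQLite specifics used here: its comment marker is the two-character `--`, and Cursor.execute() refuses a second ';'-separated statement while executescript() runs every statement, which stands in for the databases the post says honour ';'.

```python
"""Added example (not from the DaniWeb post): the post's bank login re-created
on SQLite, attacked with the post's payloads, then fixed with parameters."""
import re
import sqlite3

# The post's stacked payload, verbatim: second statement after ';', tail commented out.
STACKED_PAYLOAD = (
    "spechacker';update balance_table set balance_amnt=87497824 "
    "where user='spechacker'--"
)

# Assumed policy (not from the post): letters, digits, underscore, at most 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create the post's two tables in memory, filled with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE user_id (username TEXT, password TEXT, account_number TEXT);
        CREATE TABLE balance_table (user TEXT, balance_amnt INTEGER);
        INSERT INTO user_id VALUES ('spechacker', 'jamesbond', 'ACC-1001');
        INSERT INTO user_id VALUES ('alice', 'correcthorse', 'ACC-1002');
        INSERT INTO balance_table VALUES ('spechacker', 100);
        INSERT INTO balance_table VALUES ('alice', 5000);
        """
    )
    return con


def build_query(username, password):
    """The post's query with the user input pasted into it: vulnerable by construction."""
    return (
        "SELECT account_number FROM user_id WHERE "
        f"username='{username}' AND password='{password}'"
    )


def vulnerable_login(con, username, password):
    """Run the string-built query through execute(), which accepts one statement.
    Returns the account number, None when nothing matches, or 'ERROR: ...' when
    the mangled SQL fails to parse (the post's 'Native Error' case) or a second
    ';'-separated statement is present (execute() refuses stacked statements;
    older Pythons raise sqlite3.Warning for that, newer ones ProgrammingError)."""
    try:
        row = con.execute(build_query(username, password)).fetchone()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"ERROR: {exc}"
    return row[0] if row else None


def vulnerable_login_stacked(con, username, password):
    """Same string-built query through executescript(), which runs every
    ';'-separated statement, like the databases the post says honour ';'.
    executescript() returns no rows, so only the side effect is visible."""
    con.executescript(build_query(username, password))


def safe_login(con, username, password):
    """Parameterized query: the values travel separately from the SQL text, so
    quotes, '--' and ';' in the input are ordinary characters, never syntax."""
    row = con.execute(
        "SELECT account_number FROM user_id WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def username_is_acceptable(username):
    """Defense in depth for the post's items 1 and 4: allowlist the character
    set and cap the length. Not a substitute for parameterization."""
    return USERNAME_RE.match(username) is not None


def balance_of(con, user):
    """Read a balance back so the stacked UPDATE's effect can be observed."""
    row = con.execute(
        "SELECT balance_amnt FROM balance_table WHERE user=?", (user,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print("lone quote  :", vulnerable_login(con, "spechacker'", "jamesbond"))
    print("OR bypass   :", vulnerable_login(con, "alice", "wrong' OR 'b'='b"))
    print("comment-out :", vulnerable_login(con, "alice'--", "anything"))
    print("stacked/exec:", vulnerable_login(con, STACKED_PAYLOAD, "jamesbond"))
    vulnerable_login_stacked(con, STACKED_PAYLOAD, "jamesbond")
    print("balance now :", balance_of(con, "spechacker"))
    print("safe, same payload:", safe_login(con, "alice'--", "anything"))
    print("allowlist   :", username_is_acceptable(STACKED_PAYLOAD))
```

Running it shows the three failure modes side by side: the lone quote surfaces a driver error, the OR and comment-out payloads log in without the password, and the stacked payload is rejected by execute() but rewrites the balance through executescript(). The parameterized safe_login returns no row for every one of those inputs, which is the fix item 1 of the post is reaching for.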
Join Date: Jun 2004
Posts: 125
Reputation:
Rep Power: 5
Solved Threads: 1
Did this thread not help anyone here?
I need some comments on this.