PDA

View Full Version : Moonbat's Guide to SQL Injections



Moonbat
11-13-2006, 10:13 PM
Ah, here we go.

http://www.w*schools.com/sql/default.asp

You can learn all about SQL and what it's for here. I'm not gonna try to explain all of that, this is only for injections.
------------------------------------------------

Now, suppose you are at a site called www.candycanestotehmax.com. You have to login to this site to see the candy canes. The login page is like this:


www.candycanestotehmax.com/login.php

Now you try logging in with a bogus name and password. The URL now becomes something like:


www.candycanestotehmax.com/login.php?user=johnny&password=nicetry

You obviously weren't able to log in. But now you want to see if the login is vulnerabel to SQL injection. Try playing around a bit with the URL.


www.candycanestotehmax.com/login.php?user=a'&password=*=*
OR

www.candycanestotehmax.com/login.php?user=*=*&password=*'
OR
Some other combanation, there should be apostrophes and/or equal statements (*=*) because these tend to confuse servers.

Anyways, you should see some wierd error, but if you don't, don't fret, there still could be a vulnerability (known as Blind SQL Injection).

-----------------------------------------------

Well now suppose you've found a vulnerablitly to SQL injections on candycanestotehmax.com. Break down the URL and convert it into SQL. When you see this URL:


www.candycanestotehmax.com/login.php?user=johnny&password=nicetry

It's actually sending two SQL queries, one for a username match and one for a passowrd match. It looks like this (let's assume the name of the table is "login"):


SELECT username FROM login WHERE username='johnny'
SELECT password FROM login WHERE password='nicetry'

But there is no username johnny or password nicetry in the database, so therefore you can't login. But now you know a vital piece of info: The table "login" contains all the usernames and passwords. It would be nice if we could view this table.
------------------------------------------

So we find somewhere where we can enter text, sometimes this is the login field, other times you actually have to enter it in the URL, usually after the ? in a php page. But assume you have to enter it in the login. In the username field, enter a command so you can view the usernames on the table "login".


SELECT username FROM login

This would display the list of usernames in the table login. You can go back and edit the injection so it shows you the passwords also.
------------------------------------------

Well, thanks for reading my tutorial, I hope you learn something:D

-Moonbat

Troll
11-13-2006, 10:54 PM
I hope you learn something

Actually, i learnt a lot :) Thanks

Is this vulnerability common?

Moonbat
11-13-2006, 11:03 PM
Well, I personally haven't seen it anywhere, mostly because most forums are made with good programs (VBullitein, phpBB, etc.) that usually protect against this kind of stuff.

Troll
11-13-2006, 11:23 PM
Okay. It's still very useful to know... just incase :p

Ezekiel
11-14-2006, 08:37 AM
Actually, i learnt a lot :) Thanks

Is this vulnerability common?

It's common in any web application that checks usernames/passwords against those in a database without filtering input. All it takes is a google search for inurl:login to find potential targets.