SQL injection tutorial: learn through examples
2022-07-26 01:40:00 【allway2】
Data is one of the most important components of an information system. Organizations use database-driven web applications to collect data from customers. SQL is the acronym for Structured Query Language; it is used to retrieve and manipulate data in a database.
What is SQL injection?
SQL injection is an attack that poisons dynamic SQL statements, either commenting out part of the statement or appending a condition that is always true. It takes advantage of design flaws in poorly designed web applications to exploit the SQL statements they build and execute malicious SQL code.
In this tutorial, you will learn SQL injection techniques and how to protect web applications from such attacks.
- How SQL injection works
- Hacking activity: SQL injection on a web application
- Other SQL injection attack types
- SQL injection automation tools
- How to prevent SQL injection attacks
- Hacking activity: SQL injection with Havij
How SQL injection works
The types of attacks that can be performed using SQL injection depend on the type of database engine. The attack works on dynamic SQL statements: statements that are generated at run time from values supplied in a web form or in the URI query string.
Let's consider a simple web application with a login form. The HTML code for the form is shown below.
<form action="index.php" method="post">
<input type="email" name="email" required="required"/>
<input type="password" name="password"/>
<input type="checkbox" name="remember_me" value="Remember me"/>
<input type="submit" value="Submit"/>
</form>
Here,
- The form above accepts an email address and a password, then submits them to a PHP file named index.php.
- It has an option to store the login session in a cookie; we infer this from the remember_me checkbox. It uses the POST method to submit data, which means the submitted values are not displayed in the URL.
Suppose the statement at the backend for checking the user ID is as follows:
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
Here,
- The above statement uses the values of the $_POST[] array directly without sanitizing them.
- The password is hashed using the MD5 algorithm.
We will use SQL Fiddle to illustrate the SQL injection attack. Open the URL http://sqlfiddle.com/ in your web browser. You will see the following window.
Note: you will have to write the SQL statements yourself.
Step 1) Enter this code in the left pane
CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`email` VARCHAR(45) NULL,
`password` VARCHAR(45) NULL,
PRIMARY KEY (`id`));
insert into users (email,password) values ('[email protected]',md5('abc'));
Step 2) Click Build Schema
Step 3) Enter this code in the right pane
select * from users;
Step 4) Click Run SQL. You will see the following results

Suppose the user supplies [email protected] as the email address and 1234 as the password. The statement executed against the database would be
SELECT * FROM users WHERE email = '[email protected]' AND password = md5('1234');
The above code can be exploited by commenting out the password part and appending a condition that is always true. Suppose an attacker provides the following input in the email address field:
[email protected]' OR 1 = 1 LIMIT 1 -- ' ]
with xxx as the password.
The generated dynamic statement is as follows.
SELECT * FROM users WHERE email = '[email protected]' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');
Here,
- [email protected] ends with a single quote, which completes the string literal
- OR 1 = 1 LIMIT 1 is a condition that is always true, and limits the returned results to only one record.
- -- ' AND ... is a SQL comment that eliminates the password part.
Copy the above SQL statement and paste it into the SQL Fiddle Run SQL text box, as shown below
Hacking activity: SQL injection on a web application
We have a simple web application at Login | Personal Contacts Manager that is vulnerable to SQL injection attacks, for demonstration purposes only. The HTML form code above is taken from its login page. The application provides basic security, such as sanitizing the email field. This means the code above cannot be used to bypass the login.
To get around that, we can exploit the password field instead. The diagram below shows the steps you must follow

Suppose an attacker provides the following input
- Step 1: Enter [email protected] as the email address
- Step 2: Enter xxx') OR 1 = 1 -- ] as the password

- Click the Submit button
- You will be directed to the dashboard
The generated SQL statement is as follows
SELECT * FROM users WHERE email = '[email protected]' AND password = md5('xxx') OR 1 = 1 -- ]');
The diagram below shows that the statement has been generated.

Here,
- The input assumes that md5 hashing is used on the password
- It completes the single quote and the closing bracket
- It appends a condition to the statement that will always be true
In general, a successful SQL injection attack tries a number of different techniques, such as the ones demonstrated above, to perform a successful attack.
Other SQL injection attack types
SQL injection can do more harm than just bypassing the login algorithm. Some of the attacks include
- Deleting data
- Updating data
- Inserting data
- Executing commands on the server that can download and install malicious programs such as Trojans
- Exporting valuable data such as credit card details, emails and passwords to the attacker's remote server
- Getting user login details, etc.
The list above is not exhaustive; it just gives you an idea of what SQL injection can do.
SQL injection automation tools
In the example above, we used manual attack techniques based on our knowledge of SQL. There are automated tools that can help you perform attacks more efficiently and within the shortest possible time. These tools include
- SQLMap: automatic SQL injection and database takeover tool
- jSQL Injection: jsql | Kali Linux Tools
How to prevent SQL injection attacks
Organizations can adopt the following policies to protect themselves against SQL injection attacks.
- Never trust user input: it must always be sanitized before it is used in a dynamic SQL statement.
- Stored procedures: these can encapsulate the SQL statements and treat all input as parameters.
- Prepared statements: the SQL statement is created first, and all submitted user data is then passed as parameters. This has no effect on the syntax of the SQL statement.
- Regular expressions: these can be used to detect potentially harmful code and remove it before the SQL statement is executed.
- Database connection user access rights: only the necessary access rights should be granted to the account used to connect to the database. This helps reduce what the SQL statements can perform on the server.
- Error messages: these should not reveal sensitive information or the exact location of the error. A simple custom error message such as "Sorry, we encountered a technical error. The technical team has been contacted. Please try again later." can be used instead of displaying the SQL statement that caused the error.
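As an added worked example (this is not code from the tutorial or from the Personal Contacts Manager application, and it runs against a constructed in-memory SQLite database rather than SQL Fiddle or MySQL), the block below builds the login query exactly the way the backend above does, runs the two inputs from the hacking activities (the email-field input and the password-field input) against it, and then applies the prepared-statement, regular-expression and error-message defences from the list above to the same inputs. The table, the user account, the email addresses and the regular expression are constructed for the example; an md5() function is registered with SQLite so the tutorial's statements run unchanged.

```python
import hashlib
import re
import sqlite3

GENERIC_ERROR = ("Sorry, we encountered a technical error. "
                 "The technical team has been contacted. Please try again later.")

# Constructed email pattern: local part, one '@', a dotted domain, and none of the
# quotes, spaces or comment markers that have no business in an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db():
    """Constructed in-memory copy of the tutorial's `users` table (assumption: one
    account, user@example.com / 'abc', stored as md5 exactly as the tutorial does)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the tutorial's statements run unchanged.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "email VARCHAR(45), password VARCHAR(45))"
    )
    conn.execute("INSERT INTO users (email, password) VALUES ('user@example.com', md5('abc'))")
    return conn


def build_vulnerable_query(email, password):
    """The dynamic statement from the tutorial: $_POST values pasted straight into SQL."""
    return f"SELECT * FROM users WHERE email = '{email}' AND password = md5('{password}');"


def vulnerable_login(conn, email, password):
    """Runs the dynamic statement; a non-empty result means the login 'succeeded'."""
    return conn.execute(build_vulnerable_query(email, password)).fetchall()


def parameterized_login(conn, email, password):
    """Prepared statement: the SQL text is fixed and the user data is bound as parameters,
    so quotes, OR 1 = 1 and -- comments inside the input are just characters to compare.
    md5() is kept only to mirror the tutorial; a dedicated password hash belongs here."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ? AND password = md5(?)",
        (email, password),
    ).fetchone()


def validate_email(email):
    """Regular-expression check from the prevention list: reject input before it reaches SQL."""
    return EMAIL_RE.fullmatch(email) is not None


def login(conn, email, password):
    """Hardened handler: validate, bind parameters, and never echo SQL or database errors."""
    if not validate_email(email):
        return {"ok": False, "message": "Invalid email or password."}
    try:
        row = parameterized_login(conn, email, password)
    except sqlite3.Error:
        # Log the real exception server-side; the client only ever sees the generic text.
        return {"ok": False, "message": GENERIC_ERROR}
    if row is None:
        return {"ok": False, "message": "Invalid email or password."}
    return {"ok": True, "user_id": row[0]}


# The two inputs from the hacking activities, with a constructed address in place of the tutorial's.
EMAIL_PAYLOAD = "attacker@example.com' OR 1 = 1 LIMIT 1 -- ' ]"
PASSWORD_PAYLOAD = "xxx') OR 1 = 1 -- ]"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(EMAIL_PAYLOAD, "1234"))
    print("email-field input, dynamic SQL    ->", len(vulnerable_login(db, EMAIL_PAYLOAD, "1234")), "row(s)")
    print("password-field input, dynamic SQL ->", len(vulnerable_login(db, "attacker@example.com", PASSWORD_PAYLOAD)), "row(s)")
    print("email-field input, prepared       ->", parameterized_login(db, EMAIL_PAYLOAD, "1234"))
    print("valid credentials, hardened       ->", login(db, "user@example.com", "abc"))
```

Running the block prints the generated statement for the email-field input, shows that both inputs return a row from the string-built query, and shows that the same inputs return nothing from the parameterized query even before the regular-expression check rejects them. The two defences are layered deliberately: binding parameters is what removes the injection, and the regular expression and generic error message only narrow what an attacker can send and learn.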
Hacking activity: SQL injection with Havij
In this practical scenario, we are going to use the Havij Advanced SQL Injection program to scan a website for vulnerabilities.
Note: because of its nature, your antivirus program may flag it. You should add it to the exclusion list or pause your antivirus software.
The image below shows the main window of Havij

The above tool can be used to assess the vulnerability of a website or application.
Summary
- SQL injection is an attack type that exploits badly written SQL statements
- SQL injection can be used to bypass login algorithms and to retrieve, insert, update and delete data.
- SQL injection tools include SQLMap, SQLPing, SQLSmack, etc.
- A good security policy for writing SQL statements can help reduce SQL injection attacks.