Posted by : Unknown
Sunday, April 22, 2012
Hello friends, how are you? In this post I am writing about some hacks that are present on the Internet 24/7 and go unnoticed by website administrators. This hack is also based on Google Hacking and SQL Injection. So, first you need to know.....
WHAT IS SQL INJECTION:
SQL Injection is one of the most common vulnerabilities on the web. If you are not familiar with programming or scripting languages you may wonder what SQL means: SQL is Structured Query Language.
At present, most websites have a database (e.g. MySQL) which is stored on their server and is accessible to the website administrator only, because he/she has the username and password to access the database.
Ok, let's take a simple example:
You are surfing the net and want to open GMAIL, FACEBOOK etc. The first thing you have to do is put your USERNAME and PASSWORD in the LOGIN BOX, and after that you will see your page opening. So, what is happening behind the screen, on the server? When you click the Submit button, your USERNAME and PASSWORD are sent to the database stored on their server, and if they are correct you are authorized to enter the next page, else not.
When the server receives the username and password strings it will query the database to see if the supplied credentials are valid. It will use an SQL statement for that which may look like this:
SELECT * FROM users WHERE username='xxxxxxx' AND password='xxxxxxxxx'
For those of you who are not familiar with the SQL language, in SQL the ' character is used as a delimiter for string literals. Here it is used to delimit the username and password strings supplied by the user.
In this example we see that the username and password supplied are inserted into the query between the ' characters and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:
SELECT * FROM users WHERE username=''' AND password=''
This would trigger an error, since the database engine would consider the string ended at the second ' and would then raise a parsing error at the third ' character. Let's now see what would happen if we sent this input data:
Username: ' OR 'a'='a Password: ' OR 'a'='a
The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'
Since a is always equal to a, this query will return all the rows from the users table and the server will "think" we supplied valid credentials and let us in: the SQL injection was successful.
Now we are going to see some more advanced techniques. My example is based on a PHP and MySQL platform. In my MySQL database I created the following table:
CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))
There's a single row in that table with the data:
username: testuser password: testing email: testuser@testing.com
To check the credentials I made the following query in the PHP code:
$query="select username, password from users where username='".$user."' and password='".$pass."'";
The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).
So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.
Let's get started! So, if we put just a ' character in the username field we get an error message like: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and password=''' at line 1
That's because the query became
select username, password from users where username=''' and password=''
What happens now if we try to put into the username field a string like ' or user='abc ? The query becomes
select username, password from users where username='' or user='abc ' and password=''
And this gives us the error message: Unknown column 'user' in 'where clause'
That's fine! Using these error messages we can guess the columns in the table. We can try to put ' or email=' in the username field, and since we get no error message we know that the email column exists in that table. If we know the email address of a user, we can now just try ' or email='xyz@xyz.com in both the username and password fields, and our query becomes
select username, password from users where username='' or email='xyz@xyz.com' and password='' or email='xyz@xyz.com'
which is a valid query, and if that email address exists in the table we will successfully log in!
You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put ' or user.test=' in the username field and you will see an error message like: Unknown table 'user' in where clause
Fine! Let's try with ' or users.test=' and we get: Unknown column 'users.test' in 'where clause'
so logically there is a table named users.
Basically, if the server is configured to give out error messages, you can use them to enumerate the database structure and then use this information in an attack.
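As an added example (not code from the original post), here is the post's login check reproduced in Python with an in-memory SQLite database standing in for PHP/MySQL (an assumption; SQLite's error text differs from MySQL's but leaks column names the same way). It puts the concatenated query beside a parameterized one and shows the debug-versus-production error handling the post mentions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the post's table and its single row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username VARCHAR(128), "
                 "password VARCHAR(128), email VARCHAR(128))")
    conn.execute("INSERT INTO users VALUES "
                 "('testuser', 'testing', 'testuser@testing.com')")
    return conn


def login_vulnerable(conn, user, pw):
    # Mirrors the post's $query: user input is spliced straight into SQL,
    # so a quote in the input changes the structure of the statement.
    query = ("select username, password from users where username='"
             + user + "' and password='" + pw + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, user, pw):
    # Hardened form: placeholders pass the input as data, never as syntax,
    # so ' OR 'a'='a is compared literally against the username column.
    query = ("select username, password from users "
             "where username=? and password=?")
    return conn.execute(query, (user, pw)).fetchall()


def error_message(conn, user, pw, verbose):
    """Error text a client sees when the vulnerable query fails.

    verbose=True mimics the post's debug server that prints DB errors
    (leaking column and table names); verbose=False is the production
    setting: log the detail server-side, show only a generic message."""
    try:
        login_vulnerable(conn, user, pw)
        return None
    except sqlite3.Error as exc:
        return str(exc) if verbose else "login failed"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"
    print("concatenated:", login_vulnerable(db, payload, payload))
    print("parameterized:", login_parameterized(db, payload, payload))
    print("debug error:", error_message(db, "' or user='abc", "", True))
    print("prod error:", error_message(db, "' or user='abc", "", False))
```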