How bad guys hack websites with SQL injection
SQL injections are one of the most common security weaknesses on the web. Here I will try to explain in detail this type of weakness with examples of errors in PHP and possible solutions.
If you're not so confident in programming languages and web technologies, you might wonder why SQL survives. Well, it's an abbreviation of Structured Query Language (pronounced "sequel"). It is "de facto" the standard language for accessing and manipulating data in databases.
Nowadays most websites rely on a database (usually MySQL) to store and access data.
Our example will be a popular login form. Internet browsers see these login forms every day, put your username and password and then the server checks the credentials you provided. Well, that's simple, but what exactly happens on the server when you check your credentials?
The client (or user) sends to the server two series, username, and password.
The server usually has a database with a table in which the user's data is stored. This table has at least two columns, one for storing the username and the other for the password. When the server receives the username and password chains, it will inquire about the database to see if the credentials provided are valid. The SQL statement will be used so it may look like this:
Select * from users in terms of username = "supplied _ user" and password = "supplied _ password"
For those of you who are not familiar with SQL language, SQL personality is used as the selector of series variables. Here we use it to set the username and password chains provided by the user.
In this example, we see that the username and password provided are entered in the query between 'then the entire query is carried out by the database engine. If the query returns any rows, the credentials provided are valid (this user is in the database and has the password provided).
Now, what happens if the user writes a letter in the username or password field? Well, by placing the username field only and living in the password field empty, the query will become:
Select * from users in terms of username = "and password ="
This will result in an error because the database engine will look at the end of the series in the second 'and then it will lead to an error in the analysis at the third letter. Let's know what happens if we send these input data:
Username: 'OR' a '=' a
Password: 'OR' a '=' a
The query will become
Select * from users in terms of username = "or" a "=" and password = "or" a "=" a "
Since a is always equal to this query will return all rows of table users and the server will think that we provided it with valid credentials and allowed it in - SQL injections were successful:).
Now we'll see some of the most advanced technologies. It will be ideal based on PHP and MySQL platforms. In the MySQL database, I created the following table:
Table users' creation (
Username VARCHAR (128),
Password VARCHAR (128),
email VARCHAR (128))
There is one row in this table with data:
Username: testuser
Password: Test
Email: testuser@testing.com
To verify the credentials, I provided the following inquiry in the PHP code:
$ query = "select username, password from users where users name =". $ user ". 'Password = '. " $ pass' "؛
The server is also configured to print errors powered by MySQL (this is useful for correction, but should be avoided on the production server).
So, the last time I showed you how SQL injections mainly work. Now I'll show you how we can make more complex queries and how to use MySQL error messages to get more information about the structure of the database.
Let's get started! So, if we just put a "letter in the username field, we get an error message like
You have an error in your SQL combination; Check out the directory that corresponds to the version of your MySQL server to get the right combination to use near "" and password = "in line 1
That's because the query has become
Choose username and password from users where username = "and password ="
What happens now if we try to put a series like "or user =" abc in the username field?
Inquiry becomes
Choose username and password from users where username = "or user = 'abc' and password ="
And that gives us the wrong message.
Anonymous column "User" in "Where"
That is good! Using these error messages we can guess the columns in the table. We can try to put the username field "or email =" and since we do not receive an error message, we know that the email column is in this table. If we know the user's email address, we can now try "or email =" testuser@testing.com in both username and password fields and our inquiry becomes
Choose the username and password from users where the username = "or email = 'testuser@testing.com' and password =" or email = 'testuser@testing.com'
It is a valid inquiry and if the email address is in the table we will log in successfully!
You can also use error messages to guess the name of the table. Since in SQL you can use table. column notation, you can try to put the username field "or user. test =" and you will see an error message like
Unknown table "used" in terms of condition
Okay! Let's try with "or users. test =" and we have
The column is unknown 'users. test' in 'where the item'
So it makes sense to have a table called users:).
Basically, if the server is configured to give error messages, you can use them to enumerate the structure of the database, and then you may be able to use this information in the attack.