Difference between revisions of "SQL Injection"
FElghamrawi (talk | contribs) |
FElghamrawi (talk | contribs) |
||
| Line 12: | Line 12: | ||
In the business logic of the application, a query is used to retrieve the data of an user based on username and password. The username and password are filled in by the user via a web form. The input goes directly into the query. | In the business logic of the application, a query is used to retrieve the data of an user based on username and password. The username and password are filled in by the user via a web form. The input goes directly into the query. | ||
SELECT * FROM Users WHERE name ='userName' and password='password' | SELECT * FROM Users WHERE name ='userName' and password='password'; | ||
=== Step 2 === | === Step 2 === | ||
Suppose the attacker gives admin as the username and ' or '1' = '1' as a password. That results in the following query that will be evaluated by the database: | Suppose the attacker gives admin as the username and ' or '1' = '1' as a password. That results in the following query that will be evaluated by the database: | ||
SELECT * FROM Users WHERE name ='admin' and password='' or '1'='1' | SELECT * FROM Users WHERE name ='admin' and password='' or '1'='1'; | ||
=== Step 3 === | |||
The above SQL query is valid and returns all tuples from the Users relation. By adding the OR condition '1' = '1', the WHERE clause is always evaluated as true. The query then corresponds to: | |||
SELECT * FROM Users; | |||
* | === Step 4 === | ||
Furthermore, several SQL statements can be executed simultaneously on many database servers by separating them with semicolons. The attacker can thus insert additional commands, for example, to delete a relation with a call. | |||
The attacker enters the following in the password field: | |||
' or '1'='1'; DROP TABLE Users; SELECT * FROM info WHERE '1' = '1 | |||
This results in the following queries: | |||
SELECT * FROM Users WHERE name ='admin' and password=' 'or '1'='1'; DROP TABLE Users; SELECT * FROM info WHERE '1' = '1' | |||
When the database server processes these two queries, it first returns all data records from the Users relation and then deletes or removes the entire Users table. | |||
== Types of SQL queries == | |||
There are a number of SQL injection attacks that occur in different situations. | |||
Depending on the target of the attacker, the techniques can be used separately as well as together. | |||
These are for example: | |||
=== Tautologies === | |||
=== Union Query === | |||
=== SQL Blind SQL Injection === | |||
=== Alternate Encoding Obfuscation === | |||
=== Procedure Stored procedure attacks === | |||
== Prevention == | |||
== Practice == | |||
== References == | == References == | ||
Revision as of 21:50, 30 January 2020
Summary
SQL Injection is a vulnerability, which can be found in applications, especially web applications. According to a study conducted in 2019 by OWASP, SQL injections count to the most common way for attackers to fetch sensitive data from a database. SQL injections are simply possible if SQL queries in the application provide results based on user input, while the user input is processed directly in the SQL query.
Functionality
SQL injections are basically possible if SQL queries in the application deliver results based on user input. The user input is processed directly by the SQL interpreter without changes or validation. In this case, the database cannot distinguish between malicious or good entries.
An attack could look like this:
Step 1
In the business logic of the application, a query is used to retrieve the data of an user based on username and password. The username and password are filled in by the user via a web form. The input goes directly into the query.
SELECT * FROM Users WHERE name ='userName' and password='password';
Step 2
Suppose the attacker gives admin as the username and ' or '1' = '1' as a password. That results in the following query that will be evaluated by the database:
SELECT * FROM Users WHERE name ='admin' and password= or '1'='1';
Step 3
The above SQL query is valid and returns all tuples from the Users relation. By adding the OR condition '1' = '1', the WHERE clause is always evaluated as true. The query then corresponds to:
SELECT * FROM Users;
Step 4
Furthermore, several SQL statements can be executed simultaneously on many database servers by separating them with semicolons. The attacker can thus insert additional commands, for example, to delete a relation with a call.
The attacker enters the following in the password field:
' or '1'='1'; DROP TABLE Users; SELECT * FROM info WHERE '1' = '1
This results in the following queries:
SELECT * FROM Users WHERE name ='admin' and password=' 'or '1'='1'; DROP TABLE Users; SELECT * FROM info WHERE '1' = '1'
When the database server processes these two queries, it first returns all data records from the Users relation and then deletes or removes the entire Users table.
Types of SQL queries
There are a number of SQL injection attacks that occur in different situations. Depending on the target of the attacker, the techniques can be used separately as well as together. These are for example: