What is SQL Injection (SQLi)?

► Play

The SQL injection is one of the most commonplace web attack mechanisms utilized by attackers to steal records and sensitive records from business or social media platform. While SQL Injection can lose any information an application that uses a SQL database, it’s miles most customarily used to assault web websites. SQL Injection is a code injection technique that hackers can use to insert malicious SQL statements into input queries for execution through the underlying SQL database. This method is made feasible because of improper coding of inclined web packages. The SQL injection rises up due to the fact access of input fields made available for user enter all of the bad types of SQL statements to go through and insert queries the database directly.

Different Types of Injections

► Play

  • Modify the SQL query and retrieve additional information from the database, we can say this retrieving hidden data from tables.
  • Interfere with the business logic and modify the query to change the application logic.
  • Get data from different tables in database and attack on them this is called UNION attacks.
  • Examining the database, in which you can extract information approximately the version and structure of the database.

Get Hidden Data

► Play

Let’s type this URL in your browser and get the Bonus categories from the table:

https://insecure-website.com/products?category=Bonus

This causes the application to make an SQL question to retrieve info of the relevant merchandise from the database like this:

SELECT * FROM merchandise WHERE category = ‘Bonus’ AND released = 1

This SQL query asks the database to return:

  • all info (*)
  • From the products desk
  • Where the category is Bonus
  • And released is 1

The software doesn’t put in force any defences towards SQL injection attacks, so an attacker can assemble an assault like:

https://insecure-website.com/products?category=Bonus’ – –

The result of the above query is:

SELECT * FROM products WHERE category = ‘Bonus’–‘ AND released = 1

The key component right here is that the double-dash series — is a remark indicator in SQL, and means that the rest of the question is interpreted as a comment. This successfully gets rid of the rest of the query, so it no longer includes AND launched = 1. This way that every one product are displayed, such as unreleased products.

Another method for SQL injection:

https://insecure-website.com/products?category=Bonus’+OR+1=1–

The result:

SELECT * FROM products WHERE category = ‘Bonus’ OR 1=1–‘ AND released = 1

Using the above query you can easily attack the database.

Change the Application Logic

► Play

Bypass the login account using the below query:

SELECT * FROM users WHERE username = ‘john’ AND password = ‘johnwilliam’

Attacker’s log with the username without any password, in SQL query use “ – – ” double dash password and comment it in where clause. For example, send a query the username “ administrator ” and empty password field. Query is:

                SELECT * FROM users WHERE username = ‘administrator’ – – ‘ AND password = ”

They’re also a lot of methods for SQL injection.

How to SQL Injection in Login Page

► Play

A simple PHP code for SQL Injection in login page is given below:

$uname = $_POST [ ‘ uname ‘ ] ;

$passwrd = $_POST [ ‘ passwrd ‘ ] ;

$query = ‘ select username, pass from users where username = ‘ $uname ‘ and password = ‘ $passwrd

$result = mysql_query ( $query ) ;

$rows = mysql_fetch_array ( $result ) ;

If ( $rows )

{

echo ‘ You have Logged in successfully ‘ ;
create_session( ) ;

}

else {

echo ‘ Better Luck Next time ‘ ;
}

Send us a feedback0/500

Do you like this article?
Yes
No