Basics of SQL Injection
Friday, October 16, 2009
Web applications rely on dynamic content to achieve the appeal of traditional desktop windowing programs. This dynamism is typically achieved by retrieving updated data from a database. One of the more popular platforms for web datastores is SQL, and many web applications are based entirely on front-end scripts that simply query an SQL database, either on the web server itself or on a separate back-end system. One of the most insidious attacks on a web application involves hijacking the queries used by the front-end scripts themselves to gain control of the application or its data. One of the most efficient mechanisms for achieving this is a technique called SQL injection.
SQL injection refers to feeding raw Transact-SQL into an application's input so that its queries perform an unexpected action. Often, existing queries are simply edited to achieve the same result: Transact-SQL is easily manipulated by the placement of even a single character in a judiciously chosen spot, causing the entire query to behave in quite malicious ways. Some of the characters commonly used for such input validation attacks include the backtick ( ` ), the double dash ( -- ), and the semicolon ( ; ), all of which have special meaning in Transact-SQL. The examples below also rely on the single quote ( ' ), which terminates the string literal the application wrapped around the input.
What sorts of things can a crafty hacker do with a usurped SQL query? Well, for starters, they could potentially access unauthorized data. With even sneakier techniques, they can bypass authentication or even gain complete control over the web server or back-end SQL system. Let's take a look at what's possible.
Examples:

Bypassing Authentication

To authenticate without any credentials we can use:
Username : ' OR '='
Password : ' OR '='

To authenticate with just the username:
Username : admin'--

To authenticate as the first user in the users table:
Username : ' or 1=1--

To authenticate as a fictional user:
Username : ' union select 1, 'user', 'passwd' 1 --

Causing Destruction

To drop a database table:
Username : ';drop table users--
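The root cause behind every example above is a login query assembled by pasting the username and password into the SQL text. The following is an added example, not code from the original post: a constructed in-memory SQLite users table (the table name, columns and sample rows are assumptions), a login check written the vulnerable way beside the same check written with bound parameters, so you can watch the admin'-- and ' or 1=1-- inputs from the post succeed against the first and fail against the second.

```python
import sqlite3


def make_db():
    """Constructed sample datastore standing in for the web application's
    users table. A real application would store password hashes, not
    plaintext; plaintext is used here only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "wonderland")])
    db.commit()
    return db


def login_concat(db, username, password):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    closes the string literal and '--' comments out the password check.
    Returns the authenticated username, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_param(db, username, password):
    """Hardened form: placeholders hand the input to the driver as data,
    so the query's structure cannot be changed by its contents.
    Returns the authenticated username, or None."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin'--", "' or 1=1--"):
        print(repr(user), "concat:", login_concat(db, user, "wrong"),
              "param:", login_param(db, user, "wrong"))
```

Even with parameters in place, the stray quotes and double dashes in failed login attempts are worth logging and alerting on, since they are the signature of someone probing for exactly the concatenation bug shown here.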