What is SQL Injection?
It is a type of attacking technique by changing the SQL code in your website. If your web application was not developed carefully and wisely, then there is a chance that attackers can do SQL Injections and mess up your database. They may alter the SQL code and steal your vital information from the database. Not only getting information from your database, they can also delete and modify information or modify the structure of your database.
Some Methods to Test for SQL Injections
There are some simple ways to test the web pages and see if they are protected from SQL injections or not. For example, you can try to enter a single quote (“’”) in a text box on your web page and check the error message. If the web page returns an error message similar to the one below, then there is a chance for SQL injections.
[Microsoft][ODBC SQL Server Driver][SQL Server] Incorrect syntax near the keyword 'or'. /wasc.asp, line 10
The primary choice of the attackers is the Forget password page. In the following, we are going to demonstrate some examples about how the attacker can crash your users’ table.
Usually, when the user enters the email address in the Forgot password page, the page is supposed to send an email to the user with the password or just the link to change the password.
So, first you check for SQL injections by entering a single quote (see above). Once there is a chance for SQL injection, then you can enter the following text in a text box on your web page:
Test’ Or ‘s’=’s
In the background of your web page, the query may look like
- Select data1,data2..data2 fromtablewhere field= ‘Test’ Or ‘s’=’s’
In the above code, the “field=’Test’” filter condition may not return anything but the next statement “‘s’=’s’” is always true and the above query will return all rows because of the “Or” operator. As a result, the password will be sent to the user and you may see a confirmation message, for example:
Your login information mailed to email@example.com
The next step is to figure out the name of the user’s table. Try to enter the following statement in a text box:
- Test' AND EXISTS(SELECT * FROM tablename) AND ‘s’=’s
For the table name, you can try different names. For example, usually we use the following names when we create the users’ table:
tblUser, tblMember, Users, Members.. etc..
After trying different names, at one point the user’s table may match. So, if a table name returns the confirmation message (e.g., your login information mailed to firstname.lastname@example.org) instead of an error message, then that’s the correct table name.
So, let’s say the “tblMembers” table name returned a confirmation message. Now, change your input as illustrated below:
- Test' ; DropTable tblMemebers;’
- Test' ; truncateTable tblMemebers;’
The first query deletes the members’ (users’) table or the second statement deletes all the records from the members’ table. Your members’ table is gone and your application is messed up!!!
Now, let’s see how to insert a new user in the members’ (users’) table, I mean create a new user. First, we have to figure out the fields’ names in the tblMembers table. Try to enter the following statement:
- Test' AND EXISTS(SELECT FieldName FROM tblMembers) AND ‘s’=’s
For the “FieldName”, try different names. For example, usually we may have fields like
Firstname, lastname, UserName, password and etc.,
After trying different fields one by one and if you get a confirmation message from the page, then that’s the right field.
Let’s say we were able to figure out the first name, lastname, username, and password fields. Now, try the following statement to insert a new user in the members’ table:
- Test' ; Insertinto tblMemebers(FirstName, UserName, Password)
- values (‘pop’, ’pop12345’, ’test123’);’
If we get a confirmation message (e.g., your login information mailed to email@example.com) from the web page, then the new user was inserted successfully. Now, you can use the new inserted user to login to the web site and destroy the site. Your site is gone!!!
How to Protect from SQL Injections
In order to avoid the SQL injections, do not ever use ad-hoc sql statements to query or update the database. Always use stored procedures, even if you just need a simple SQL statement.