Malicious SQL Injection: An Introduction

In many countries (including the US and the UK), it is illegal to use this attack on an active website. Sqlzoo has set up a vulnerable test system here so that you can legally try this out for yourself.

Overview

SQL, also known as Structured Query Language, is a special-purpose programming language used to communicate with databases. SQL can insert data, retrieve data, and update and delete data. Of course, any system can be abused, and the most common form of abuse of SQL is an SQL injection. The SQL injection technique tricks the target into passing malicious SQL code to a database by embedding portions of code within user input. The concept of embedding the malicious code within the user input is known as ‘code injection’. While SQL injection is considered an older hacking technique, it is not necessarily less effective.

In this article we will be using SQL code injection to bypass authentication. In this scenario, a website will ask for a username and a password and will get the input through two text boxes. It will then embed the user input within a statement of SQL code and pass it on to the database. If the database finds that the credentials from the SQL statement match the credentials in the database, that user will be logged in!

Examples

The usual authenticating SQL statement looks something along the lines of this code, and the page uses two text boxes to get the user input for the username and password.

SELECT id FROM TableUsers WHERE Username = '' AND Password = '';

This line of code works as follows: when you input your credentials, they are put into the Username and Password fields. So if the user ‘Bob’ was trying to log in, this is what the completed SQL code would be.

SELECT id FROM TableUsers WHERE Username = 'Bob' AND Password = 'iambob';

If Bob’s credentials are correct, that is, if the query can select the ‘id’ from TableUsers with the username of ‘Bob’ and the password of ‘iambob’, then the statement will return true and Bob will be logged in.

Now, if we were trying to use a simple way to bypass the authentication, we would try to trick the SQL code into not checking ANY credentials. Instead, we would have something along the lines of ‘1 = 1’ so that it would return true. This can be referred to as an ‘always true’ statement. One of the easiest ways to do this is to input this line of code into both the username and password fields.

' OR '' = '

All together, this is what the SQL code would look like after it has been injected with our malicious code.

SELECT id FROM TableUsers WHERE Username = '' OR '' = '' AND Password = '' OR '' = '';

As we can see, we have successfully rid this code of checking our credentials. Instead, we injected an ‘always true’ statement into the SQL code. Because '' is always equal to '', the statement will return true. This technique should get us past the authentication, and log us in as the first user on the list, which is usually (and hopefully) the system administrator.

You can change the injection code to almost anything you please as long as the ‘always true’ statement is there. For example, this line of code would work:

1' OR '1' = '1

This line would work:

dbadmin' or '1' = '1

But this line would not:

1' OR '2' = '1
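
For comparison from the defender's side, the following added example (not part of the original article) runs the article's login query against an in-memory SQLite database twice: once built by string concatenation, as described above, and once with bound parameters. The function names and the sample rows are assumptions made for the illustration.

```python
import sqlite3

PAYLOAD = "' OR '' = '"        # the article's 'always true' input
NOT_TRUE = "1' OR '2' = '1"    # the article's input that does not work

def make_db():
    """Constructed sample data; table and columns follow the article's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TableUsers "
               "(id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    # Plain-text passwords only mirror the article's query; hash them in real systems.
    db.executemany("INSERT INTO TableUsers (Username, Password) VALUES (?, ?)",
                   [("dbadmin", "constructed-admin-pw"), ("Bob", "iambob")])
    return db

def login_concatenated(db, username, password):
    """Vulnerable: input is pasted into the SQL text, so quotes in it become SQL."""
    sql = ("SELECT id FROM TableUsers WHERE Username = '" + username +
           "' AND Password = '" + password + "';")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened: the SQL text is fixed and input is bound as data only."""
    sql = "SELECT id FROM TableUsers WHERE Username = ? AND Password = ?;"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    cases = [("Bob", "iambob"), ("Bob", "wrong"),
             (PAYLOAD, PAYLOAD), (NOT_TRUE, NOT_TRUE)]
    for user, pw in cases:
        print(f"{user!r:20} concatenated={login_concatenated(db, user, pw)!s:5}"
              f" parameterized={login_parameterized(db, user, pw)}")
```

With concatenation the ‘always true’ input returns id 1 (the first row) without any valid password; with bound parameters the same input is compared as an ordinary string and matches nothing.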

Conclusion & Foreword

As you have seen in this article, SQL injection is both an effective and lethal attack against websites and web applications passing SQL commands to databases. Here, we used our knowledge of SQL code injection to bypass authentication and log in as the first user on the list. Usually, this is the system administration account. In the next tutorial, we will learn some more SQL code, and start making changes to the database!

The contents of this guide are for educational use only. For more information, see our Disclaimer.

2 Comments

  1. fritz

    02.13.2013

    doesn’t work…

    • Jeff Browning

      02.13.2013

      Give it another go — we just fixed a typo or two.
