SQL Injection Technique


by Dean H
Summary:

This article presents some of the most common methods of hacking a website. I have condensed this article review to SQL injection only.

SQL Injection (previously mentioned during the lecture): Enter SQL code into web forms, login fields, address fields, or anywhere that enables users to interact with the database. The concept is that user input is normally checked by the system by matching it against the table/row data, to either grant or deny access. Here is an example:

' OR 1=1 --

The concept is based on this SQL statement:

SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'

Since 1 = 1 is always true, this passes the validation and thus grants the user access. However, this is a really old technique and there are other ways to perform the same task, such as:

  • admin'--
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a

As you can see, the concepts are similar. However, it's not that easy to simply "inject" SQL code into a website. The hackers have to find vulnerable websites and apply the code.
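To see why the inputs above succeed and what stops them, here is an added example (not from the original article or its source) that runs the SELECT statement shown earlier against an in-memory SQLite database twice: once built by string concatenation and once with bound parameters. The table contents, function names and sample password are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to mirror the article's query; real systems store a hash.
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable: user input is pasted into the SQL text, so quotes in it change the query."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the input broke the statement's syntax

def login_parameterized(db, username, password):
    """Hardened: placeholders bind input as data, so it is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Two of the inputs listed in the article, placed in the username field.
ARTICLE_INPUTS = ["' OR 1=1 --", "admin'--"]

def compare():
    """Return (input, result of concatenated login, result of parameterized login)."""
    db = make_db()
    return [(text,
             login_concatenated(db, text, "x"),
             login_parameterized(db, text, "x"))
            for text in ARTICLE_INPUTS]

if __name__ == "__main__":
    for text, weak, strong in compare():
        print(f"{text!r:16} concatenated={weak} parameterized={strong}")
```

With concatenation, the quote in the input ends the string literal early and the double dash comments out the password check; with bound parameters the same text is compared as a literal username and matches nothing.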

Another injection method is called "Backdoor Injection". It is normally used to hack forums' search functions, since "search" is always linked to a database and returns matching results. An example of hacking would be retrieving usernames and passwords or other user information, and even modifying the data. This should ring alarm bells for websites that have strong security measures at the login but poor security on other forms.

SQL injection in the browser Address Bar: This is a good indicator to see if a website has a low security level. An example:

http://somesite.com/index.asp?id=10 ; Try to add “AND id=11” to see if 2 values are actually returned.

There are other, more complicated methods such as Remote injection and Automated injection. One involves uploading malicious files and the other requires some open source tools to automate the injection process.

Reflection:

Since many classmates used articles that are related to "Databases being hacked", I came up with the idea of introducing some basic hacking techniques using SQL injection. I think this is a great way to relate the advanced SQL language that we learned from class with real world examples, and be aware of the hacking methods being used. Personally I did not know anything about hacking/SQL injection until this quarter, and I think this is something that all CIS major students should be aware of. The purpose of this article is not to encourage the hacking activity, but rather to keep the students informed on the basic practices and learn how to defend against it.

Source:

John, C. (2008, Mar 5). How they hack your website: Overview of common techniques [Web log message]. Retrieved from http://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php