SQL Injection
This is one of the best ways to attack a site or, in simple words, to hack a site.
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.
This was the explanation of SQL injection according to Microsoft.
The simplest definition of an SQL injection, in my view, is this:
you give the ASP server a value that returns true in every case, such as 1=1 (1 can never be equal to 0). In this way we pass an SQL expression in the login field of the target site.
Follow these steps for hacking your first site:
1- Search "asp admin log in" in Google.
2- Click on any ASP-based site from the list.
3- Type in the login field 1' or'1'='1 or '1'='1 and many more...
Type the same code in the password field also.
4- At last, press Enter or click on log in.
CONGRATULATIONS, you have successfully logged in to the site admin page as admin of the site. For more info visit http://en.wikipedia.org/wiki/SQL_injection
Vulnerability description
Multiple products that use data in SQL queries are vulnerable to SQL injection. Attackers can use SQL injection techniques to exploit Web sites and applications that implement SQL queries without first removing potentially harmful characters. Using SQL injection, attackers can create and modify tables, and possibly gain complete control over the database, host computer, and network of trusted computers.
How to remove this vulnerability
Review every parameter of every script that interacts with a Web site or application. If testing the script yields any form of database error message in any part of the response (including hidden fields and headers), then the application is vulnerable to SQL injection.
These guidelines can help minimize the possibility of SQL injection and mitigate the risk:
- If you have the ability to modify the script or application, implement strict filtering over all variables (using a default-deny regular expression) for any characters or strings that could be used maliciously. It is safer to build a regular expression that permits only alphanumeric characters (for example, s/[^0-9a-zA-Z]//g), as opposed to enumerating every forbidden character and possibly missing a few, rendering the application vulnerable.
- Limit database rights so that the Web application only has access to essential stored procedures.
- Remove stored procedures and scripts that are not essential for the Web application.
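As an added example (not code from the original post), the code below puts a concatenated login query beside a hardened one that applies the default-deny allow-list from the first guideline and, going beyond the guidelines listed, binds the values as parameters. SQLite in memory stands in for SQL Server; the table, column and function names and the sample row are assumptions constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: one admin row in an in-memory SQLite table.
    # Plaintext password only to keep the sample short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db

def login_concatenated(db, login, password):
    # 'Before': user input is concatenated into the statement, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

# Default-deny allow-list: only alphanumerics, bounded length (assumed limit).
ALLOWED = re.compile(r"[0-9a-zA-Z]{1,32}")

def is_clean(value):
    # Reject instead of stripping: every character must be on the allow-list.
    return ALLOWED.fullmatch(value) is not None

def login_hardened(db, login, password):
    # 'After': validate the login name, then bind both values as parameters
    # so the database only ever treats them as data. The password is bound
    # but not filtered, because real passwords may contain any character.
    if not is_clean(login):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    probe = "1' or '1'='1"  # always-true string of the kind quoted in the steps
    for fn in (login_concatenated, login_hardened):
        print(fn.__name__, "| probe accepted:", fn(db, probe, probe),
              "| real login accepted:", fn(db, "admin", "s3cret"))
```

The concatenated version accepts the always-true string because it becomes part of the WHERE clause; the hardened version rejects it at the allow-list and, even for a valid login name, compares the bound password only as a literal value.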
How can I automatically test my site for SQL injection attacks, using either a script or program?
Yes, you will need to use these tools:
- paros proxy [crawls] (free, previously mentioned)
- burpsuite (previously mentioned; [crawls], but active attacks require pro): http://portswigger.net/burp/
- sqlninja (SQL Server only): http://sqlninja.sourceforge.net/
- Google ratproxy [crawls]: http://code.google.com/p/ratproxy/
- websecurify [crawls]: http://www.websecurify.com/
- wapiti [crawls but takes work to set up; can be used specifically for SQLi with spider]: http://wapiti.sourceforge.net/
Thank you for reading.
{This topic and all related content have been posted for educational (or ethical hacking) purposes only; I do not take responsibility for any wrong use.}