Latest Web News
Google Selling Video Ads On The Web The click-to-play video advertisements go on sale beginning today, and will be available to advertisers in the US, Canada, and Japan at launch. Visitors to sites in Google's network of AdWords publishers will have complete control over the video ad experience...
Google Secrecy A Blessing And Curse Other than the legally mandated SEC filings, only the very top of the Google leadership knows just how the company operates. The LA Times delivered the most apt commentary on Google...
Google Domains Not Catching Fire Beyond the vaunted minimalist Google home page, the next nineteen Google domains barely account for 20 percent of visits to all things ending in Google.com.
Doc Searls Closes Syndicate Conference The close of the Syndicate Conference in New York came with Searls' keynote address, where he touched on the issue of "The Return to Producerism."
Amanda Congdon Talks Syndicating Videoblogs At Syndicate NY Video blogs shouldn't be called "Internet TV"; Congdon said that completely devalues them. "They are a totally unique video experience, usually more casual."
Yahoo! Finance Badges Detailed Another component in Yahoo's syndication strategy will enable publishers to embed financial information into their sites and blogs. Mani Kulasooriya from Yahoo said the toughest part of creating Yahoo! Finance Badges was not the technical side.
Google Notebook Goes Live As promised at Google's Press Day event last week, its Notebook service from Google Labs has been turned on in beta for users to try. Firefox users will have an easy time of adding...
Justice Unworried About IE7 Search Google had complained to US and European antitrust regulators about Microsoft including a search box with MSN Search as the default in Internet Explorer 7, but the Department of Justice had no problems with the feature.
Recent Articles
GData, MySQL, and the Future of on-line Databases In reading Richard MacManus' Why Google is extending RSS, I couldn't help feeling that he was missing the point a bit. It's as if he was focusing on the small things ("Why RSS?") rather than looking at the bigger picture of where all this is going...
MySQL, Oracle Agree On InnoDB Deal A multiyear agreement between Oracle and MySQL over the InnoDB storage engine license should put an end to fears of a potential Oracle-fueled money grab...
SQL Server Indexes A database index is similar to an index in a book - it is comprised of a lookup value, and a number identifier that corresponds to the row number in a table.
Oracle Produces Oracle SQL Developer The kids out in Redwood Shores announced a new product called SQL developer, known previously as Project Raptor. The product is a free database...
SQL Injections Abound Danish security firm Secunia reported on Monday several moderately critical vulnerabilities in various software products that allow SQL injection attacks. Products like Gregarius, Total Ecommerce, Akarrus Social Bookmarking Engine and others.
Oracle Acquisitions are Not About MySQL I've been thinking about this for the last day or so and have come to the conclusion that Oracle's acquisition of Sleepycat Software (and Berkeley DB) is not...
Someone AJAXified mytop! Check this out. Someone has built an AJAX powered version of mytop, the little console based MySQL monitoring tool I wrote years ago.
Protecting Against SQL Injection With PHP And MYSQL Security is important for all developers, but more so when combining two of the most popular Database and Web Programming technologies.
SQL Injection Vulnerability A vulnerability was discovered in the ADOdb and can be exploited by hackers doing SQL injection attacks. The vulnerability only works on the PostgreSQL users. Andy Staudacher discovered the vulnerability and Secunia reported the issue as moderately critical on Tuesday.
Microsoft SQL 2000 Disaster Recovery with SANRAD V-Switch - Planning Guide Designing a disaster recovery system requires planning and consideration of the available options that will best fit your company's needs, SLA and budget.
MS SQL / MySQL - A Case Study The release of Microsoft SQL Server 2005 on November 7th 2005 created a buzz around the office for IT professionals. The use of SQL server by businesses as in an in house data server has become increasingly more popular, this same popularity is now beginning to shift to the web hosting industry.
05.23.06 How Bad Guys Hack Into Websites Using SQL Injection By Matija
SQL Injection is one of the most common security vulnerabilities on the web. Here I'll try to explain in detail these kinds of vulnerabilities with examples of bugs in PHP and possible solutions.
If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it's an acronym for Structured Query Language (pronounced "sequel"). It's "de facto" the standard language to access and manipulate data in databases.
Nowadays most websites rely on a database (usually MySQL) to store and access data.
Our example will be a common login form. Internet surfers see those login forms every day: you put your username and password in and then the server checks the credentials you supplied. Ok, that's simple, but what exactly happens on the server when it checks your credentials?
The client (or user) sends to the server two strings, the username and the password.
Usually the server will have a database with a table where the user data is stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings it will query the database to see if the supplied credentials are valid. It will use an SQL statement for that which may look like this:
SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'
For those of you who are not familiar with the SQL language, in SQL the ' character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user.
In this example we see that the username and password supplied are inserted into the query between the ' and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).
Now, what happens if a user types a ' character into the username or password field? Well, by putting only a ' into the username field and leaving the password field blank, the query would become:
SELECT * FROM users WHERE username=''' AND password=''
This would trigger an error, since the database engine would consider the string ended at the second ' and would then fail to parse the third ' character. Let's now see what would happen if we send this input data:
Username: ' OR 'a'='a
Password: ' OR 'a'='a
The query would become
SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'
Since a is always equal to a, the trailing OR 'a'='a' makes the whole WHERE clause true for every row (AND binds tighter than OR, so the password condition in the middle cannot rescue it). This query will return all the rows from the table users and the server will "think" we supplied valid credentials and let us in - the SQL injection was successful :).
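To see the concatenation problem and its fix side by side, here is an added example that is not code from the article. It uses Python's sqlite3 module with an in-memory database and constructed sample data (the same users row the article describes) instead of the PHP/MySQL stack discussed above; the function names are mine. The first function builds the login query by string concatenation, exactly as the article's server does; the second uses a parameterised statement, where the driver sends the values separately from the SQL text, so a quote in the input is compared as data and never parsed as SQL.

```python
import sqlite3


def make_db():
    # Constructed in-memory database mirroring the article's users table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('testuser', 'testing', 'testuser@testing.com')")
    return conn


def login_vulnerable(conn, user, password):
    # Builds the statement by concatenation: whatever the client typed becomes SQL text.
    query = ("SELECT username FROM users WHERE username='" + user
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, user, password):
    # Parameterised statement: the '?' placeholders are bound by the driver, so a quote or
    # an OR inside the input can only ever be compared against the stored column values.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (user, password)).fetchall()


def vulnerable_query_errors(conn, user, password):
    # True when the concatenated statement fails to parse, which is what the article's
    # single-quote probe produces; a server that echoes that error text leaks structure.
    try:
        login_vulnerable(conn, user, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 'a'='a"
    print("concatenated:", login_vulnerable(db, tautology, tautology))  # returns the row
    print("parameterised:", login_safe(db, tautology, tautology))       # returns nothing
    print("bare quote errors:", vulnerable_query_errors(db, "'", ""))
```

The same inputs drive both paths: valid credentials log in either way, the tautology payload only logs in through the concatenated query, and the bare quote probe raises a parse error only there. Escaping quotes by hand is a weaker substitute for parameterisation because every place that builds a query has to get it right.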
Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:
CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))
There's a single row in that table with data:
username: testuser password: testing email: testuser@testing.com
To check the credentials I made the following query in the PHP code:
$query="select username, password from users where username='".$user."' and password='".$pass."'";
The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).
So, last time I showed you how SQL injection basically works. Now I'll show you how we can make more complex queries and how to use the MySQL error messages to get more information about the database structure.
Let's get started! So, if we put just a ' character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1
That's because the query became
select username, password from users where username=''' and password=''
What happens now if we try to put into the username field a string like ' or user='abc ? The query becomes
select username, password from users where username='' or user='abc ' and password=''
And this gives us the error message
Unknown column 'user' in 'where clause'
That's fine! Using these error messages we can guess the columns in the table. We can try to put in the username field ' or email=' and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ' or email='testuser@testing.com in both the username and password fields and our query becomes
select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'
which is a valid query, and if that email address exists in the table we will successfully log in!
You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field ' or user.test=' and you will see an error message like Unknown table 'user' in where clause
Fine! Let's try with ' or users.test=' and we have Unknown column 'users.test' in 'where clause'
so logically there's a table named users :).
Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use this information in an attack. Suppressing the error text on the client side closes that oracle, but only parameterised queries remove the injection itself.
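The column and table probing walked through above leaves a recognisable trail in web-server logs: a short burst of requests from one client whose login fields start with a quote, contain a quote followed by OR/AND, or contain the 'x'='x tautology. As an added example that is not part of the article, the following Python scans constructed Apache-style access log lines (sample data, not from a real server) for those patterns. It assumes the login form sends its fields as GET parameters named user and pass so that they appear in the access log; that is an assumption for the sample, since real forms normally POST, and the same rules would then be applied in the application's own request logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not captured from a real server). The probes are the
# ones the article walks through; the last line is a legitimate name with an apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2006:10:01:02 +0000] "GET /login?user=testuser&pass=testing HTTP/1.1" 200
10.0.0.9 - - [23/May/2006:10:01:07 +0000] "GET /login?user=%27&pass= HTTP/1.1" 500
10.0.0.9 - - [23/May/2006:10:01:15 +0000] "GET /login?user=%27+or+user%3D%27abc&pass= HTTP/1.1" 500
10.0.0.9 - - [23/May/2006:10:01:21 +0000] "GET /login?user=%27+OR+%27a%27%3D%27a&pass=%27+OR+%27a%27%3D%27a HTTP/1.1" 200
10.0.0.7 - - [23/May/2006:10:02:00 +0000] "GET /login?user=o%27brien&pass=secret HTTP/1.1" 401
"""

# Common-log-format fields we need: client address, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded value of every query parameter.
RULES = [
    ("quote_then_boolean", re.compile(r"'\s*(?:or|and)\b", re.IGNORECASE)),  # ' or user='abc
    ("quote_tautology", re.compile(r"'\s*=\s*'")),                            # 'a'='a
    ("leading_quote", re.compile(r"^\s*'")),                                  # the bare ' probe
]


def scan_line(line):
    """Return the client, status and matched (parameter, rule) pairs for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # decodes %27 and '+' for us
    hits = []
    for name, values in params.items():
        for value in values:
            for rule_name, pattern in RULES:
                if pattern.search(value):
                    hits.append((name, rule_name))
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}


def scan_log(text):
    """Return only the lines that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result["hits"]:
            findings.append(result)
    return findings


def probes_by_ip(text):
    """Count flagged requests per client; a run from one address is the enumeration pattern."""
    counts = {}
    for finding in scan_log(text):
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(probes_by_ip(SAMPLE_LOG))
```

The rules deliberately key on a quote in a syntactic position (leading, before a boolean operator, or in a tautology) rather than on any apostrophe, so o'brien is not flagged. Treat the output as triage input: a 500 status on a flagged request is the strongest sign that the error text reached the client, and the fix for that is the application's error handling, not the log rule.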
About the Author: The author is a 23-year-old coder. He specializes in computer security, C and PHP coding, networking and server administration.