How to protect your website's admin privileges from unauthorised access?

NOTE: This tutorial is for educational purposes only so the reader is warned to apply this knowledge at their own risk and responsibility. This blog shall not be accounted for any violations or unauthorized actions being practiced by anyone. 


SQL Injection is one of the most frequent security vulnerabilities on the net. Here I'll try to describe in detail this kind of vulnerabilities with examples of bugs in PHP and possible alternatives.

(image source: pixabay.com)

If you are not so confident with encoding languages and web solutions you may well be wondering what SQL stay for. Well, is actually an acronym for Organised Query Language (pronounced "sequel"). It's "de facto" the conventional language to access and manipulate data in directories.

Nowadays most websites count on the database (usually MySQL) to maintain and gain access to data.

Our example will be a common sign in form. Internet surfers see those login forms every day, you put your account information in and then the server determines the credentials you offered. Ok, that's simple, but what happens exactly on the server when this individual checks your credentials?

The client (or user) delivers to the server two strings, the username, and the password.

Usually, the server will have a database with a desk where the user's data are stored. This desk has at least two columns, one to store the username and one for the password. Whenever the server receives the username and password gift items he will query the database to see if the supplied credentials are valid. He will how to use SQL assertion for that may look like this:

SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those of you who are not familiar with the SQL language, in SQL the ' character can be used as a delimiter for string variables. Here we make use of it to delimit the username and password gift items supplied by the customer.

In this example we see that the consideration information supplied are put in the query between the ' and the complete issue is then executed by the database engine. In the event that the query returns any rows, then the provided credentials are valid (that user exists in the database and has the password that was supplied).

Now, what goes on if a user types a ' character into the login name or password field? Very well, by putting only a ' into the username field and living the password field blank, the query would become:

SELECT * FROM users WHERE username="' AND password="

This kind of would trigger a mistake since the database engine would consider the end of the string at the 2nd ' and then it would trigger a parsing error at the third ' character. Discussing now what would happen whenever we would send this input data:

Login ID: ' OR 'a'='a

password: ' OR 'a'='a

The query would become

SELECT * FROM users WHERE username=" OR 'a'='a' AND password=" OR 'a'='a'

Seeing that and is actually equal to a , this query will return all the series from the table users and the server will "think" we supplied him with valid credentials and let as in - the SQL injection was successful: ).

Now we are going to see some more advanced techniques. My example will be based on a PHP and MySQL platform. Within my MySQL database I emerged up with the pursuing table:

CREATE TABLE users (username VARCHAR(128), password VARCHAR(128), email VARCHAR(128));

There’s a single row in that table with data:

username: rishabh
password: techstreet
email: rishabh@techstreet. com

To check the credentials I made the subsequent query in the PHP code:
$query="select username, password from users where username='".$user."' and password='".$pass."' ";

The server is also constructed to print out mistakes triggered by MySQL (this is useful for debugging but should be overlooked on a production server).

Therefore, last time I actually showed you how SQL injection basically works. Today I'll teach you how can we make more complicated questions and how to use the MySQL error text messages to get additional information about the database structure.

(image source: pixabay.com)


Let's get started! So, if we put just a ' character in the username field we have an error message like

You could have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right format to work with next to "" and password="' at line 1

That's because the query became:
select username, password from users where username="' and password="

What happens now when we try to put into the username field a string like ' or user='abc?

The issue becomes:
select username, security password from users where username=" or user='abc ' and password="

And this provide us with the error message

Unidentified column 'user' in 'where clause'

That's fine! Working with these error messages we can guess the articles in the table. We are able to try to put in the username field ' or email=' as we get no error meaning, we know that the email column exists in that table. If we understand the email address of a user, we can now just try with‘ or email=’rishabh@techstreet.com in both the username and password fields and our query becomes:

select username, password from users where username=” or email=’rishabh@techstreet.com’ and password=” or email=’rishabh@techstreet.com’

a valid query and if that email address exists in the table we will successfully login!

You can also use the mistake messages to guess the table name. Since in SQL you are able to use the table. column notation, you can try to put in the username field ' or user. test=' and you will see a mistake message like:

Unknown table ‘user’ in where clause

Fine! Let’s try with ‘ or users.test=’ and we have

Unknown column ‘users.test’ in ‘where clause’

so logically a table called users exists :)

Basically, if the server is tweaked to give these problem messages, an attacker may use them to enumerate the data source structure and might be able to use these information in assaulting your website. So you need to tweak this bug. I'll leave that up to you, it won't be difficult, believe me!  

Comments

Popular posts from this blog

Learn basic regex for Linux in 2 minutes

Some basic linux hacks

How secure are these so called CGI Proxy Sites?