Thursday, 23 May 2013

SQL Injection


SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.

The following example shows a simple SQL injection.
SQL Server table 'login' (the table holding the loginid and password columns used below):

I have created a login page in ASP.NET.


The code for the Login button is described below.


// Requires: using System.Data.SqlClient;
// The page class is assumed to declare the connection and the two strings
// copied from the textboxes:
//     SqlConnection con;   // connection to the database holding 'login'
//     string id, pass;
protected void Button1_Click(object sender, EventArgs e)
{
    if (TextBox1.Text != "" && TextBox2.Text != "")
    {
        id = TextBox1.Text;
        pass = TextBox2.Text;
        // VULNERABLE: the textbox values are concatenated straight into the SQL
        // text, so a single quote in either field changes the query structure.
        string query = "select * from login where loginid='" + TextBox1.Text + "' and password= '" + TextBox2.Text + "'";
        SqlCommand cmd = new SqlCommand(query, con);
        con.Open();
        SqlDataReader dr = cmd.ExecuteReader();
        bool found = dr.HasRows;   // any row at all counts as a successful login
        dr.Close();
        con.Close();
        if (found)
        {
            Session["uid"] = TextBox1.Text;
            Session["upass"] = TextBox2.Text;
            Response.Redirect("Admin.aspx");
        }
        else
        {
            Response.Redirect("Error.aspx");
        }
    }
}


Now enter the login ID and password in the textboxes of the login page (suppose the user ID is 'admin' and the password is 'admin'). The query variable then contains "select * from login where loginid='admin' and password= 'admin'";
and the login succeeds.

Now the question is: how can this be injected, i.e. how can someone log in without knowing a user ID and password?

This is very simple. You just need to pass an SQL snippet in the login textbox and you can log in successfully.

Now enter  ' or 1=1;--  in the UserID textbox, enter some characters in the Password textbox (if you set a required-field validator for the password) and click the Login button. The query variable now contains "select * from login where loginid='' or 1=1;--' and password= 'pass'";
and the login succeeds. The -- comments out the password condition, 1 = 1 is always true, so the query returns every row of the login table, dr.HasRows is true, and you reach the Admin.aspx page.
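As an added example that is not part of the original post: the concatenated query from the Login button beside a parameterized version, run against a constructed in-memory SQLite table that stands in for the SQL Server 'login' table. The parameterized form is what the ADO.NET code should do instead (@loginid/@password placeholders filled with cmd.Parameters.AddWithValue); the rows and the payload are the post's own.

```python
import sqlite3

# Constructed sample data standing in for the post's 'login' table.
SAMPLE_ROWS = [("admin", "admin"), ("suraj", "s3cret")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (loginid TEXT, password TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?)", SAMPLE_ROWS)
    return con


def login_concatenated(con, loginid, password):
    """The post's pattern: input spliced into the SQL text. Returns matching rows."""
    query = ("select * from login where loginid='" + loginid
             + "' and password= '" + password + "'")
    return con.execute(query).fetchall()


def login_parameterized(con, loginid, password):
    """Hardened form: placeholders, so the input is only ever data, never SQL."""
    query = "select * from login where loginid=? and password=?"
    return con.execute(query, (loginid, password)).fetchall()


def demo():
    """Row counts each variant returns for a valid login and for the injected ID."""
    con = make_db()
    payload = "' or 1=1;--"   # the user ID typed into the textbox in the post
    return {
        "valid_concat": len(login_concatenated(con, "admin", "admin")),
        "inject_concat": len(login_concatenated(con, payload, "pass")),
        "valid_param": len(login_parameterized(con, "admin", "admin")),
        "inject_param": len(login_parameterized(con, payload, "pass")),
    }


if __name__ == "__main__":
    print(demo())
```

With concatenation the injected ID returns every row (so dr.HasRows would be true); with placeholders the same input matches nothing, because the quote and the comment marker are compared as literal characters in the loginid column.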


This is how an unauthorised user can access authorised data.
Please feel free to comment or ask anything.

Thanks and Regards:
Suraj K. Mad.

