What is SQL Injection?
Acunetix describes it as "the type of attack that takes advantage of improper coding of your web applications that allows a hacker to inject SQL commands into, say, a login form to allow them to gain access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly." Today in this article, we are going to see login bypass using SQL Injection.
To make it more interesting, I am going to divide this article into two parts: first the web programmer's part, and second the hacker's part. I am going to use WAMP server for this. Imagine a web programmer has been hired to code a website for a newly formed company named shunya. He codes the website as below. The first file is index.php. On this page he creates three buttons and adds functionality to the 'Login' button.
So when a user clicks on the Login button, he is redirected to another page called action.php which is a login form for the users of shunya.com.
Its script is given below.
In the above code, notice that the form action is set to process.php. This file validates the users: when a user submits a username and password, it opens a connection to the database and checks whether that user is in the database. If the user exists and the credentials match, he is taken to the page login_success.php.
The above script is very important for understanding SQL Injection. You can see that the username and password are submitted as raw input, going straight from the form into the query. Notice also the underlined query.
This is the database the programmer has created for the website.
When a user in the database enters the correct password, as shown below, he is redirected to the login_success page.
The page below is the page I set for login_success.php.
When a user not listed in the database tries to log in, or a valid user tries to log in without a password, like below, this happens.
That's the end of the programmer part. Now it's time for the hacker part. A hacker happens to find the site shunya.com. In the login form, he inserts a single quote to see if the site is vulnerable to SQL Injection.
He gets the error message below. A database error like this, triggered by the unbalanced quote, indicates that the site is vulnerable to SQL Injection.
Then he tries a query like the one shown below.
Surprisingly, he gets access to the restricted area. How does the above query work? When a user enters the above input, the statement $sql in process.php becomes
$sql = "SELECT * FROM $tbl_name WHERE username='' or '0;'
This is a valid SQL query, and the user is validated without the password ever being checked. There are some other inputs which work similarly. Two of them are here.
' or '1'='1;
' or '1'='1''
When a hacker enters these two queries, the username field becomes
'' or '1'='1;
which makes the query validate the user if the username is empty or 1=1. Since one is always equal to one, the condition is always true. Many more variants can be found by trial and error. This vulnerability exists because we are supplying raw data to our query. After a short time our web programmer finds out about this vulnerability and patches it as below.
What mysql_real_escape_string does is escape the special characters in the input (a quote, backslash, NUL or newline gets a backslash in front of it) so that they are treated as literal data rather than as SQL syntax. Now try the same queries and see what happens. Thank you.
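The following is an added example, not code from the article: a small Python/SQLite stand-in for the PHP/MySQL login above (the members table and the row admin/s3cret are constructed). It shows the single-quote probe raising a database error, the ' or '1'='1 bypass succeeding when typed into both fields of the concatenated query, and the same inputs failing against a parameterised query, which is the fix to use today since the mysql_* functions (including mysql_real_escape_string) are removed in PHP 7.

```python
import sqlite3

PAYLOAD = "' or '1'='1"   # the article's bypass string, typed into both fields


def make_db():
    """Constructed stand-in for the article's MySQL members table (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors process.php: raw form input is concatenated straight into $sql."""
    sql = (f"SELECT * FROM members WHERE username='{username}' "
           f"and password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterised query: input is bound as data, so quotes cannot alter the SQL."""
    sql = "SELECT * FROM members WHERE username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def raises_sql_error(login, conn, username, password):
    """True if the login fails with a database error (the article's single-quote probe)."""
    try:
        login(conn, username, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, correct creds:", login_vulnerable(db, "admin", "s3cret"))        # True
    print("vulnerable, quote probe  :", raises_sql_error(login_vulnerable, db, "'", ""))  # True
    print("vulnerable, payload      :", login_vulnerable(db, PAYLOAD, PAYLOAD))        # True
    print("fixed, quote probe       :", raises_sql_error(login_fixed, db, "'", ""))       # False
    print("fixed, payload           :", login_fixed(db, PAYLOAD, PAYLOAD))             # False
```

With the payload in both fields the concatenated WHERE clause reads username='' or '1'='1' and password='' or '1'='1', and the trailing or '1'='1' makes it true for every row.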