Thursday, June 23, 2005

SQL Injections: from previous link

SQL Injections [At the Database Level]

The first step before attempting SQL injection is to test whether a site is vulnerable to it. This can be done by giving some arbitrary input. If the input results in an error message (other than a user-generated error message), it means the site is vulnerable to SQL injection. To find out whether a site is vulnerable to SQL injection, try the following special characters in the input:

' ; , '' % - *

Bypassing User Authentication:
An attacker can easily bypass the login page without providing a valid user name and password. He just needs to give:
' Or 1=1;-- (in the User Name text box)
On submitting this page, the SQL query (at the server) becomes:
Select * from authentication where Name =' ' or 1=1; --
Note: MS SQL Server treats anything after ;-- as a comment, so the rest of the query will be ignored. What the attacker has done here is bypass the login page without specifying a valid username and password.
Frankly, even if a site is vulnerable to SQL injection, most of the time this will not work. It depends on the way the ASP code is written. The key thing behind SQL injection is that your input must fit the ASP code to get the desired result. Here I would suggest that you try all of the following possible combinations, and any more you can think of.
1. ' Or 1=1; --
2. ' Or 1=1); --
3. ' any_bad_value
4. ' "
5. ' "or"
6. " any_bad_value" ' etc.
Note: This explanation is just for understanding, based on this test scenario. The details vary with your web application code.
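
The login bypass described above works because the user-name input is concatenated into the query text. The following added example (not code from the original post) reproduces that query shape and shows the parameterized form, which treats the same input as data. It uses Python's sqlite3 as a stand-in for ASP and MS SQL Server; the Password column and the sample rows are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the post's `authentication` table (constructed data)."""
    db = sqlite3.connect(":memory:")
    # The Password column is an assumption; the post only shows Name.
    db.execute("CREATE TABLE authentication (Name TEXT, Password TEXT)")
    db.executemany("INSERT INTO authentication VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def build_concatenated_query(name, password):
    """Vulnerable pattern: user input pasted directly into the SQL text."""
    return ("SELECT * FROM authentication WHERE Name = '" + name +
            "' AND Password = '" + password + "'")

def login_concatenated(db, name, password):
    # The quote in `name` closes the string literal, so the rest of the
    # input is parsed as SQL instead of being compared as data.
    return db.execute(build_concatenated_query(name, password)).fetchall()

def login_parameterized(db, name, password):
    # Placeholders send the input as values; quotes and -- stay literal text.
    return db.execute(
        "SELECT * FROM authentication WHERE Name = ? AND Password = ?",
        (name, password)).fetchall()

PAGE_INPUT = "' Or 1=1;--"   # the user-name input quoted in the post

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_query(PAGE_INPUT, ""))
    print("concatenated :", login_concatenated(db, PAGE_INPUT, ""))
    print("parameterized:", login_parameterized(db, PAGE_INPUT, ""))
    print("valid login  :", login_parameterized(db, "alice", "s3cret"))
```

With the concatenated query, the password check ends up inside the comment and every row is returned; with placeholders, the same input matches no user.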