Saturday, February 12, 2005

SQL Injection - A Blind Injection

It was night, time near about 9.00.Since, i have MTNL BroadBand Connection for 24 Hrs, i preferred to sit on my computer rather than seeing TV serials. I was on Yahoo Messanger, chatting with friends. Suddenly Himanshu Rawat ( He_rawat --> Yahoo ID ), one of my good friends , pings me.

He_rawat: Vaibhav , u there. ( Font size near about 32, and font color - RED ).

I know he is a unique creature, so nothing is funny in this font-size and font color. But still i requested him to change the font color to Black and to reduce font size.Since, in college, he is famous with the name "BULL" .So, he replied :

He_rawat: Vaibhav, u know that i love this color, so i can't change color but ya i reduce font size. Come On the topic man ....

As we ( me and himanshu ) promised each other that we discuss about one new topic daliy , when we meet on Msger.

He_rawat: Go on to this site :: www.movies.keralaonline.com.

I replied that i was not interested in Kerala Songs.

He_rawat: Go Man, and try this :

User Name : abcd
Password : abcd' or 1=1;--'

So, as he was requesting , i went to that site and tried his given User Name and Password.
Yes, It really works and give me many more permissions. Mean to say, that i hacked that site:-)

So, what actually happened was something like that :-

*****************

When first time i put user name and password, some absurd value like:-

User Name : abcd
Pasword : afgaf.

it will not work...

Obviously this was not right user name and Password as well , so it returns me that ERROR MESSAGE : User Name and Password Not found in DataBase, with a SQL error.

And that is the weak point, it shows .

My mind concluded that : This site takes Login Name and Password and sends a SQL request to check the validity of that User Name and Password. If not presents, returns an error message.

So, it happens something like that

SELECT FLAG FROM DATABASE WHERE USERNAME='abcd' and PASSWORD='afgaf';

and this flag is true when it get any entry of username and Password that was in the DataBase.

Now What is unique in the

login name = abcd
password : abcd' or 1=1;--'

I think you grab the scenerio at this time , if not go ahead ...

Look how this works

SELECT FLAG FROM DATABASE WHERE USERNAME='abcd' and PASSWORD='abcd' or 1=1;--';

Oh !!! My God this is surprising ...

1=1 always be true and hence, flag value is 1, no doubt!!!
So, i hacks that site !!!

*********************************

This all knowlege i got that day by Himanshu...

So, next question that immediately comes in my mind :: It is the generic case, anywhere login and password is validated by this way. So, that it mean !!! we can hack any of the site ....

NO WAY ... BECAUSE

This is what actually happened in many cases :-

To secure an application against SQL injection, devlopers must never allow client-supplied data to modify the syntax of SQL statement. In fact, the best protection is to isloate the web application from SQL altogether. All SQL statements required by the application should execute the stored procedure using a safe interface such as JDBC's CallableStatement or ADO's Command Object.

If arbitrary statements must be use, use PreparedStatement . Both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible foruser input to modify the actual SQL statement.


Just understand that ... there is a webmaster sitting in between user input and DataBase. Its the responsibity of Webmaster to first scan the input ... check the validity .

I tried a lot and have some good example ...

First check that the site is vulnerable or not !!!

Assume that we have to check this ....
http://www.interraIT.com/pressRelease.jsp/pressReleaseID=10 ( this is ficticious :-) )

so on the top of URL , type this
http://www.interraIT.com/pressRelease.jsp/pressReleaseID=10 AND 1=1

and if it returns the same page ..... Yahoooooooooooooooooooooo we can crack it !!!!

or if say " Type Mismatch error" ... :-(( Sorry Man go on your work .

I think , its enough for this BLOG .... if you want more examples ... Tell me .



Friend's Blogs


2 comments:

sujata singh said...

ya vaibhav! i too checked it, it was too gr8...we hv other cracks also...:)

Neeraj said...

good one vaibhav.... and even better is the way to say it. i simply loved it