Tuesday, February 7, 2012

SQL INJECTION and BLIND SQL INJECTION

SQL injection is often used to attack a website by entering SQL statements into a web form so that a badly designed site performs operations on its database (often dumping the database contents to the attacker) other than the ones the designer intended (Wikipedia). SQL injection is a technique that exploits a vulnerability in the web application's security: SQL commands, statements and queries embedded in the input of a web form are passed on to the database, where they can be used, for example during a penetration test, to read data, change data or dump the database.

The following line of code illustrates this vulnerability:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended.
' or '1'='1
Or comments can be used to block out the rest of the query (there are three types of SQL comments; you can
SQL injection is used to:
  • Perform operations on the database
  • Bypass authentication mechanisms
  • Read otherwise unavailable information from the database
  • Write information such as new user accounts to the database
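The concatenated statement and the ' or '1'='1 input from above, run against a constructed SQLite table as an added example (not code from the original post), with the parameterised form of the same lookup beside it; the table name, columns and rows are assumptions made for the demonstration:

```python
import sqlite3

# Constructed sample database (not from the post): an in-memory SQLite table of users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn

def lookup_unsafe(conn, user_name):
    # Mirrors the page's statement: the input is pasted into the SQL text,
    # so quotes and keywords inside it are parsed as SQL, not as a name.
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]

def lookup_safe(conn, user_name):
    # Parameterised query: the driver binds the value after the SQL is parsed,
    # so the same input is only ever compared as a string literal.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"                # the page's example input
    print(lookup_unsafe(conn, "alice"))    # ['alice']
    print(lookup_unsafe(conn, payload))    # ['alice', 'bob', "o'brien"]: WHERE is always true
    print(lookup_safe(conn, payload))      # []: no user is literally named that
    print(lookup_safe(conn, "o'brien"))    # ["o'brien"]: a legitimate quote is handled
    try:
        lookup_unsafe(conn, "o'brien")     # the unsafe form breaks on an innocent quote
    except sqlite3.OperationalError as err:
        print("unsafe query failed:", err)
```

The same binding mechanism (placeholders plus a parameter tuple) is what every mainstream database driver offers, and it removes the whole class of string-building bugs the rest of this post describes.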
Three forms of SQL injection:
  • Redirecting and reshaping a query
  • Error message based
  • Blind injection
BLIND SQL injection
Blind SQL injection is a database exploitation technique that differs from ordinary SQL injection: a normal injection returns the requested value directly, whereas a blind injection returns no value at all, so the value has to be found by trial and error, with each test answering only true or false. Here we use the functions:
mid() = almost the same function as substring()
char() = returns the character whose (decimal ASCII) code is given

To test for a bug (vulnerability):
SQL injection:
By inserting the statements "and 1=0" and "and 1=1":
www.victim.com/client.php?id=3 and 1=0
www.victim.com/client.php?id=3 and 1=1
The parameter may be vulnerable.

Blind SQL injection:
Using the query: "and mid(user(),1,1)=CHAR(65)"
mid(user(),1,1): in this case we do not know the value of user(), so we try values one at a time. The "1,1" after user() selects the first character (start at position 1, length 1). CHAR() takes a decimal value, and the 65 is that decimal code: in the ASCII table 65 is A.

www.victim.com/client.php?id=3 and mid(user(),1,1)=CHAR(65). If this statement gives false, we try another statement, changing the value, until we get true.

