
What is an SQL injection?

The number of sites and pages on the Web is growing steadily. Anyone who can is taking up development, and novice web programmers often reuse old, unsafe code. This leaves many loopholes for intruders and hackers, and they use them. One of the most classic vulnerabilities is SQL injection.

A bit of theory

Many people know that most sites and services on the network use SQL to work with their database. SQL is a structured query language that lets you manage and administer data stores. There are many different database management systems, such as Oracle, MySQL and PostgreSQL. Regardless of name and type, they all process queries in the same basic way, and this is where the potential vulnerability lies. If the developer has not processed the query correctly and safely, an attacker can take advantage of this and use special techniques to gain access to the database, and from there to control of the entire site.

To avoid such situations, you need to structure the code sensibly and carefully track which query is processed in what way.

SQL injection test

There are many ready-made automated tools for establishing whether a site has this vulnerability, but a simple test can also be performed manually. To do this, go to the site under investigation and try to provoke a database error from the address bar. For example, a script on the site may pass requests through without processing or trimming them.

For example, there is some_site/index.php?id=25

The easiest way is to put a quote after 25 and send the request. If no error occurred, then either all requests on the site are filtered and processed correctly, or error output is disabled in the settings. If the page reloads with an error, then there is a vulnerability to SQL injection.

After it is found, you can try to get rid of it.

To exploit this vulnerability, you need to know a little about SQL query commands. One of them is UNION, which combines the results of several queries into one. With it you can determine the number of fields in the table. The first query looks like this:

  • some_site/index.php?id=25 UNION SELECT 1

In most cases, such an entry will produce an error. This means that the number of fields is not equal to 1. Thus, by trying values from 1 upwards, you can establish their exact number:

  • some_site/index.php?id=25 UNION SELECT 1,2,3,4,5,6

That is, when the error stops appearing, the number of fields has been guessed.

There is also an alternative solution to this problem, for example when the number of fields is large: 30, 60 or 100. This is the GROUP BY command. It groups the query results by some attribute, for example id:

  • some_site/index.php?id=25 GROUP BY 5

If no error was received, then there are more fields than 5. Thus, by substituting values from a fairly wide range, you can work out how many there actually are.

This SQL injection example is for beginners who want to try their hand at testing their own site. It is important to remember that unauthorized access to someone else's site is covered by an article of the Criminal Code.

The main types of injections

Exploiting vulnerabilities through SQL injection can be done in several ways. The most popular techniques are listed below:

  • UNION query SQL injection. A simple example of this type was already considered above. It is possible because of an error in checking the incoming data, which is not filtered in any way.

  • Error-based SQL injection. As the name implies, this type also relies on errors: syntactically incorrect expressions are sent, and the response is captured and analyzed so that the SQL injection can then be carried out.

  • Stacked queries SQL injection. This vulnerability consists of executing consecutive queries. It is characterized by appending a ";" sign at the end. This approach is often used to gain the ability to read and write data or to manage operating system functions, if the privileges permit it.
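Seen from the server side, every probe in the manual test above and in this list leaves a recognizable trace in the web server's access log. The following Python script is an added example and not part of the original article: it scans constructed combined-log lines for the quote test, UNION SELECT, ORDER BY/GROUP BY column counting, comment tails and stacked ";" queries, and reports a lone quote only when the server answered with an error, which is the article's own test criterion. The log lines, hosts and paths are all constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined-log format; the hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2018:13:55:36 +0000] "GET /index.php?id=25 HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2018:13:55:40 +0000] "GET /index.php?id=25' HTTP/1.1" 500 120
192.0.2.11 - - [10/Oct/2018:13:55:45 +0000] "GET /index.php?id=25%20UNION%20SELECT%201,2,3,4,5,6 HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2018:13:55:50 +0000] "GET /index.php?id=25%20GROUP%20BY%205 HTTP/1.1" 500 120
192.0.2.12 - - [10/Oct/2018:13:56:01 +0000] "GET /sqli_1.php?title=Iron+Man'%20order%20by%202%20--%20&action=search HTTP/1.1" 200 700
192.0.2.13 - - [10/Oct/2018:13:56:10 +0000] "GET /index.php?id=25;%20SELECT%201 HTTP/1.1" 200 512
192.0.2.14 - - [10/Oct/2018:13:56:20 +0000] "GET /sqli_1.php?title=Cote+d'Ivoire&action=search HTTP/1.1" 200 700
"""

# ip, request path (with query string) and response status from one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Each pattern mirrors one probe the article describes; "quote" on its own is a weak signal.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "column_probe": re.compile(r"\b(?:order|group)\s+by\s+\d+", re.I),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I),
    "comment_tail": re.compile(r"--(?:\s|$)|/\*"),
    "quote": re.compile(r"'"),
}

def classify(query_string):
    """Return the set of probe tags found in a URL-decoded query string."""
    decoded = unquote_plus(query_string)
    return {tag for tag, rx in PATTERNS.items() if rx.search(decoded)}

def scan(log_text):
    """Return (ip, path, sorted tags, status) for each request that looks like an injection probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        tags = classify(path.partition("?")[2])
        strong = tags - {"quote"}
        # A lone quote is reported only when the server answered 5xx: the article's own
        # manual test is "append a quote and see whether the page errors out".
        if strong or ("quote" in tags and status >= 500):
            hits.append((ip, path, sorted(tags), status))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate search for Cote d'Ivoire on the last line is not reported, because a quote in a value with a 200 response is exactly what correct escaping produces.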

Software packages for finding SQL vulnerabilities

Programs available for SQL injection usually have two components: scanning the site for possible vulnerabilities and using them to gain access to the data. Such utilities exist for almost all known platforms. Their functionality greatly simplifies checking a site for the possibility of attack via SQL injection.

Sqlmap

A very powerful scanner that works with most known DBMSs. It supports various SQL injection techniques, can automatically recognize the type of a password hash and crack it by dictionary, and can also upload files to and download files from the server.

Installation in the Linux environment is performed using the following commands:

  • git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
  • cd sqlmap-dev/
  • ./sqlmap.py --wizard

For Windows there is both a command-line version and one with a graphical user interface.

JSQL Injection

JSQL Injection is a cross-platform tool for testing for SQL vulnerabilities. It is written in Java, so the system must have a JRE installed. It can handle GET, POST, header and cookie requests and has a convenient graphical interface.

This software is installed as follows:

wget https://github.com/`curl -s https://github.com/ron190/jsql-injection/releases | grep -E -o '/ron190/jsql-injection/releases/download/v[0-9]{1,2}.[0-9]{1,2}/jsql-injection-v[0-9]{1,2}.[0-9]{1,2}.jar' | head -n 1`

The tool is launched with the command java -jar ./jsql-injection-v*.jar

To start checking a site for a SQL vulnerability, enter its address in the top field; there are separate fields for GET and for POST. If the result is positive, a list of available tables appears in the left window. They can be viewed to learn some confidential information.

To search for administrative panels, use the "Admin page" tab. It uses special templates to automatically search for the records of privileged users. From these you can only obtain a password hash, but a tool for that is also available in the program.

After finding all the vulnerabilities and injecting the necessary queries, the utility lets you upload your own file to the server or, conversely, download one from it.

SQLi Dumper v.7

This program is an easy-to-use tool for finding and exploiting SQL vulnerabilities. It does so on the basis of so-called dorks, lists of which can be found on the Internet. A dork for SQL injection is a special search-query pattern. With them, you can find a potentially vulnerable site through any search engine.

Tools for training

The site itsecgames.com offers a special toolkit that, among other things, shows how to perform an SQL injection and test for it. To use it, it must be downloaded and installed. The archive contains a set of files making up the structure of a site. To install it, you will need an existing Apache, MySQL and PHP web server stack.

After unpacking the archive into the web server folder, go to the address that was entered when installing this software. A user registration page will open. Enter your details here and click "Create". After taking the user to a new window, the system prompts you to select one of the test options. Among them are both the injections described above and many other test tasks.

It is worth considering the SQL injection example of type GET/Search. Select it and press "Hack". A search box appears in front of the user, along with an imitation of a certain movie site. You can browse the movies for a long time, but there are only 10. For example, try entering Iron Man. A movie appears, which means the site is working and its tables are available. Now we need to check whether the script filters special characters, in particular the quotation mark. To do this, add a single quote ' to the address bar, after the title of the movie. The site throws the error Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1, which says that the characters are still being processed incorrectly. So you can try to substitute your own query, but first you must work out the number of fields. To do this, use order by, inserted after the quote: http://testsites.com/sqli_1.php?title=Iron+Man' order by 2 -- &action=search.

This command simply displays the movie information, meaning the number of fields is greater than 2. The double hyphen tells the server to discard the rest of the query. Now we need to keep substituting larger values until an error appears. In the end, it turns out there are 7 fields.

Now it is time to get something useful from the database. The query in the address bar needs to be modified slightly, bringing it to this form: http://testsites.com/sqli_1.php?title=Iron+Man' union select 1, database(), user(), 4, password, 6, 7 from users -- &action=search. As a result, you will see lines with password hashes, which can easily be turned back into readable characters with one of the online services. With a little more work, and by picking the name of the login field, you can get into someone else's account, for example the site admin's.

There are many types of injection in the product on which you can practice. It is worth remembering that applying these skills on the network, against real sites, can be criminal.

Injection and PHP

As a rule, PHP code is responsible for processing requests coming from the user. Therefore it is at this level that protection against SQL injection in PHP needs to be built.

To begin with, a few simple recommendations on how to do this:

  • Data must always be processed before being put into the database. This can be implemented either with existing functions or by building queries manually. Here it is also worth ensuring that numeric values are converted to the required type;
  • Do not allow various control structures to appear in the query via the data.

Now a little about the rules for writing MySQL queries so as to protect against SQL injection.

When writing any expression for a query, it is important to separate the data from the SQL keywords.

  • SELECT * FROM table WHERE name = Zerg

In this form, the system may take Zerg to be the name of a field, so it needs to be enclosed in quotation marks.

  • SELECT * FROM table WHERE name = 'Zerg'

However, there are situations where the value itself contains quotes.

  • SELECT * FROM table WHERE name = 'Cote d'Ivoire'

Here only the part up to the second quote, Cote d, is processed as the value, and the rest is taken for a command, which it naturally is not, so an error occurs. Data of this kind therefore needs to be escaped. To do this, use a backslash, \.

  • SELECT * FROM table WHERE name = 'Cote d\'Ivoire'

All of the above applies to strings. If the operation involves a number, it needs neither quotes nor slashes. However, it must always be cast to the required data type.

There is a recommendation to enclose field names in backquotes. This symbol is on the left side of the keyboard, on the same key as the tilde "~". It is needed so that MySQL can reliably distinguish a field name from a keyword.

Dynamic work with data

Very often, dynamically generated queries are used to fetch data from the database. For example:

  • SELECT * FROM table WHERE number = '$number'

Here $number is passed as the field value. What happens if Cote d'Ivoire ends up in it? An error.

To avoid this trouble you can, of course, enable "magic quotes" in the settings. But then the data will be escaped both where necessary and where not. Besides, if the code is written by hand, you can spend a little more time building a break-in resistant system yourself.

To add the slash yourself, you can use mysql_real_escape_string.

$number = mysql_real_escape_string($number);

$year = mysql_real_escape_string($year);

$query = "INSERT INTO table (number, year, class) VALUES ('$number', '$year', 11)";

Although the code has grown in size, it will potentially work much more safely.

Placeholders

Placeholders are special markers that tell the system a value must be substituted at this place. For example:

$stmt = $mysqli->prepare("SELECT District FROM Number WHERE Name = ?");

$stmt->bind_param("s", $number);

$stmt->execute();

This piece of code prepares the query template, then binds the variable $number, and executes it. This approach separates the processing of the query from its execution, and thus protects against the injection of malicious code into SQL queries.
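The following Python example is added here and is not the article's own code; it uses SQLite's in-memory database in place of MySQL and PHP to show the dynamic query from the previous section failing on Cote d'Ivoire, data changing the meaning of the concatenated query, and the placeholder and numeric-cast versions handling both. The table, its columns and the rows are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory stand-in for the article's `table`; SQLite replaces MySQL here,
# but the "?" placeholder plays the same role as in mysqli prepare/bind_param.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT, number INTEGER)")
    conn.executemany("INSERT INTO names (name, number) VALUES (?, ?)",
                     [("Zerg", 1), ("Cote d'Ivoire", 2), ("Terran", 3)])
    return conn

def find_by_name_unsafe(conn, name):
    """Dynamic query built exactly like SELECT * FROM table WHERE name = '$name'."""
    sql = f"SELECT id, name FROM names WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn, name):
    """Placeholder version: the template is prepared first, the value is bound afterwards."""
    return conn.execute("SELECT id, name FROM names WHERE name = ?", (name,)).fetchall()

def find_by_number_safe(conn, number):
    """Numeric field: cast first, so anything that is not a number is rejected up front."""
    return conn.execute("SELECT id, name FROM names WHERE number = ?", (int(number),)).fetchall()

def compare(name):
    """Run both name lookups on the same input; 'error' marks a query that did not parse."""
    conn = make_db()
    try:
        unsafe = find_by_name_unsafe(conn, name)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, find_by_name_safe(conn, name)

if __name__ == "__main__":
    # The quote in the country name breaks the concatenated query but not the placeholder one.
    print(compare("Cote d'Ivoire"))
    # Data that closes the quote and adds a control structure changes the unsafe query's
    # meaning (every row comes back); the placeholder treats it as a literal and finds nothing.
    print(compare("Zerg' OR '1'='1"))
    # The numeric lookup only ever sees an int, so "2 OR 1=1" is refused by int() itself.
    print(find_by_number_safe(make_db(), "2"))
```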

What can an attacker do

Protecting the system is a very important factor that cannot be neglected. Of course, a simple business-card website is easy to restore. But what if it is a large portal, service or forum? What consequences can there be if you do not think about security?

First, the hacker can both break the integrity of the database and delete it entirely. And if the site administrator or hoster did not make a backup, recovery will not be easy. In addition, an attacker who has broken into one site can move on to others located on the same server.

Next is the theft of visitors' personal data. How they are used is limited only by the hacker's imagination, but in any case the consequences will not be pleasant, especially if financial information was involved.

An attacker can also dump the database and then extort money for its return.

Misinformation of users on behalf of a site administrator who is not the real one can also have negative consequences, since fraud becomes possible.

Conclusion

All information in this article is provided for informational purposes only. Use it only for testing your own projects, so that vulnerabilities are detected and fixed.

For a deeper study of how SQL injection is performed, you need to start by actually exploring the features of the SQL language: how queries are composed, the keywords, the data types, and how all of this is applied.

You also cannot do without an understanding of how PHP functions and HTML elements work. The main points vulnerable to injection are the address bar, search, and various input fields. Studying PHP functions, how they are implemented and what they can do, will help you understand how errors can be avoided.

The availability of many ready-made software tools allows an in-depth analysis of a site for known vulnerabilities. One of the most popular products is Kali Linux. It is an image of a Linux-based operating system containing a large number of utilities and programs capable of comprehensively testing a site's strength.

Why do I need to know how a site can be hacked? It is very simple: this is necessary in order to have an idea of the potentially vulnerable places in your own project or site, especially if it is an online store with online payment, where the user's payment data can be compromised by an attacker.

For professional research, there are information security services that can check a site according to different criteria and depths, from simple HTML injection to social engineering and phishing.

Copyright © 2018 en.unansea.com. Theme powered by WordPress.