
Saturday, February 7, 2015

What is SQL Injection?

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application-layer attack techniques used today. It takes advantage of improper coding in your web applications, which allows a hacker to inject SQL commands into, say, a login form and thereby gain access to the data held in your database.

SQL Injection is the hacking technique that attempts to pass SQL commands (statements) through a web application for execution by the backend database. If input is not sanitized properly, a web application is open to SQL Injection attacks that allow hackers to view information from the database and even wipe it out.

What is the impact of SQL Injection?

Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL queries/commands through an input form field. This is equivalent to handing the attacker your database and allowing him to execute any SQL command against it, including DROP TABLE.

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to manipulate existing queries, to UNION (used to select related information from two tables) arbitrary data, to use subselects, or to append additional queries.

In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures, it could spell disaster.

Unfortunately, the impact of SQL Injection is often only uncovered when the theft is discovered. Data is being unwittingly stolen through various hack attacks all the time, and the more expert hackers rarely get caught.

1. Malicious SQL statements:
   a. For a numeric field: SQL injection based on 1=1, which always evaluates to true.
   b. For a string field: SQL injection based on ''='', which always evaluates to true.

   Note: The hacker uses the malicious SQL statements above to fetch records without knowing the password or ID.


Let's see a working demonstration.

This is the table structure (Employee):

Emp_Id   Emp_Name     Emp_Password   Emp_Salary
1001     RahulGanga   HA123          10,000
1002     Sathya       BA321          20,000
1003     Akhil        SA132          30,000
1004     Bubi         FA213          40,000

Our targets are:

1. Fetch the employee details without knowing their password, or even their name or ID.

2. Modify the record of an employee without knowing their password.

3. Delete the record of an employee without knowing their password.

Example 1 (in SQL)

1. Fetch the employee details without knowing their password, or even their name or ID.

Sol: select * from employee where Emp_Id=1 or 1=1 and Emp_Pwd='Dhoom3' or''=''

Because ''='' is always true, the WHERE clause matches every row, so the password is never actually checked.

Output:

2. Modify the record of an employee without knowing their password.

First see the actual contents of the table "empTb".

Sol: update empTb set Emp_Name='Titanic',Emp_Pwd='0' where Emp_Id=1 or 1=1 and Emp_Pwd=123 or 1=1

The trailing or 1=1 makes the condition true for every row, so every employee's name and password are overwritten.

Output:

3. Delete the record of an employee without knowing their password.

Sol: delete from employee where Emp_Id=1 or 1=1

Again, or 1=1 matches every row, so the whole table is emptied.

Output:

How do I prevent SQL Injection attacks?
 
This problem is solved by parameterized SQL. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner. The query text is fixed in advance, and the user's input is passed separately as a parameter value, so any extra SQL a hacker types is treated as data rather than as part of the command.

code:

using System.Data;
using System.Data.SqlClient;

// The connection string "con" comes from web.config. The query uses named
// parameters instead of string concatenation, so user input is never parsed as SQL.
using (SqlConnection _con = new SqlConnection(
           System.Configuration.ConfigurationManager.ConnectionStrings["con"].ConnectionString))
using (SqlCommand _cmd = new SqlCommand("select * from SqlInjectionTb where id=@id and pwd=@pwd", _con))
{
    // Convert.ToInt32 rejects non-numeric input such as "1 or 1=1" with a FormatException.
    _cmd.Parameters.AddWithValue("@id", Convert.ToInt32(TxtId.Text));
    _cmd.Parameters.AddWithValue("@pwd", TxtPwd.Text);

    _con.Open();
    DataTable _dt = new DataTable();
    // Execute the SELECT once, via ExecuteReader (ExecuteNonQuery is for INSERT/UPDATE/DELETE).
    using (SqlDataReader _dr = _cmd.ExecuteReader())
    {
        _dt.Load(_dr);
    }
    GridView1.DataSource = _dt;
    GridView1.DataBind();
}
Note:

It does not accept any extra values injected by hackers.
It raises an error instead: when the code above is run with injected input, it throws an exception, as you can see below:
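As an added example (not part of the original post), the following Python script rebuilds the Employee table above in an in-memory SQLite database and runs the "Example 1" fetch and delete queries two ways: first with the user's input concatenated into the SQL text, as the vulnerable form does, and then with parameter placeholders, as the C# code above does. The table contents are constructed from the post; the function names and the numeric-ID check (mirroring Convert.ToInt32) are assumptions for this example.

```python
import sqlite3

# Constructed sample data mirroring the Employee table in the post (not a real system).
EMPLOYEES = [
    (1001, "RahulGanga", "HA123", 10000),
    (1002, "Sathya", "BA321", 20000),
    (1003, "Akhil", "SA132", 30000),
    (1004, "Bubi", "FA213", 40000),
]


def make_db():
    """Create a fresh in-memory database holding the four sample employees."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (Emp_Id INTEGER, Emp_Name TEXT, Emp_Pwd TEXT, Emp_Salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return con


def login_concat(con, emp_id, pwd):
    """Vulnerable: input is pasted into the SQL text, so 'or 1=1' and ''='' become
    part of the WHERE clause, exactly as in the post's Example 1."""
    sql = f"SELECT Emp_Id, Emp_Name FROM employee WHERE Emp_Id={emp_id} AND Emp_Pwd='{pwd}'"
    return con.execute(sql).fetchall()


def login_param(con, emp_id, pwd):
    """Hardened: the SQL text is fixed and the values travel as parameters, so the
    same input is compared as data and matches no row."""
    if not str(emp_id).isdigit():  # same effect as Convert.ToInt32 in the C# code
        raise ValueError("Emp_Id must be numeric")
    sql = "SELECT Emp_Id, Emp_Name FROM employee WHERE Emp_Id=? AND Emp_Pwd=?"
    return con.execute(sql, (int(emp_id), pwd)).fetchall()


def delete_concat(con, emp_id):
    """Vulnerable: 'delete ... where Emp_Id=1 or 1=1' empties the table.
    Returns the number of rows left afterwards."""
    con.execute(f"DELETE FROM employee WHERE Emp_Id={emp_id}")
    return con.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


def delete_param(con, emp_id):
    """Hardened: only the row whose Emp_Id equals the parameter value is removed."""
    con.execute("DELETE FROM employee WHERE Emp_Id=?", (int(emp_id),))
    return con.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
```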