WebProNews Ad Rates Click Now!
Read WebProNews
With Friends!

How Bad Guys Hack into Websites Using SQL Injection

Get the WebProNews Newsletter!
By · May 22, 2006 · 30 Comments

SQL Injection is one of the most common security vulnerabilities on the web. Here I’ll try to explain in detail these kinds of vulnerabilities with examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web technologies you may be wondering what SQL stands for. Well, it’s an acronym for Structured Query Language (pronounced “sequel”). It’s “de facto” the standard language to access and manipulate data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and access data.

Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, that’s simple, but what happens exactly on the server when he checks your credentials?

The client (or user) sends to the server two strings, the username and the password.

Usually the server will have a database with a table where the user’s data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this:

SELECT * FROM users WHERE username='SUPPLIED_USER' AND password='SUPPLIED_PASS'

For those of you who are not familiar with the SQL language, in SQL the ‘ character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user.

In this example we see that the username and password supplied are inserted into the query between the ‘ and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).

Now, what happens if a user types a ‘ character into the username or password field? Well, by putting only a ‘ into the username field and leaving the password field blank, the query would become:

SELECT * FROM users WHERE username=''' AND password=''

This would trigger an error, since the database engine would consider the end of the string at the second ‘ and then it would trigger a parsing error at the third ‘ character. Let’s now see what would happen if we would send this input data:

Username: ' OR 'a'='a Password: ' OR 'a'='a

The query would become SELECT * FROM users WHERE username='' OR 'a'='a' AND password='' OR 'a'='a'

Since a is always equal to a, this query will return all the rows from the table users and the server will “think” we supplied him with valid credentials and let as in – the SQL injection was successful :) .

Now we are going to see some more advanced techniques.. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users ( username VARCHAR(128), password VARCHAR(128), email VARCHAR(128))

There’s a single row in that table with data:

username: testuser password: testing email: testuser@testing.com
To check the credentials I made the following query in the PHP code:

$query="select username, password from users where username='".$user."' and password='".$pass."'";

The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).

So, last time I showed you how SQL injection basically works. Now I’ll show you how can we make more complex queries and how to use the MySQL error messages to get more information about the database structure.

Lets get started! So, if we put just an ‘ character in the username field we get an error message like You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”” and password=”’ at line 1

That’s because the query became

select username, password from users where username=''' and password='' What happens now if we try to put into the username field a string like ‘ or user=’abc ? The query becomes

select username, password from users where username='' or user='abc ' and password=''

And this give us the error message Unknown column ‘user’ in ‘where clause’

That’s fine! Using these error messages we can guess the columns in the table. We can try to put in the username field ‘ or email=’ and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ‘ or email=’testuser@testing.com in both the username and password fields and our query becomes

select username, password from users where username='' or email='testuser@testing.com' and password='' or email='testuser@testing.com'

which is a valid query and if that email address exists in the table we will successfully login!

You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field ‘ or user.test=’ and you will see an error message like Unknown table ‘user’ in where clause

Fine! Let’s try with ‘ or users.test=’ and we have Unknown column ‘users.test’ in ‘where clause’

so logically there’s a table named users :) .

Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use these informations in an attack.

Add to | DiggThis | Yahoo! My Web

Technorati:

The author is a 23-year-old coder. He specializes in computer security, C and PHP coding, networking and server administration.

RELATED ARTICLES:

Hack Turns Building Into a Playable Game of Tetris

Hack Turns Building Into a Playable Game of Tetris

Students at MIT converted one side of the Green Building at MIT into a full color working version of the game Tetris. According to IHTFP: Interesting Hacks To Fascinate People: The MIT Gallery of...
Windows XP Users: Upgrade Now, Or Forever Be Hacked

Windows XP Users: Upgrade Now, Or Forever Be Hacked

It's been almost 11 years since the launch of Windows XP in October of 2001. The operating system is getting on in years and Microsoft has done their best to get people to upgrade. Unfortunately, it...
Utah Department Breach: Hackers Stole Approximately 280K SSNs

Utah Department Breach: Hackers Stole Approximately 280K SSNs

We reported to you earlier that over 181,000 MEDICAID/CHIP enrollees had their personal information stolen and 25,000 of those people had their Social Security numbers (SSNs) compromised after the Uta...
Top Rated White Papers and Resources
There are 30 Comments. Add Yours.
  1. Guest
    Reply

    its not working.. perhaps the site iam trying to hack has tremendous security

  2. Guest
    Reply

    well, i have an Ip that i want to hack, username and a password, but it says that i m not allowed as a member. How can i change my ip, or idk? make something that allows me to entry?

  3. Nemesis
    Reply

    Hi. I want to hack my university’s "student information database". Well the problem is, one can only be able to hit tha database only if he is using university’s computer. The server uses a student ID and a seven digit password. The first three digits of everyone’s password are ‘uiu’ and other four is numeric (0-9). Can you tell me where can I find any software which will generate a combination for the last four digits and continue hitting the server until it finds the appropriate password?

    • Guest
      Reply

      If you know the first three digits and you also know that last four digits are numeric means they are from 0-9……………

      use the permutaions and combinations to solve thi s

      find out theways and then try it on each every time

    • Try them yourself man. There are only 9999 possibilities. Do like a few hundreds everyday and if your lucky, and the numeral is under 5000, you will get to it even quicker..

  6. Guest
    Reply

    Hi. I hope someone can help me retrieve my username and password on my types. I forgot both, have changed email adresse and now I cant get in to change my blog! Any suggestions?

  7. theHolyOne
    Reply

    hello all, am a newbie at this. I need to hack into a bank’s online banking, i already succeded with sql injections, i got root and their long password, but cant connect to the database except through the website. How else do i do this. I am a newbie and this is my first attempt.

    Will check here for response

  8. paul
    Reply

    Hallo, i am new in hacking through sql injection and i dont know much about it though i understand a bit of mysql, php, html n javascript. We have a system whereby to access the internet on has to submit a username and a password. I will be greatfull if you can give me tips on how to go about it. Please inform me what is necessary to achieve this. Thank you

  9. Want help
    Reply

    we hav a group for hacking ! if u know about hacking & u can hack web or wap sites , u can join with us………. we can pay u tooo……

    • unknown
      Reply

      yoo what site you talk about, mean at the dude who commented bout a hackin group. I’ll love to know the location of the group cause i got interest in newbies. In the real i won’t say i’m a newbie but i have intrest in them so reach me trough 61139672 intl. (don’t mind my use of english cause i aint commin in group)

    • viraj
      Reply

      I can hack dude so where I have to contact,,,,,, websites wifi database I can easily access so give me contact info if u r inerested

  10. Guest
    Reply

    I’d be more interested in ensuring that the characters used to do the injection are not acceptable to the field. In Oracle Forms, OpenROAD frames, MS Access Forms, the input fields can all be given formats which will not accept anything detrimental, eg filters out anything but A to Z, a to z, or 0 to 9. Where the field is an object which has an event such as ‘on exit’ or ‘on setvalue’ then code attached to these events can spot bad characters and blank the whole form, or even report the IP Address of the machine or virtual machine attempting to do the hack.

  11. Guest
    Reply

    I want to hack grandchasers

  12. Guest
    Reply

    dear bro,

    I tried ur all tricks….i got how the query is going yo execute in my college attendence site…. still working…. i hope i may get success

    • Guest
      Reply

      hey bro. i read this page

      “http://www.webpronews.com/expertarticles/2006/05/22/how-bad-guys-hack-into-websites-using-sql-injection”

      i would hope that you could share some of your hacking knowledge with me. would that be possible?

  13. Dan
    Reply

    Im not entirly sure, but i want to retrieve account information be a program that enters a-z combinations for accounts that work. I use heidi sql and navicat pro do play with SQL. im souly hacking for a good purpose and would appreciate ANY HELP

  14. Humanity
    Reply

    Learn propper hacking, that was to the commenters, read. Learn a decent operating system, stop whining. TTFN.
    Humanity.

  15. matt
    Reply

    i tried this trick on a subscription dating site and it worked.. not gonna disclose it for security purposes..well i will still like to get more trick to decoding more sites with high security parameters.. cudos.. keep the good work going i am proud of you

    • eaglesflyhigh
      Reply

      hey pal, hows the going?….i’d love to learn some tricks from you
      please, write me via deedspeed_772000@yahoo dot com
      thank you for replying

    • hi matt…can you teach me…how to hack database of email subscribers…and perhaps can you hack clickbank.com subscribers…we can be millionaire if you can do this…

      Looking forward to see your hacking brilliance…

  16. eaglesflyhigh
    Reply

    hey Genius, i’d love to have a master…. someone who will teach me how to hack a server without been noticed….. been trying to get into a server for about 5 months but i think the admin is super-protected…i’d need someone to take me through….contact me via deepspeed_772000 @yahoo dot com ….perhaps add me to your yahoo messenger and we could start from there…

  17. Guest
    Reply

    I like boobie

  18. vishalthe legend
    Reply

    nt wrkng in facebook or orkut user name and password field

  19. Abdul Azeez
    Reply

    i like ur logic.i had not yet tried this type logic in server side validation test.

    i m getting scared to give u my email id because u can hack it by using sql injection.
    ok lets come to the point.

    can i use my coding or program with any of my hand-held device.
    for e.g :-in any atm,card swapping how does it works
    or in ibm laptop by swapping a finger we are able to access desktop

  20. Thank God.. now I’m safe from hackers.. many of my web pages were showing MySQL errors with DB info.. I didnt knew that this can get my site hacked..

  21. me
    Reply

    dear intelligents i’d like u contact coz i get u very easy money transfer web with only 4 digit password. If u rather interest in it we can co-operate…good luck.

  22. Prconja
    Reply

    Hello matija please email me at filip.radic93@gmail.com i want to ask you something. I need your help really badly!

  23. Um, i need help hacking the parental controls on my dads compy, pls help

What do you think? Respond.

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

WebProNews Videos | Advertise | About Us | Newsletter | Archive | News Feeds | Terms & Conditions | Contact Us

WebProNews is an iEntry Network ® publication - © 1998-2012 All Rights Reserved.