SQL METHOD ~ SQL MANIPULATION


                       As in the Earlier post I had discuss that it is  the most commonly described attacks for all types of databases (including SQL Server, MySQL, PostgreSQL, and Oracle).   Let see the SQL MANIPULATION method in some detail with basic......

Note : SQL statements are used in this chapter to demonstrate the  SQL injection method. In order to be programming language neutral, only the developer intended and attacker manipulated SQL statements are presented.  The portions in blue, italics is a sample of what input the programmer is expecting and what an attacker might actually enter into a string field of the application. 

                       The most common type of SQL Injection attack is SQL manipulation.  The attacker attempts to modify  the existing SQL statement by adding elements to the WHERE clause or extending the SQL statement  with set operators like UNION, INTERSECT, or MINUS.  There are other possible variations, but these are the most significant examples.

Example : 

                   The classic SQL manipulation is during the login authentication.  A simplistic web application may check user authentication by executing the following query and checking to see if any rows were
returned –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword'  

The attacker attempts to manipulate the SQL statement to execute as –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'  

Based on operator precedence, the WHERE clause is true for every row and the attacker has gained
access to the application.

The set operator UNION is frequently used in SQL injection attacks.  The goal is to manipulate a SQL
statement into returning rows from another table.  A web form may execute the following query to
return a list of available products –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs%'


The attacker attempts to manipulate the SQL statement to execute as –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs' 
UNION 
SELECT username FROM dba_users 
WHERE username like '%'

The list returned to the web form will include all the selected products, but also all the database users.




Also See : What is SQL Injection ?
                 SQL Injection category.

0 comments:

Post a Comment