Shawndouglas: Added further reading

2016-08-10T22:12:00Z

Added further reading

← Older revision		Revision as of 22:12, 10 August 2016
Line 4:		Line 4:

	===To prevent this type of attack===		===To prevent this type of attack===
	* ~~use~~ prepared statements to access the database ''– or –''		* Use prepared statements to access the database ''– or –''.
	* ~~use~~ stored procedures, accessed using appropriate language/library methods or prepared statements		* Use stored procedures, accessed using appropriate language/library methods or prepared statements.
	* Always ensure the DB login used by the application has only the rights that are needed		* Always ensure the DB login used by the application has only the rights that are needed.

	===Rationale===		===Rationale===
Line 17:		Line 17:
	====Example====		====Example====
	If the input for the title of the page on this website were vulnerable to SQL injection then the URL that would be used for the attack is '''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''. A simple test to reveal if the input is vulnerable would be to add ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>'</nowiki>''' because this SQL syntax would break the query and show an SQL error on the page. The next query could be to select usernames and hashed passwords with something like ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>1%20UNION%20ALL%20SELECT%20user_pass%20FROM%20wiki_user;--</nowiki>'''. The ;-- on the end ends the query and makes the remaining query a comment. Files containing password salts could be dumped to allow an attacker to begin cracking passwords and gain access to administrator accounts using the '''select load_file()''' query. A query like this one could be used to gain shell access to the server: ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''UNION%20SELECT%20<? system($_REQUEST['cmd']); ?>,2,3%20INTO%20OUTFILE%20"shell.php";--'''		If the input for the title of the page on this website were vulnerable to SQL injection then the URL that would be used for the attack is '''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''. A simple test to reveal if the input is vulnerable would be to add ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>'</nowiki>''' because this SQL syntax would break the query and show an SQL error on the page. The next query could be to select usernames and hashed passwords with something like ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>1%20UNION%20ALL%20SELECT%20user_pass%20FROM%20wiki_user;--</nowiki>'''. The ;-- on the end ends the query and makes the remaining query a comment. Files containing password salts could be dumped to allow an attacker to begin cracking passwords and gain access to administrator accounts using the '''select load_file()''' query. A query like this one could be used to gain shell access to the server: ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''UNION%20SELECT%20<? system($_REQUEST['cmd']); ?>,2,3%20INTO%20OUTFILE%20"shell.php";--'''

			==Further reading==
			* [[wikipedia:SQL injection\|SQL injection]]

	==Notes==		==Notes==
	The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/SQL_injection the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.		The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/SQL_injection the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Shawndouglas: Created as needed.

2016-08-10T20:33:35Z

Created as needed.

New page

{{TOC right}}
==SQL injection==
An SQL injection vulnerability occurs if user input included in database queries is not escaped correctly. This type of vulnerability allows attackers to change database queries, which can allow them to obtain or modify database contents.

===To prevent this type of attack===
* use prepared statements to access the database ''– or –''
* use stored procedures, accessed using appropriate language/library methods or prepared statements
* Always ensure the DB login used by the application has only the rights that are needed

===Rationale===
Escaping input manually is error-prone and can be forgotten. With prepared statements, the correct escaping is automatically applied. This also avoids issues with different input interpretation (charset, null byte handling etc.) which can lead to hard-to-find vulnerabilities.
Using a database login with limited access rights limits the impact of successful attacks.

====Exploitation====
SQL injection can compromise any information in the database and even lead to full system compromise. It can be used to add PHP, HTML, and JavaScript code to web pages and create files. Arbitrary content added to the website can be used for malicious attacks against users and to gain shell access to the server.

====Example====
If the input for the title of the page on this website were vulnerable to SQL injection then the URL that would be used for the attack is '''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''. A simple test to reveal if the input is vulnerable would be to add ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>'</nowiki>''' because this SQL syntax would break the query and show an SQL error on the page. The next query could be to select usernames and hashed passwords with something like ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''<nowiki>1%20UNION%20ALL%20SELECT%20user_pass%20FROM%20wiki_user;--</nowiki>'''. The ;-- on the end ends the query and makes the remaining query a comment. Files containing password salts could be dumped to allow an attacker to begin cracking passwords and gain access to administrator accounts using the '''select load_file()''' query. A query like this one could be used to gain shell access to the server: ''<nowiki>https://en.wikibooks.org/w/index.php?title=</nowiki>'''''UNION%20SELECT%20<? system($_REQUEST['cmd']); ?>,2,3%20INTO%20OUTFILE%20"shell.php";--'''

==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/SQL_injection the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

LII:Web Application Security Guide/SQL injection - Revision history

Shawndouglas: Added further reading

Shawndouglas: Created as needed.