How SQL Injection works - part 2

hey guys,
first of all sorry for not posting anything for a long time. I've been very busy since last of couple of months. Err.. I know I didn't posted anything for even more longer :P

Note: This article is for educational purpose only. Hack The Dark will not be responsible for any misuse or any harm caused to any property or person or anything else.

Anyways, lets get started from where we left last time.

In the Last article, we learned how you can use SQL Injections to hack into vulnerable website. Some of you might be wondering how this SQL injection actually works.

So we are gonna cover the working on SQL and SQL injections inside the box. In order to move forward, I need to have basic knowledge of atleast. Now, if you want me to provide some links which you can add in your browsers bookmarks and never ever gonna open them back, then its not gonna happen. Hit google, and it will spit out some really good articles about SQL.

Now, lets get started.

Assuming, you are using latest version of mysql server (can use SQL server as well), first we will gonna create a simple table of users. Just copy the below query and run it in your sql wizard.

  `username` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL

Once table is created, lets insert few records in it. Use below SQL query to insert few records.

INSERT INTO `users` (`username`, `password`) VALUES
('admin', '123456'),
('administrator', 'hackthedark');

Since, we have a table with some records in it. So now if a user tries to login in application, the server side script will gonna fetch the records from login form and check the database with following query:

SELECT * FROM `users` WHERE username = '<USERNAME>' AND password = '<PASSWORD>';

If the supplied username and password combination found in the database then it will return the result else it will return a empty set of record. So far so good.
Since in last article I showed a simple SQL injection string i.e. 'or'1'='1
Here lets try to put this string in place of password in above SQL query and see what happens,

SELECT * FROM `users` WHERE username = '<USERNAME>' AND password = ''or'1'='1';

Lets run this query in SQL wizard now. ....Viola, It returns all the records. We successfully performed the SQL injection.

If we look closer the SQL query after injecting the SQL injection string, this is HOW it worked:

The OR part from our SQL inection string actually separated the WHERE clause of SQL query into two parts:
1st part:

SELECT * FROM `users` WHERE username = '<USERNAME>' AND password = ''

2nd part:


Here 1st part returned empty set while the 2nd part returned complete set, since both are the part of same query so we get a complete set of results and will successfully able to login into the website. :)

That's all for this article.
In the upcoming article we will learn how you can create your very own SQL injection strings and how to protect your website from SQL injection.

Till then, keep learning. keep rocking :)
Next Post »