So guys, today we are going to learn about SQL injection. Yeah, I know most of you already know about this. However, let's see what it is and what is happening under the hood.
First of all, let me introduce what SQL is.
SQL stands for Structured Query Language. It is used to work with databases: we can store data, make queries, and delete or update data with this language.
Let's get started.
Here is the login page.
It asks for a username and a password. Then the web application asks the database:
"Do you have a user with username 'Test' and password 'cat'?"
If the database says the login details are correct, the web application lets the user in.
Let's see how the back-end script handles the user-entered data.
$username = $_POST['username'];  // taken straight from the request, no checks at all
$password = $_POST['password'];
$query = "select username,password from users where username='$username' and password='$password' limit 0,1";
$result = mysql_query($query) or die(mysql_error());  // die() is what prints the MariaDB error shown further down
$rows = mysql_fetch_array($result);
if ($rows) { echo "Login successful"; }
else { echo "login data invalid"; }
First it gets the POST data and puts it directly into a SQL query. It does not check what kind of data was submitted. (The script uses the old mysql_* extension, which was removed in PHP 7; the injection works exactly the same way with mysqli_query() when the query string is built like this.) Here is the SQL query which is used.
SELECT username,password FROM users WHERE username='$username' AND password='$password' LIMIT 0,1 ;
So we are going to fuzz the web application. Wait, what does fuzzing mean? Fuzzing is giving the web application unexpected data (long strings, integers, special characters and so on) and watching how it reacts.
We know that if we want to break a SQL query we input an apostrophe '
or a double quote "
This time I enter user
as the username and test'
as the password. Did you notice the single quote after 'test'? So the query becomes:
SELECT username,password FROM users WHERE username='user' AND password='test'' LIMIT 0,1 ;
So I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near
'test''' at line 1
Do you think 'What the fuck happened here?' Let me explain. Think only about this part:
AND password='test'' LIMIT 0,1
The script takes our input and puts it between two quotes. If I enter test, it becomes password = 'test'.
Because of the quote we entered after test, the query thinks our input string is over.
If there was nothing more after it, the query would be fine. But there is another quote (the closing one the script itself added) and some more code after it: ' LIMIT 0,1
According to SQL syntax rules this is not correct, and that is what throws the error.
Is this all we wanted? No, we want to break this web application and bypass the login. For that we need some logic. Think about what happens if I enter this string as the password (note the space after the two dashes):
test' or 1 = 1 -- 
This time our query becomes
SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1 -- ' LIMIT 0,1 ;
In MySQL/MariaDB, -- followed by a space starts a comment, and so does the pound character #. Everything after it up to the end of the line is ignored. The space matters: --' on its own is not a comment, which is why you often see the payload written as --+ in URLs, where the + decodes to a space. So if we want to comment out or block some part of a query we can use this. In this query everything after -- is thrown away,
so we only care about the part before -- .
Only that part of our query is executed:
SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1
This is where logic comes into play. Look at the part of the query below and you can understand what's happening.
password ='test' or 1 = 1
The interesting thing about the OR operator is that it checks two Boolean statements and returns true if one of them or both are true.
So if the password is equal to the string test, or 1 = 1, it returns true. As 1 is always equal to 1, the query no longer cares whether the password is correct.
One caveat worth knowing: AND binds tighter than OR, so the database reads the whole condition as (username='user' AND password='test') OR 1 = 1, which is true for every row in the table. Because of LIMIT 0,1 it hands back the first row of users, so you are logged in as whoever that first user is, not necessarily as 'user'.
So we could bypass the password check. Great. But wait, what if we don't know the username either?
Then we can use this string as the username and anything as the password (again with a space after the dashes):
user' or 1 = 1 -- 
This time our query is:
SELECT username,password FROM users WHERE username='user' or 1 = 1 -- ' AND password='xxxx' LIMIT 0,1 ;
As it ignores everything after --,
it doesn't care about the password at all. It lets us into the web application.
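Here is an added, runnable example that is not part of the original tutorial and not the author's PHP. It rebuilds the login check in Python on an in-memory SQLite database (standing in for MariaDB) with a constructed users table, runs the three inputs from above (the stray quote, the password payload and the username payload) against a vulnerable string-built query, and runs the same inputs against the fix: a parameterised query, where the driver sends the input as data instead of SQL text. The table contents, function names and the 'admin' first row are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for this example (not from the original post):
# a tiny users table whose first row is the admin account.
SAMPLE_USERS = [("admin", "s3cret"), ("user", "cat")]


def make_db():
    """Build an in-memory SQLite database standing in for the MariaDB backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Same mistake as the tutorial's PHP: user input is spliced into the SQL text.

    Returns the username of the row the database matched (who we are logged in
    as), or None when nothing matched. Raises sqlite3.OperationalError when the
    input breaks the syntax, the SQLite counterpart of the MariaDB error above.
    """
    query = (f"SELECT username,password FROM users WHERE username='{username}' "
             f"AND password='{password}' LIMIT 0,1")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: placeholders. The driver passes the input as data, so a quote
    or a comment marker inside it can never change the structure of the query."""
    query = ("SELECT username,password FROM users WHERE username=? "
             "AND password=? LIMIT 0,1")
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def try_login(login, conn, username, password):
    """Run one login attempt and map a SQL syntax error to the string 'error'."""
    try:
        return login(conn, username, password)
    except sqlite3.OperationalError:
        return "error"


# Payloads from the tutorial. The comment marker carries a trailing space,
# which MySQL/MariaDB require for "-- " to be a comment (SQLite does not care).
STRAY_QUOTE = ("user", "test'")
PASSWORD_PAYLOAD = ("user", "test' or 1 = 1 -- ")
USERNAME_PAYLOAD = ("user' or 1 = 1 -- ", "xxxx")


def run_demo():
    """Return {label: (vulnerable result, safe result)} for each input."""
    conn = make_db()
    cases = {
        "valid": ("user", "cat"),
        "stray quote": STRAY_QUOTE,
        "password payload": PASSWORD_PAYLOAD,
        "username payload": USERNAME_PAYLOAD,
    }
    return {label: (try_login(login_vulnerable, conn, *creds),
                    try_login(login_safe, conn, *creds))
            for label, creds in cases.items()}


if __name__ == "__main__":
    for label, (vuln, safe) in run_demo().items():
        print(f"{label:17} vulnerable={vuln!r:9} safe={safe!r}")
```

Two things to notice when you run it. Both payloads log the vulnerable version in as admin rather than as user, because OR 1 = 1 matches every row and LIMIT 0,1 returns the first one. The parameterised version treats test' and the -- payloads as literal password strings, so it simply finds no row, and the stray quote is no longer a syntax error either, since the quote never reaches the SQL parser.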
So guys, I hope you got an idea of what SQL injection is. In the next tutorials we are going to go deeper and learn new things.