Hacking Activity SQL Inject a Web Application
We have a simple web application that is vulnerable to SQL Injection attacks for demonstration purposes only. The HTML form code above is taken from the login page. The application provides basic security such as sanitizing the email field. This means our above code cannot be used to bypass the login.
To get round that, we can instead exploit the password field. The diagram below shows the steps that you must follow
Click on Submit button
You will be directed to the dashboard
The generated SQL statement will be as follows
SELECT * FROM users WHERE email = ' AND password = md5('xxx') OR 1 = 1 -- ]');
The diagram below illustrates the statement has been generated.
SQL Injections can do more harm than just by passing the login algorithms. Some of the attacks include
Deleting data
Updating data
Inserting data
Executing commands on the server that can download and install malicious programs such as Trojans
Exporting valuable data such as credit card details, email, and passwords to the attacker’s remote server
Getting user login details etc
The above list is not exhaustive; it just gives you an idea of what SQL Injection
Automation Tools for SQL Injection
In the above example, we used manual attack techniques based on our vast knowledge of SQL. There are automated tools that can help you perform the attacks more efficiently and within the shortest possible time. These tools include
How to Prevent against SQL Injection Attacks
An organization can adopt the following policy to protect itself against SQL Injection attacks.
User input should never be trusted - It must always be sanitized before it is used in dynamic SQL statements.
Stored procedures – these can encapsulate the SQL statements and treat all input as parameters.
Prepared statements –prepared statements to work by creating the SQL statement first then treating all submitted user data as parameters. This has no effect on the syntax of the SQL statement.
Regular expressions –these can be used to detect potential harmful code and remove it before executing the SQL statements.
Database connection user access rights –only necessary access rights should be given to accounts used to connect to the database. This can help reduce what the SQL statements can perform on the server.
Error messages –these should not reveal sensitive information and where exactly an error occurred. Simple custom error messages such as “Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later” can be used instead of display the SQL statements that caused the error.