Pages

Sunday 28 July 2013

Example of a SQLInjection Attack

Example of a SQLInjection Attack

Here is a sample basic HTML form with two inputs, login and password..




The easiest way for the login.asp to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username' AND
password = '$password’

If the variables
$username and $password

are requested directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

SELECT id
FROM logins
WHERE username = 'Joe' AND
password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE SQL command into a two- component clause.

The 'x'='x' part guarantees to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

No comments:

Post a Comment