Testing if a site is vulnerable to Sql Injection

Question

I was reading about sql injection and i understand how it works if there is a form where the user can enter his username and login  What i dont get is how websites without a login page can be vulnerable to sql injection   http   thecybersaviours com how-to-find-out-if-a-website-is-vulnerable-to-sql-injection  It says just append a   or      to test it  I dont understand how this helps to determine whether an error exists  Where is the query being constructed at all

User · Answer

SQL Injection can be done on any input the user can influence that isn't properly escaped before used in a query.

One example would be a get variable like this:

http//www.example.com/user.php?userid=5

Now, if the accompanying PHP code goes something like this:

$query = "SELECT username, password FROM users WHERE userid=" . $_GET['userid'];
// ...

You can easily use SQL injection here too:

http//www.example.com/user.php?userid=5 AND 1=2 UNION SELECT password,username FROM users WHERE usertype='admin'

(of course, the spaces will have to be replaced by %20, but this is more readable. Additionally, this is just an example making some more assumptions, but the idea should be clear.)

User · Answer

A login page isn t the only part of a database-driven website that interacts with the database   Any user-editable input which is used to construct a database query is a potential entry point for a SQL injection attack   The attacker may not necessarily login to the site as an admin through this attack  but can do other things   They can change data  change server settings  etc  depending on the nature of the application s interaction with the database   Appending a   to an input is usually a pretty good test to see if it generates an error or otherwise produces unexpected behavior on the site   It s an indication that the user input is being used to build a raw query and the developer didn t expect a single quote  which changes the query structure   Keep in mind that one page may be secure against SQL injection while another one may not   The login page  for example  may be hardened against such attacks   But a different page elsewhere in the site might be wide open   So  for example  if one wanted to login as an admin then one can use the SQL injection on that other page to change the admin password   Then return to the perfectly non-SQL-injectable login page and login as the admin

User · Answer

SQL injection is the attempt to issue SQL commands to a database through a website interface  to gain other information  Namely  this information is stored database information such as usernames and passwords    First rule of securing any script or page that attaches to a database instance is Do not trust user input    Your example is attempting to end a misquoted string in an SQL statement  To understand this  you first need to understand SQL statements  In your example of adding a   to a paramater  your  injection  is hoping for the following type of statement      SELECT username password FROM users WHERE username   username    By appending a   to that statement  you could then add additional SQL paramaters or queries     OR username --     SELECT username password FROM users WHERE username    OR username --   username   That is an injection  one type of  Query Reshaping   The user input becomes an injected statement into the pre-written SQL statement    Generally there are three types of SQL injection methods    Query Reshaping or redirection  above  Error message based  No such user password  Blind Injections   Read up on SQL Injection  How to test for vulnerabilities  understanding and overcoming SQL injection  and this question  and related ones  on StackOverflow about avoiding injections   Edit   As far as TESTING your site for SQL injection  understand it gets A LOT more complex than just  append a symbol   If your site is critical  and you  or your company  can afford it  hire a professional pen tester  Failing that  this great exaxmple proof can show you some common techniques one might use to perform an injection test  There is also SQLMap which can automate some tests for SQL Injection and database take over scenarios

User · Answer

Any input from a client are ways to be vulnerable  Including all forms and the query string  This includes all HTTP verbs   There are 3rd party solutions that can crawl an application and detect when an injection could happen

User · Answer

The easiest way to protect yourself is to use stored procedures instead of inline SQL statements   Then use  least privilege  permissions and only allow access to stored procedures and not directly to tables

User · Answer

The test has to be done on a page that queries a database so yes typically that is a login page because it s the page that can do the most harm but could be an unsecure page as well    Generally you would have your database queries behind a secure login but if you just have a listing of items or something that you don t care if the world sees a hacker could append some sql injection to the end of the querystring   The key with SQL Injection is the person doing the injection would have to know that your querying a database so if your not querying a database then no sql inject can be done  If your form is submitting to a database then yes they could SQL Inject that   It s always good practice to use either stored procedures to select insert update delete or make sure you prepare or escape out all the statements that will be hitting the database

[sql] Testing if a site is vulnerable to Sql Injection

Examples related to sql