Introduction to Hacking – SQL Injections

Disclaimer – All the posts in this series are meant to discuss the basics behind the art of hacking, not to provide exploits, regardless of whether I am aware of any. I assure you that the material provided is more than sufficient for any intelligent person to come up with a good hack.

SQL injection is one of the best-known techniques for bypassing authentication wherever a backend database is involved.

Idea behind it – On a normal login page, the usernames and passwords are stored in a database, and when anyone tries to log in, a query is fired at the database to check whether the credentials entered are correct. The query would be something like this:

SELECT * FROM USER_TABLE WHERE USERNAME='WHAT_I_ENTERED' AND PASSWORD='WHAT_I_DONT_KNOW'

Now, in most cases, developers just take the input from the page and concatenate it into a query string, which is then fired at the database. If the query returns any rows, the user is treated as valid and taken to the next page; if it does not, the user is typically thrown back to the login page. In a situation like this, it is not very difficult for anyone to log in to the site without knowing a password. All it requires is some basic knowledge of writing SQL. You tailor your input so that it changes the SQL query being fired at the database, and let yourself in.

How it's done – The first step is to check whether the site we are trying to get into is a suitable candidate for SQL injection, i.e. there is a database behind it and the query is being built by concatenating the inputs into a static string, as shown above. To check this, all that needs to be done is to input a single quote (') in one of the fields and a plausible value in the other. The quote closes the string literal early and leaves the rest of the query malformed, so the database returns an error to the application. If you see an error page, or an application error message in some corner of the page, you are in business. If you see none of that and simply land back on the login page with no error anywhere, don't be disheartened; you still have a chance. What you see depends entirely on the application's error handling: a site that swallows database errors can still be injectable, it just gives you less feedback to work with.

Once this is done, we need to tailor the values we input to get through the login. This requires input that, when concatenated into the query string, not only forms a valid SQL query but also returns some rows. So, basically, I am aiming to fire something like this at the database:

SELECT * FROM USER_TABLE WHERE USERNAME='' OR 1=1 --' AND PASSWORD='ANYTHING'

or

SELECT * FROM USER_TABLE WHERE USERNAME='WHAT_I_ENTERED' AND PASSWORD='' OR 1=1 --'

As is obvious from the above queries, in the first example I entered ' OR 1=1 -- as the username and ANYTHING as the password; the password does not matter, because everything after -- is commented out, including the quote that would otherwise be left dangling. In the second example, where I knew a valid username, I entered it and gave ' OR 1=1 -- as the password. Both queries return the whole table in the result set, and an application that logs in whoever comes back (typically the first row, which is often the administrator) takes me straight through the login. Simple, isn't it? One caveat: in MySQL the -- comment marker must be followed by a space, so type ' OR 1=1 -- with a trailing space (or use # instead) there.

Why we are talking about this – The objective of discussing this is to make developers aware of the possible consequences of careless programming. Building an SQL query by string concatenation is a bad programming practice, and SQL injection is one of the techniques used to exploit it. The way to prevent SQL injection is to use parameterized queries wherever possible: the tailored input is then passed to the database as a value for a column in the query and cannot change the structure of the query in any way. Escaping quotes by hand is a weaker substitute; it is easy to miss a case, and parameters remove the problem entirely rather than patching over it.
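As an added example (not code from the original post), here is the login logic discussed above in Python against an in-memory SQLite table constructed for the demo. It shows the concatenated query beside the parameterized one, runs the single-quote probe and both payloads from the post against each, and reports what each version does. The table contents, function names and the plaintext password column are assumptions made for the demo.

```python
import sqlite3

# Constructed demo data (assumption): a tiny in-memory USER_TABLE with the column
# names from the post. Real systems store password hashes, not the password itself.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_TABLE (USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO USER_TABLE VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the post describes: input concatenated straight into the SQL."""
    query = ("SELECT * FROM USER_TABLE WHERE USERNAME='" + username +
             "' AND PASSWORD='" + password + "'")
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # The single-quote probe ends up here: the database rejects the broken
        # query, and that rejection is the tell-tale error page or message.
        return ("error", str(exc))
    # Typical sloppy logic: any row at all means "valid user", and the first row wins.
    return ("ok", rows[0][0]) if rows else ("denied", None)

def login_parameterized(conn, username, password):
    """The fix: values travel separately from the SQL text and cannot alter its structure."""
    rows = conn.execute(
        "SELECT * FROM USER_TABLE WHERE USERNAME=? AND PASSWORD=?",
        (username, password)).fetchall()
    return ("ok", rows[0][0]) if rows else ("denied", None)

def demo():
    """Run the probe and the two payloads from the post against both versions."""
    conn = make_db()
    probe = "'"
    payload = "' OR 1=1 --"   # SQLite accepts -- without a trailing space; MySQL needs one
    return {
        "probe": login_vulnerable(conn, probe, "x")[0],                          # 'error'
        "username_payload": login_vulnerable(conn, payload, "ANYTHING"),         # ('ok', 'admin')
        "password_payload": login_vulnerable(conn, "alice", payload),            # ('ok', 'admin')
        "legit": login_vulnerable(conn, "alice", "wonderland"),                  # ('ok', 'alice')
        "fixed_username_payload": login_parameterized(conn, payload, "ANYTHING"),  # ('denied', None)
        "fixed_legit": login_parameterized(conn, "alice", "wonderland"),           # ('ok', 'alice')
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Note that the parameterized version receives exactly the same payload strings and simply looks for a user literally named ' OR 1=1 --, which does not exist; the quote and the comment marker never reach the SQL parser as syntax.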

Keep coding !!!!!!!!


Technical Helpdesk

Ok… the funniest thing happened last evening. We are currently in the process of integrating a renowned payment gateway with our site, and they have provided an API for it. We have been having compatibility issues between their API and the IBM JRE used in our project.

Now, I was driving back home when I got a call from this bank guy asking about the issues we were facing with the integration. He said he was calling from the technical helpdesk. Confident as he was, without even hearing me out, he went on about how this was a simple thing that should have been accomplished within a couple of days, and so on. I asked him whether he knew which version of Java their API is compatible with, and he said, “Ahh, don't worry about that, we are compatible with all versions of Java… 2000, XP, even 2003. If you are facing any issues, just restart your IIS and it will work.” Turned out he was a sales guy from the bank. 🙂

PS – I actually got hold of the payment gateway's development team today, and, ironically, they gave in when they realized that we are on the IBM JRE.

Fantastic morning – More about Capital Culture

I have dearly missed blogging since this morning, but I couldn't help it; I got into the office after 2 PM after a really eventful and funny day.

I was driving back from Ghaziabad, a suburb across the Yamuna, after dropping off my sister, and while driving up a flyover in packed traffic my car broke down and showed no intention of starting up. I popped the hood and figured that either the battery was dead or carbon on the terminals was breaking the circuit, while I waited in the middle of the road for the Car Helpline guy. Meanwhile, the traffic started to suffer and I started getting reactions of all kinds: “Kya hua?” (“What happened?”), “Did it break down?”, swearing, “Why don't you move it to the side?” and what not.

Just when I was about to get annoyed and lose it at one of the jerks, I realized I was stuck in one of the most beautiful spots in Delhi. It is the only place in Delhi from which you can see 5 miles (maybe a lot more) of empty space, the river, a really beautiful highway, a cloudy morning with a nice breeze and no sun… all in all, an amazing view that I could never have got otherwise on this high-speed highway. I moved to the back of my car and started directing vehicles to clean up the mess a bit, and soon enough the traffic was back in full swing and I was fully enjoying my job as a stranded traffic policeman in those great surroundings.

And then came a gentleman who got off his bus to ask whether he could help, which was a surprising gesture considering that the nearest bus stop where he could get another bus was two miles back and he hardly knew how to fix the thing at all. He did help me move my car to the side, and then I helped him hitch a ride on a bike and he rode off.

Finally, the Car Helpline guy arrived and got the car working again, I got the battery replaced at a nearby dealer, and I got into the car to drive back to the office, and exactly then it started raining cats and dogs. That's what I call perfect timing… which became all the more perfect when it stopped as soon as I got out of the car in front of my office.

The funniest part was that, thanks to the weather and the fun I was having while stranded, I never felt annoyed, tired or irritated, and enjoyed it thoroughly.

Hmm… looking forward to getting stranded like that again, of course, without spending that ridiculous amount again.

Intro to hacking – Essentials

* Just couldn't sleep thinking that I might have left a few souls disappointed with my previous post, so I had to write this one.


A hacker is anyone who has the skills of a hacker and understands the spirit. The skills of a hacker include the following, in my opinion:

  • At least one programming language or scripting language.
  • Knowledge of HTML and JavaScript.
  • Basic database skills and PL/SQL.
  • Basics of operating systems and networks.
  • Very good troubleshooting skills and logical thinking.
  • The ability to quick-read and understand code patterns.
  • Social engineering.

Some of these are necessary; however, traits like troubleshooting and recognizing code patterns are things one learns over time. Anything beyond this just makes it easier to accomplish whatever one wants by providing more options. Knowing at least one high-level programming language thoroughly, plus one scripting language, is a real must, as is knowledge of operating systems and HTML.

Just to give a small example of how things work while hacking, and how one of these skills can be used to accomplish a task: imagine a website that requires a password to get through, which of course you don't have. There are multiple ways to find the password: ask the site admin (don't laugh, guys, it is a way and really is an option), OR find out how the site does its authentication and figure out a way to crack it. In a hypothetical situation, suppose the site admin has server-side scripting that checks the password against some encrypted source to which you have no access; however, there is a "forgot password" button that sends an email to the site admin with the password in it. Now, most static sites have no backend database to store information, so most of it is stored within the web content itself, either in files other than the pages being served or in the pages as hidden fields, which can easily be looked up by viewing the source of a web page.

In such a case, we use JavaScript injection. JavaScript injection is a technique in which, using the browser's address bar (a javascript: URL), we issue JavaScript commands to the browser to dynamically change the values of the web page's form fields, including the ones that are hidden or read-only. So, you know what to do: the address that receives the password mail is just another field the client submits, and anything the client submits can be changed before it is sent.
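As an added example (not from the original post), here is the hidden-field scenario above worked through in Python: a constructed static "forgot password" form, the recon step that pulls hidden fields out of its source, the tampering that a javascript: URL would do in the browser (modelled here as a plain dictionary edit, since the browser side cannot run offline), and the server-side handler first trusting and then ignoring the tampered field. The page markup, the field names and ADMIN_EMAIL are assumptions made for the demo.

```python
from html.parser import HTMLParser

# Constructed sample page (assumption): a static "forgot password" form that carries
# the recipient address in a hidden field, as in the post's hypothetical site.
PAGE = """
<form action="/forgot" method="post">
  <input type="hidden" name="to" value="admin@example.com">
  <input type="hidden" name="template" value="password_mail">
  <input type="text" name="user">
  <input type="submit" value="Send me my password">
</form>
"""

class HiddenFieldFinder(HTMLParser):
    """Collects hidden inputs: exactly what 'view source' shows an attacker."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name")] = a.get("value")

def find_hidden_fields(html):
    parser = HiddenFieldFinder()
    parser.feed(html)
    return parser.hidden

def tamper(form, field, value):
    """What javascript:document.forms[0].<field>.value='...' does in the browser,
    reduced to a dictionary edit so it runs offline."""
    tampered = dict(form)
    tampered[field] = value
    return tampered

ADMIN_EMAIL = "admin@example.com"   # assumption: configured on the server, not in the page

def forgot_password_vulnerable(form):
    """Trusts the hidden field: the mail, password included, goes wherever the client says."""
    return {"to": form["to"], "about": form["user"]}

def forgot_password_hardened(form):
    """Recipient is fixed server-side; a client-supplied 'to' is simply ignored."""
    return {"to": ADMIN_EMAIL, "about": form["user"]}

def demo():
    """Recon, tamper, then submit to both handlers."""
    hidden = find_hidden_fields(PAGE)
    form = dict(hidden, user="victim")
    evil = tamper(form, "to", "attacker@example.net")
    return {
        "hidden": hidden,
        "vulnerable_to": forgot_password_vulnerable(evil)["to"],   # attacker@example.net
        "hardened_to": forgot_password_hardened(evil)["to"],       # admin@example.com
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The lesson for the developer is the same one the post draws: a hidden or read-only attribute is a rendering hint, not a security control, so anything the server must not let the user choose has to live on the server.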

Now, this teaches us a few important lessons, as hackers and as developers:

  • All hacks in some way exploit a loophole left by one of the developers or admins.
  • There is a lot of logical thinking involved in figuring out all the possible hacks that could be used against a certain target. And of course, common sense.
  • The address bar of Internet Explorer (or any browser) is a powerful tool.
  • It is not a good idea to leave important information in any form in the HTML at all; anything the browser receives, the user can read and change.

Think the hacking way, understand the hacking spirit, and you will develop applications that withstand security threats.

🙂 If you think you just learnt a big trick for getting into a site without authenticating, you are mistaken. This isn't something that will work on most of the sites you land on. It takes a lot more thinking and effort than this to really accomplish anything with JavaScript injection.