What is the concept behind SQL injection? How does SQL injection work?

SQL injection is an attack that relies on adding extra content to user input that is placed into a query, so that the input breaks or modifies the query's syntax in a way the website's developer did not intend.

Even if the statement above is a bit confusing, don't worry; take it easy and you will get it as you go through the answer.

I will take a basic example to explain how it works.

The table below shows the result of a logical OR:

a     | b     | a OR b
------+-------+-------
false | false | false
false | true  | true
true  | false | true
true  | true  | true

If you look carefully, it means that if either of the two statements is true then the result is true: for any statement A OR B, if either A or B is true, the result is TRUE.

Now let's move to the SQL part.

Suppose you have a website with a table called Users which has a Name column (the username) and a Password column, as is usual, so people can sign up and sign in.

When someone logs in, the query that handles the input is, say, this:

SELECT Id FROM Users WHERE Name = '$name' AND Password = '$password';

So in the normal case, say I am the user sunnynehra and I created the password hacksandsecurity. When I sign in, the query becomes:

SELECT Id FROM Users WHERE Name = 'sunnynehra' AND Password = 'hacksandsecurity';

which is fine. I get my login access because there is a user sunnynehra with password hacksandsecurity in the table.

But usernames and passwords are chosen by users, so they could type anything. Suppose a user goes to the login form and enters in the username field: ' OR 1 = 1; -- and in the password field the word password (or anything; it could even be left blank).

Now the query has become:

SELECT Id FROM Users WHERE Name = '' OR 1 = 1; -- ' AND Password = 'password';

So let's first understand what it means. If you are not familiar with SQL but practice any other language: every language has something to denote a comment. In PHP we use // to denote a comment, and in C a comment starts with /* and ends with */. In SQL, -- serves the same purpose: everything after it is treated as a comment, so it is not executed as part of the command and is effectively ignored.

I already explained OR logic, and you can see that 1 = 1 is always true. Because one of the two values (a OR b) is true, the whole condition is true. The condition is followed by --, which marks the start of a comment (the part after it is ignored).

This is how SQL injection works: the input you gave as a username became part of the command (a condition that is always true).

When I used my real credentials, sunnynehra and hacksandsecurity, I logged into the account corresponding to those credentials. But here I simply asked for access where the condition is TRUE (and true holds for every Id). What happens next depends on the rest of the website's code. Most probably (in a typical scenario) I will be logged in as the user with the first Id returned (the first row of the table).

Now you can imagine what could be done with this. You could craft queries to log in as a specific user, read the entire database, or even delete columns or rows (or drop whole tables).

Say I use this to drop the table itself:

SELECT * FROM Users WHERE Name = ''; DROP TABLE Users; --';

The above query can delete the entire Users table (look carefully at the second half of the query), provided the database driver executes several statements in one query.

You can use different queries for different results.

What attackers do is first try some inputs and check how your website deals with special characters. Some websites don't even allow characters like "=" in a username or password. Some do allow them but sanitize or parse them properly and know how to handle them (today there are many ways to prevent this; even placeholders are enough. If you want to discuss prevention further, raise a question on it, or on FIEO, Filter Input, Escape Output, and invite me there). Anyway, attackers check how your website handles these inputs by observing the errors they get back. If the errors show that the database is accepting the input as part of the query, they go for SQL injection (from there, things depend on the website).
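To make the login example and the remark on placeholders concrete, here is an added example (not from the original post) in Python using the standard sqlite3 module: a constructed Users table, the page's string-concatenated login query beside the same query with placeholders, and the page's always-true username payload run against both. The function names and sample rows are assumptions of this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory copy of the page's Users table with two sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users (Name, Password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("sunnynehra", "hacksandsecurity")])
    db.commit()
    return db

def login_vulnerable(db, name, password):
    """The page's query, built by pasting user input into the SQL text.
    Returns the Id of the first matching row, or None."""
    sql = (f"SELECT Id FROM Users WHERE Name = '{name}' "
           f"AND Password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, name, password):
    """Same query with placeholders: the driver binds the input as data,
    so a quote or -- inside it never changes the query's syntax."""
    row = db.execute(
        "SELECT Id FROM Users WHERE Name = ? AND Password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None

# The page's username payload; the trailing semicolon is dropped because
# sqlite3's execute() accepts only a single statement.
PAYLOAD = "' OR 1 = 1 -- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "sunnynehra", "hacksandsecurity"))  # 2: a real login works either way
    print(login_vulnerable(db, PAYLOAD, "anything"))                # 1: logged in as the first row (admin)
    print(login_safe(db, PAYLOAD, "anything"))                      # None: payload treated as a literal name
```

The vulnerable version returns the first row's Id because the WHERE clause collapsed to an always-true condition, exactly as the post describes; the placeholder version compares the whole payload as a username string and finds nothing.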

If you still have trouble understanding it, I will make some videos on such topics (when I get some free time) on my channel: Hacks and Security.

Originally published at https://hacksandsecurity.org.