Introduction to SQL Injection
SQL Injection is a technique that lets an attacker exploit weak validation of input data in a web application, together with the error messages returned by the database management system, to inject and execute illegitimate SQL query statements. SQL Injection can allow an attacker to delete, insert and update data in the application's database, and even to act on the server the application runs on.
- SQL Injection is known as an attack vector against web applications whose data is managed by database management systems such as SQL Server, Oracle, MySQL, DB2, Sybase, etc.
- SQL Injection is a popular web application attack technique, especially against PHP and ASP applications, because of how widespread these web applications are.
– Consequences: When a web application is attacked by SQL Injection, the consequences are immense:
- Reading data it is not allowed to read in the database: An attacker can read important data in the database such as user account information (including email, password, bank card information, etc.), information about the administrator account, server information, etc.
- Unauthorized modifications: In the SQL Injection attack technique, by inserting statements such as insert, update, delete, etc. into the database query statements, an attacker can add, edit and delete fields in the database arbitrarily, without holding any rights to do so.
In addition, an attacker could use it to log in with administrator rights and then make the database modifications through legitimate functionality.
- Executing remote attack code: In addition to inserting query statements into the database, an attacker can insert dangerous script code for other attack purposes, attacking the web application system remotely.
SQL Injection exploit directions
Dangerous SQL scripts can be injected into a query in a variety of ways.
– Through user input
User input is the data the user enters while interacting with the web application through input forms: the account and password used to log in to the system; user information such as date of birth, email, etc.; the search box, used to request a search for information in the system; and so on.
- The data entered by the user is sent to the server by the web browser (HTTP GET or POST) and becomes a parameter the web application uses to access the database.
For example, when a user enters the phrase "SQL Injection" in the search box, the web browser sends the server a search request, the web server looks in the database for the records whose content contains the keyword "SQL Injection", and the results are returned to the user.
- In the image above, when the user enters User ID = 1, the browser sends an HTTP GET request to the server with the parameter id = 1, which appears in the browser's URL bar. When the request is received, the web application looks up the record with id = 1 in the database and returns it to the user.
- We can perform an SQL Injection attack by passing SQL statements through these input parameters.
– Through cookies
- Cookies are files that store user state information for access to web applications. This information is decided by the programmer, created on the server and stored on the client.
- Because they are stored on the client, the user can edit them freely, so if the web application uses the information stored in cookies to build queries to the database, the hacker can insert SQL scripts into the cookie to execute an SQL injection attack.
– Through server variables
- Server variables are variables used in the process of transferring information between clients and servers, such as HTTP headers, network headers, etc.
- The values stored in server variables can be used by the web application, for example for access logging or user-agent access statistics. These tasks all interact with the database, so an attacker could use server variables to exploit SQL Injection.
– Second-order Injection
This technique is rarely used because it is very difficult to tell whether a web application has this flaw. The technique is described as follows: First, the attacker "injects" a piece of code into the database. This code is not dangerous to the system by itself, but it serves as a springboard for the hacker's next injections. Let's take a look at a specific example to better understand this technique. A hacker accesses a web application and registers an account with the username “administrator” – “. The hacker then proceeds to change the password. The password change operation is handled by the web application as follows:
With the username registered above, the query becomes:
As a result, the attacker has changed the password of the administrator account and can log in as the administrator.
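The second-order scenario above, reconstructed as an added example that is not part of the original article: it uses an in-memory SQLite database, takes the crafted username to be the string administrator followed by a closing quote and an SQL comment marker (an assumption about what the page's quoted username stands for), and shows the password-change query built by string concatenation next to the same query with bound parameters.

```python
import sqlite3

# Constructed sample data: one administrator account plus one ordinary user.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("administrator", "admin-secret"), ("alice", "alice-pw")])
    return con

def register(con, username, password):
    # Registration is written correctly (parameterized), so the crafted username
    # is stored verbatim. This is the harmless first-order step.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_vulnerable(con, session_username, new_password):
    # Vulnerable: the username read back from the database is trusted and pasted
    # into the SQL text, so a stored quote and comment marker become SQL syntax.
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (
        new_password, session_username)
    con.execute(sql)

def change_password_fixed(con, session_username, new_password):
    # Hardened: bound parameters keep the stored username as data, whatever it holds.
    con.execute("UPDATE users SET password = ? WHERE username = ?",
                (new_password, session_username))

def get_password(con, username):
    row = con.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()
    return row[0] if row else None

def run_scenario(change_password):
    """Register the crafted account, then change 'its' password.
    Returns (administrator's password, crafted account's password)."""
    con = make_db()
    crafted = "administrator'-- "   # assumed form of the page's crafted username
    register(con, crafted, "attacker-pw")
    change_password(con, crafted, "pwned")
    return get_password(con, "administrator"), get_password(con, crafted)

if __name__ == "__main__":
    print("concatenated query :", run_scenario(change_password_vulnerable))
    print("parameterized query:", run_scenario(change_password_fixed))
```

With concatenation the WHERE clause ends at the stored quote and the rest is commented out, so the administrator's row is updated; with parameters only the crafted account's own row changes.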