What Is SQL Injection Attack (SQLi) / How SQL Injection Works - SQL Injection - Part 1

Hello Friends,




                                                        Today, We Will Discuss About SQL Injection Attack (also known as SQLi attack). And How SQL injection works.

so, let's start our discuss,


first,

Q 1. What Is SQL Injection Attack?


Ans . SQL injection is one type of vulnerability in web server. In Which, Attacker Can Insert

different type of SQL statements, syntax and commands (also commonly refers to as a malicious

payload.) and can also execute that statements on server.

With This Attack, A Attacker can control a web application's database server or you can say

Relational Database Management System. That's why, this is very dangerous vulnerability,

One Of The Oldest, And Easy To Exploit Vulnerability (Because Many Types Of Injections

Frameworks and scripts are already developed by many hackers and also available on internet , free
- of - cost).

By Using This Vulnerability, Any Attacker Can Do Many Things But Some Of Them Given Below,


  • Get Controls Of Server,
  • Get Access To Database,
  • Bypass Login Authentication Mechanism,
  • Retrieve Sensitive Data From Database,
  • Adding, Modifying and Deleting Contents in database,
  • And Many More Things.




Now, Our Second Question Is


Q 2. How SQL Injections Works?


Ans.

In Order To Insert Malicious SQL Query Statements, an attacker must needs to find an input with

in web application or in html page that is included inside of an SQL query.


For A Successful Attack, an attacker need to insert malicious codes in a input place from where,

vulnerable site takes input directly, and includes them within an SQL statement.

and

After Successful sql injection, an attacker can easily insert a payload that will do attacker work

more easy.

now,

let me show you some practical codes examples

Code 1.


Simple authentications codes.


# Codes Start From Here
#
# Define POST variables
#
# THis Is For Username
uname = request.POST['username']

# This Is For Password
passwd = request.POST['password']

# SQL query vulnerable to SQL Injection attack
sql = SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”

# Execute the SQL statement With SQLi Codes
database.execute(sql)

# Code Ends HEre
#
#

The above example is a vulnerable example.

 because 

an attacker could submit malicious input in such a way 

that 

would alter the SQL statement being executed by the database server.

A simple example of an SQL Injection payload could be something 

as simple as 

setting the password field to password’ OR 1=1.

This would result in the following SQL query being run against the database server.


SELECT id FROM users WHERE username=username AND password=password OR 1=1




Q 3. Tools For SQL Injection Attacks?



Ans.


Friends, Here I Am Sharing Some Tools Name And Download Links But 

Note : I Will Not Take Any Type Of Responsibility Of Any Type Of illegal Activity.




  1. SQLMAP
  1. SQLNINJA
  1. SQLSUS



So, Friends, I think this is Enough For Today,

In My Next Tutorial, You Will See More Deep Details About SQL Injections.


written by ssb

For More Update, Visit Our Regularly. 
And Subscribe Our Blog, 

Follow Us and share it.
For Any Type of Suggestion Or Help
Contact me:
S.S.B
surajsinghbisht054@gmail.com

Share this

Related Posts

Previous
Next Post »

2 comments

Write comments
19 April 2017 at 22:36 delete

It is very important to learn about SQL Injection before making a website because no one wants their websites to be hacked by any hacker. Thank you for sharing the information.

Best Regards,
Crish Watson
Pass Microsoft Certification Without Taking Exam

Reply
avatar