Hello readers,
Today, We Will Discuss About SQL Injection Attack (also known as SQLi attack). And How SQL injection works.
so, let's start our discuss,
first,
Q 1. What Is SQL Injection Attack?
Ans . SQL injection is one type of vulnerability in web server. In Which, Attacker Can Insert
different type of SQL statements, syntax and commands (also commonly refers to as a malicious
payload.) and can also execute that statements on server.
With This Attack, A Attacker can control a web application's database server or you can say
Relational Database Management System. That's why, this is very dangerous vulnerability,
One Of The Oldest, And Easy To Exploit Vulnerability (Because Many Types Of Injections
Frameworks and scripts are already developed by many hackers and also available on internet , free
- of - cost).
By Using This Vulnerability, Any Attacker Can Do Many Things But Some Of Them Given Below,
- Bypass Login Authentication Mechanism,
- Retrieve Sensitive Data From Database,
- Adding, Modifying and Deleting Contents in database,
Now, Our Second Question Is
Q 2. How SQL Injections Works?
Ans.
In Order To Insert Malicious SQL Query Statements, an attacker must needs to find an input with
in web application or in html page that is included inside of an SQL query.
For A Successful Attack, an attacker need to insert malicious codes in a input place from where,
vulnerable site takes input directly, and includes them within an SQL statement.
and
After Successful sql injection, an attacker can easily insert a payload that will do attacker work
more easy.
now,
let me show you some practical codes examples
Code 1.
Simple authentications codes.
# Codes Start From Here
#
# Define POST variables
#
# THis Is For Username
uname = request.POST['username']
# This Is For Password
passwd = request.POST['password']
# SQL query vulnerable to SQL Injection attack
sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”
# Execute the SQL statement With SQLi Codes
database.execute(sql)
# Code Ends HEre
#
#
The above example is a vulnerable example.
because
an attacker could submit malicious input in such a way
that
would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload could be something
as simple as
setting the password field to password’ OR 1=1
.
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username=’username’ AND password=’password’ OR 1=1’
Q 3. Tools For SQL Injection Attacks?
Ans.
readers, Here I Am Sharing Some Tools Name And Download Links But
Note : I Will Not Take Any Type Of Responsibility Of Any Type Of illegal Activity.
- SQLMAP
- SQLNINJA
- SQLSUS
So, readers, I think this is Enough For Today,
In My Next Tutorial, You Will See More Deep Details About SQL Injections.
written by ssb
For More Update, Visit Our Regularly.
And Subscribe Our Blog,
Follow Us and share it.
For Any Type of Suggestion Or Help
Contact me:
Suraj
surajsinghbisht054@gmail.com