sql, sql-injection

Testing if a site is vulnerable to Sql Injection


I was reading about SQL injection and I understand how it works if there is a form where the user can enter his username and log in. What I don't get is how websites without a login page can be vulnerable to SQL injection.

http://thecybersaviours.com/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection

It says to just append a ' or ''=' to test it. I don't understand how this helps to determine whether an error exists. Where is the query being constructed at all?


Solution

  • SQL injection is the attempt to issue SQL commands to a database through a website interface, to gain other information. Namely, this information is stored database information such as usernames and passwords.

    The first rule of securing any script or page that attaches to a database instance is: do not trust user input.

    Your example is attempting to end a misquoted string in an SQL statement. To understand this, you first need to understand SQL statements. In your example of adding a ' to a parameter, your 'injection' is hoping for the following type of statement:

    SELECT username,password FROM users WHERE username='$username'

    By appending a ' to that statement, you could then add additional SQL parameters or queries: ' OR username --

    SELECT username,password FROM users WHERE username='' OR username -- '$username

    That is an injection (one type of it: Query Reshaping). The user input becomes an injected statement inside the pre-written SQL statement.

    Generally there are three types of SQL injection methods:

    • Query Reshaping or redirection (above)
    • Error message based (No such user/password)
    • Blind Injections

    Read up on SQL Injection, How to test for vulnerabilities, understanding and overcoming SQL injection, and this question (and related ones) on StackOverflow about avoiding injections.

    Edit:

    As far as TESTING your site for SQL injection, understand it gets A LOT more complex than just 'append a symbol'. If your site is critical, and you (or your company) can afford it, hire a professional pen tester. Failing that, this great example/proof can show you some common techniques one might use to perform an injection test. There is also SQLMap, which can automate some tests for SQL Injection and database takeover scenarios.
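The string concatenation the answer describes, placed beside its parameterised fix, as an added example that is not part of the original answer. It uses Python's sqlite3 module on a constructed in-memory `users` table; the probe inputs are the page's own `'` and `' or ''='` tests, and the observable difference (a database error or an over-broad result set from the concatenated query, neither from the parameterised one) is exactly what the "append a quote" test relies on.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the answer's `users` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, username):
    # The pattern the answer describes: user input pasted into the SQL text,
    # so a quote in the input closes the string literal early and whatever
    # follows is parsed as SQL.
    sql = "SELECT username,password FROM users WHERE username='%s'" % username
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text,
    # so a quote in the input is only ever compared as data.
    sql = "SELECT username,password FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()

def probe(lookup, conn, username):
    """What a tester observes: ('rows', count) or ('error', exception name).
    A database error caused by a stray quote is the signal the linked
    article's "append a '" test looks for; a silently wider result set is
    the other one."""
    try:
        return ("rows", len(lookup(conn, username)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        for inp in ("alice", "alice'", "alice' or ''='"):
            print(label, repr(inp), probe(fn, db, inp))
```

On the concatenated query, `alice'` breaks the statement and `alice' or ''='` returns every row; the parameterised query returns one row for `alice` and none for either probe, because the quote never reaches the SQL parser as syntax.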