Ethical Hacking and Penetration Testing Guide
Yüklə 22,44 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Detecting SQL Injection
- Determining the Injection Type
|
Detecting SQL Injection
To identify an SQL injection, we would need to test every user input to see if it’s been filtered out right or not. Input parameters such as “GET, POST” are the ones commonly vulnerable to this attack. However, “cookie” values and “http headers” can also be used to conduct SQL injection attacks, where any one of the http headers or cookie values would be inserted in the database and would be displayed at some point of time. If they are not filtering it out correctly, it could result in an SQL injection. To test this, you could insert one of following inputs and hope to break the existing query: Single quote (‘), double quotes (“), or backtick/accent grave (`) In most cases, the single quote would work; however, it doesn’t hurt to test the others. In the case you are entering a single quote, if an error is displayed, there is a good chance that it’s vulnera- ble to an SQL injection. Next, enter another single quote; if no error is displayed, it’s most probably vulnerable to an SQL injection. Similarly, probe the user inputs with double quotes and backtick. Note : This is the case when the application is returning an error. If it doesn’t, it doesn’t always mean that the application is not vulnerable to SQL injection. We will look into this in detail when we discuss blind sql injection attacks. Determining the Injection Type The first step after you have identified an SQL injection attack is to figure out whether your injec- tion type is “integer” or “string.” This is very important since the rest of your queries would depend upon it. 344 ◾ Ethical Hacking and Penetration Testing Guide When dealing with integer-based SQL injection, you don’t need the single quote to be associ- ated with the rest of the query. In the following query, the value of user_id is set to an integer, so we don’t have to use single quote every time we inject our SQL statements. SELECT * FROM users WHERE user_id=1 [SQL Statement] In the case of a string-based sql injection, you would need to append the ‘every time you inject an SQL statement and append --+ (+ denotes a single space character in the URL-encoded form, so DB renders it as “--“ (without quotes) at the end of your query. Take an example of the following statement, where the value of user_id is a string. The injection would look like SELECT * FROM users WHERE user_id='1' ' [SQL Statement] --+ Yüklə 22,44 Mb. Dostları ilə paylaş:
|