SQL INJECTION
Hello guys, welcome again. Today we are learning about a term which you may or may not know, but it is a very well-known term used by many ethical hackers and black hat hackers. The term refers to a process that helps in fetching users' information from the database of a website or a company. The database of a website is like its brain: it stores a huge amount of information, and every piece of information is stored there. So the hacking of a database may result in the total destruction of a website. A database contains very sensitive information like passwords, card details, official documentation, etc., so not only the website suffers but also its customers and whoever else stores data in that particular database.
This attack is performed using a query language called Structured Query Language (SQL). This query language is used to communicate with databases, and the attack consists of queries that carry out the injection. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around the authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can insert new values, update existing values, delete existing values, or even delete the whole table. An SQL Injection vulnerability may affect any website that uses an SQL database such as Oracle or MySQL.
Injection attacks are the oldest, most dangerous, and very effective attacks.
HOW IT IS PERFORMED
Nowadays every website has a login page. That means it also has a database where all the usernames and passwords are stored.
A web page or web application that has an SQL Injection vulnerability uses such user input directly in an SQL query. The attacker can craft the input content. Such content is often called a payload and is the key part of the attack. After the content is sent to the database, the malicious query runs in the database. Many websites use an SQL database, which means a website can be affected by SQL injection. It can have the most dangerous consequences for a website, as its database is compromised.
A normal query looks like:
select * from table_name;
The above query will execute and return all the rows and columns from the mentioned table. It can be narrowed by giving a WHERE condition or clause, for example:
select * from table_name where username='itbugz' and password='itbugz';
But the malicious query looks like:
select * from users where username=' ' or 1=1-- password='itbugz';
The above query is a payload query: it acts as an injection in the database and will retrieve the data from the database.
The injected part of the above query (' or 1=1--) does the main work, as it makes the WHERE condition true. The first single quote marks the end of the username string, meaning the username string is empty. Then we have OR, which means only one condition needs to be true. Then we have the condition 1=1, which is always true because 1 is always equal to 1. And here is the twist: this will retrieve the columns from the database. Then we have the double hyphens --, which comment out everything after them. It means the password check is commented out, because we don't want it to interrupt.
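The same login check written two ways, to show why the query above works and how a parameterized query stops it. This is an added example, not code from the original post; it assumes Python's built-in sqlite3 module, and the function names and the sample account are made up for illustration.

```python
import sqlite3


def make_db():
    """In-memory database holding one constructed sample account."""
    db = sqlite3.connect(":memory:")
    # Plaintext password only to mirror the queries in the post;
    # a real application stores a salted password hash instead.
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('itbugz', 'itbugz')")
    return db


def login_vulnerable(db, username, password):
    # User input is pasted directly into the SQL text, so a single quote
    # in `username` ends the string literal and the rest is parsed as SQL.
    query = ("select * from users where username='" + username +
             "' and password='" + password + "'")
    return db.execute(query).fetchall()


def login_parameterized(db, username, password):
    # Placeholders keep the input as data: the values are bound after the
    # statement is parsed, so quotes and -- are just characters to compare.
    query = "select * from users where username=? and password=?"
    return db.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # the username input discussed in the post

    # Concatenation turns the WHERE clause into: username='' or 1=1
    # and the password check is commented out, so every row comes back.
    print("vulnerable, payload:    ", login_vulnerable(db, payload, "wrong"))

    # With bound parameters no user is literally named "' or 1=1--".
    print("parameterized, payload: ", login_parameterized(db, payload, "wrong"))

    # A legitimate login still works with the parameterized query.
    print("parameterized, real user:", login_parameterized(db, "itbugz", "itbugz"))
```
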
There are many types of SQL injection attacks, which I will demonstrate in upcoming blogs. Till then, stay tuned and STAY SAFE.
What is SQL Injection? Why it is used in hacking | legal or illegal?
Reviewed by Mr.Robot on November 27, 2019