SQL Injection

A SQL Injection attack is one of the most common attacks occurring these days. Like Cross-site Scripting (XSS) and Remote Code Execution attacks, SQL Injection attacks do not require the hacker to gain access to the physical server. The attack is carried out on poorly written code.

To see how this attack works, say we have a login page. The login page has two fields – username and password. On the backend, in the code, there is a SQL query that looks something like this:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

It's important to note that the statement ends with a semi-colon (;) and that the variables for username and password are encased in single quotes. Also, assume that the code grants access to the site when a matching record is found in the database (this is very common). To test this, the attacker types the following into the username field on the web page:

' OR 1=1;

The single quote that the attacker typed in now closes the single quote that was opened in the username = '$username' statement, making it appear as username = '' to the database. So far, no problem, because there's probably not a user with an empty username and password. However, the attacker also typed OR 1=1;. Remember, the semi-colon ends the SQL statement. So what we have now is:

SELECT * FROM users WHERE username = '' OR 1=1;' AND password = '';

Since the semi-colon ends the SQL statement, we actually have two SQL statements. The second one will fail; however, the first one is the only one that the website code will really see. So, we've asked the database to give us all users where the username is empty or 1 = 1. Well, 1 always equals 1, so the condition is true for every row and the code finds its matching record. Guess what? The attacker is now in the system. With some further playing, the attacker is usually able to gain access to administrative accounts, from which they have full control and can possibly gain access to the physical server.
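The login check described above is shown here next to a parameterized version that rejects the same input. This is an added example, not code from the original article. The table layout, the sample account and the function names are assumptions, and SQLite stands in for whatever database the site uses.

```python
import sqlite3

def make_db():
    """In-memory database with one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to mirror the article's query.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def build_query_unsafe(username, password):
    """The article's pattern: user input pasted straight into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "';")

def login_unsafe(db, username, password):
    query = build_query_unsafe(username, password)
    # Assumption: as the article describes, only the text up to the first
    # semicolon is run. sqlite3 refuses multi-statement strings, so the
    # cut is made here to model that behaviour.
    first_statement = query.split(";", 1)[0]
    return db.execute(first_statement).fetchone() is not None

def login_safe(db, username, password):
    """Placeholders keep the input as data; it can never become SQL syntax."""
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1;"  # the input quoted in the article
    print(build_query_unsafe(payload, ""))
    print("unsafe, payload:  ", login_unsafe(db, payload, ""))
    print("safe, payload:    ", login_safe(db, payload, ""))
    print("safe, real user:  ", login_safe(db, "alice", "correct-horse"))
```

With the parameterized query, the quote and semi-colon are compared literally against the username column, so the lookup finds no row and the login is refused.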
