
SQL Interjection Attack

Basic Information:

It is assumed that the reader is familiar with the concept of dynamically
driven websites and specifically with server-side languages that deliver
content from a database. A slight knowledge of SQL and of how databases
interact with the server is helpful. A deep understanding isn't required
for this document.

Test Environment:

Server:

Apache/1.3.22 (Darwin) PHP/4.0.6 mod_ssl/2.8.5 OpenSSL/0.9.6b

Database:

MySQL 3.23.36

Premise:

Dynamically driven websites can be open to attack if they do not validate
the commands they send to their database.

Main:

Many websites populate their pages with dynamic content from a database
and use this to fill in HTML templates. (examples: google.com,
slashdot.org) This is very helpful for search engines and news sites but
can also leave security holes. A webpage will ask a database for certain
content through a server-side program (perl/cgi, php, coldfusion, asp).
It is how this server-side program handles the interaction that can
cause the problem. A website that wants to grab all of the information
from a table (my_table) in a database uses a command similar to "SELECT
* FROM my_table;". This will return all of the records in my_table.
Often sites will store sensitive information about users/customers in
their database in another table (customers) and use a different SQL
command to only get that user's content, "SELECT user_name,
password, e-mail FROM customers WHERE user_name LIKE AND password LIKE ;"
This compares database records against variables taken from an HTML login
form.

The problem appears when a webpage stores the SQL command in a common
variable name ($SQL) and doesn't validate the command before sending it
to the database.

Example:

login.php?user=bob&pass=****    (regular URL)

login.php?user=bob&pass=****&sql=SELECT * FROM customers

The SQL command can be overridden through the URL. This command will cause
the SQL server to select all of the records about all of the customers
and display them on the website, giving you private information about
the users.

login.php?sql=drop%20table%20customers This command will completely drop
the table and force them to restore it from backup; this can be very useful
if you already know a user's old password or the default password.
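The two example URLs above show the symptom; the cause is a script that lets the request supply the SQL text (or pieces of it) and hands it straight to the database. The following Python snippet is an added illustration, not code from the original text or from any site it mentions: it uses an in-memory SQLite table standing in for the "customers" table, with constructed sample rows, and puts a login handler written the way the text warns about next to a fixed one in which the SQL text is a constant in the program and the request only ever supplies bound values. The function names, the `params` dictionary and the sample data are all assumptions made for this example.

```python
import sqlite3

# Constructed sample rows standing in for the "customers" table from the text.
# Names, passwords and addresses are made up for this example.
SAMPLE_CUSTOMERS = [
    ("bob", "hunter2", "bob@example.com"),
    ("alice", "s3cret", "alice@example.com"),
]


def make_db():
    """In-memory SQLite database holding the customers table from the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (user_name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def login_vulnerable(conn, params):
    """The pattern the text describes: the query text itself comes from a
    request variable (the $sql variable in the PHP original) and is executed
    without any validation, so whatever the URL carries is what the database runs."""
    sql = params.get("sql")
    if sql is None:
        # Even without an explicit 'sql' parameter, pasting request values into
        # the query string is the same mistake: a quote character in a value
        # changes the SQL rather than being compared as data.
        sql = (
            "SELECT user_name, password, email FROM customers "
            "WHERE user_name LIKE '%s' AND password LIKE '%s'"
            % (params.get("user", ""), params.get("pass", ""))
        )
    return conn.execute(sql).fetchall()


def login_hardened(conn, params):
    """Fixed version: the SQL text is fixed in the program, the request only
    supplies values, and those values are bound through placeholders so the
    database treats them as data, never as SQL. Any 'sql' parameter in the
    request is simply ignored, and the password column is never returned."""
    user = params.get("user", "")
    password = params.get("pass", "")
    if not user or not password:
        return []
    query = "SELECT user_name, email FROM customers WHERE user_name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal = {"user": "bob", "pass": "hunter2"}
    overloaded = {"user": "bob", "pass": "hunter2", "sql": "SELECT * FROM customers"}
    print("vulnerable, regular URL:   ", login_vulnerable(db, normal))
    print("vulnerable, sql overridden:", login_vulnerable(db, overloaded))
    print("hardened, sql overridden:  ", login_hardened(db, overloaded))
```

The point to take from the hardened handler is that it never assembles SQL from request data at all: the only thing a request can influence is which bound values go into a query the program already decided on, so the extra `sql` parameter from the URL has nothing to override. (Comparing plaintext passwords is kept only because that is what the text's query does; a real site would store and compare a password hash.)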

Conclusion:

This is very fun but also damaging and illegal, although you are simply
asking the webpage for information and it gives out the sensitive
information to you. You can be caught and convicted of being the little
terrorist* you are!

*Thanks to the PATRIOT act for considering geeks the same as terrorists
and silencing scientists with the DMCA, that'll really make us safer.
