What is SQL Injection ?

-
SQL Injection 

 Related image

 SQL Injection is an attack wherein attackers can send malicious SQL queries to target web application/Servers.

 SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi
sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”

# Execute the SQL statement
database.execute(sql)

The above script is a simple example of authenticating a user with a username and a password against a database with a table named users, and a username and password column.
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload could be something as simple as setting the password field to password’ OR 1=1.
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username=’username’ AND password=’passwordOR 1=1

Comments

Post a Comment

Popular posts from this blog

DNS Tunneling Attack - You might know this !

-
Image
  Introduction: In the world of cybersecurity, attackers continuously explore new techniques to bypass network defenses and exfiltrate sensitive information. One such technique gaining prominence is DNS tunneling. DNS tunneling allows attackers to use the DNS protocol as a covert communication channel, exploiting its ubiquitous nature and inherent characteristics. This blog post delves into the concept of DNS tunneling, its working mechanism, potential risks, and methods to mitigate this emerging threat. Understanding DNS Tunneling: DNS (Domain Name System) is the backbone of the internet, responsible for translating domain names into IP addresses. Its primary purpose is to facilitate communication between devices. However, this fundamental protocol can be manipulated to serve as a covert channel for data transmission. DNS tunneling involves encapsulating data within DNS queries and responses, effectively bypassing network security measures that may not scrutinize DNS traffic as c...
Read more

The New LG OLED TV with 4K

-
Image
It doesn't seem too long ago that we were questioning whether OLED TV would really take off, but since then a slew of ultra-thin screens have passed through our testing rooms. Our verdict? OLED TVs were definitely worth the wait. With the rapid evolution of televisions over the past few years, we've seen new technologies from 3D to Smart content to  4K Ultra HD  resolution all become established features. OLED has managed to work its way on to the long list of TV jargon too, with its main selling point being ultra-dark blacks and super-bright whites. The first OLED TVs started to hit the shelves in 2013 but they were few and far between, and expensive . These sets gave us a glimpse at what all the fuss was about, with a revolution in picture quality and slimline design promised - a 4K OLED TV became the holy grail in many AV enthusiasts' minds. But that promise appeared to wane somewhat during 2014. First there was news that Sony and Panasonic ha...
Read more

Protect Your Smartphone's Data, and Avoid Being Hacked

-
Image
The government  hack of an iPhone  used by a San Bernardino killer serves as a reminder that phones and other electronic devices aren't impenetrable vaults. While most people aren't targets of the  NSA , FBI or a foreign government, hackers are looking to steal the financial and personal information of ordinary people. Your phone stores more than just selfies. Your email account on the phone, for instance, is a gateway to resetting banking and other sensitive passwords. Like washing your hands and brushing your teeth, a little "cyber hygiene" can go a long way toward preventing disaster. Lock your phone with a passcode Failing to do so is like leaving your front door unlocked. A four-digit passcode - and an accompanying self-destruct feature that might wipe a phone's data after too many wrong guesses - stumped the FBI for weeks and forced them to bring in outside help. Using six digits makes a passcode 100 times harder to guess. And if you want to m...
Read more