Lets Begin
1. URL based
2. Form based
Major reason for both of them is 'badly architectured parametres'
many say That remove/rename or unlink the database configuration file, ofcourse this will work but this is NOT the solution, as it will halt the functionality of the site, your
Dynamic website will turn into just html pages in seconds, this is anologus to condition like, because of fear of robbery you don't buy anything for yourself too: P
what we will be doing is sanitizing and validating php variables, we have make sure That our critical global arrays like get, post, files, session, cookies etc allow data which we
Want them to store and nothing else, because we can't trust the fact that users will enter expected data. What we mean is suppose you have site script like this:
blabla.com/news.php?id=8
Now what dis means is, in our "news.php" script (in global GET array) we have an array location $_GET[id] which contains the value which is being passed via URL,
In our case it is '8', what usually careless admins do is, pass on the get[] as it is to the database query which is to be executed so that proper content for id=8
Can be extracted from database and thrown on the user screen, SQL query can be like :
$news_query = "SELECT * FROM news WHERE NEWS ='".$_GET['id']."'";
Now if we manipulate the URL and write 'something' in place of 'expected' integer then we may break normal query and can execute our own queries!
by breaking a query i mean, as in the above example we wrote
NEWS ='$_GET[id]'
if instead of expected id we write something like ==> 8'; eval_query; #
now what our new url is ==> blabla.com/news.php?id=8'; eval_query; #
our new query becomes ==> $news_query = "SELECT * FROM news WHERE NEWS ='8'; eval_query; #';
# is used to comment out query part after it, so now as u can see our "eval query" will be executed with normal expected query, eval query can be { DROP TABLE news} which will drop the "news"!
we can prevent this if instead of directly using get[] variable in query we first validate them and then use them, by validating I mean, we make sure that URL variables contains
only that data which we want them to store and nothing else (in this case, we want integers for id values), this depend on the programming of the script, we may sometimes want alphabets(lower case or upper case or both),
numbers, some special characters etc . . . php gives us some function to do the same :
in this case we can use "preg_replace" or maybe 'ereg_replace', i advertise preg_replace cause it has lot more functionality and is faster than ereg :) [you can search php.net if you want details about them]
so here we want only numbers in id fiels so we wil add this line before querying it :
$id = $_GET['id'];
$vald_id = preg_replace('#[^0-9]#i', '', $id);
first line is getting id variable from url via get and storing it in local variable $id, next we are cleaning it using preg_replace, so that it only contains numbers from 0-9 (if anything else is there it will replace it with a blank.space) and nothing else, we will use this cleaned variable
$vald_id in our query.
if we want some(defined) special characters along with alphabets we can write (in place of [^0-9]) :
preg_replace('#[^A-Za-z,.?$@!]#i', '', $id);
Now how to patch panels/forms of sites against sql
suppose there is an admin panel say
blabla.com/admin/
hit [ctrl+u] view source, crawl source and search for [action=], cause every html form will be processin and submitting form elements using php scripts, if its written something like
action="" ==> this means php script is calling itself and its processing is done in same script
if instead there ist written :
action="login.php" [it can also call lol.php dosn't matter :P]
this means all form data goes to login.php processed there and then sent to database. Main culprit is login.php because it is not filtering variables correcty!
go to login.php, it wil be having lines looking like
$username = $_POST['user'];
$pass=$_POST['pass'];
$loginquery = "SELECT * FROM tbl_admin WHERE username ='$username' AND password = '$pass'";
$result = mysql_query($loginquery);
so we need to clean POST array elements before using them in a query
we will use preg_replace as before and we will also use
strip_tags as we don't want any html javascript elements in our form data,
basic syntax is ==> strip_tags($variable)
if you want to allow certain tags like
then we can also do that as ==> strip_tags($var, '')
i intended to make a short tut but i failed :p hope you
About The Author : This Post was written by Saad Abbasi,
Saad Abbasi is Ethical Hacker and Pentester.
Source:Devil's Cafe
Post a Comment
Feel Free To Ask Your Query we Love To Answer