This essay has been submitted by a student.
SELECT queries are used to get information back from a database. Many web applications that serve dynamic content of any kind build pages from the rows returned by SELECT queries. Frequently the manipulable part of the query is the WHERE clause. A query can be modified from within its WHERE clause so that it returns information other than what was intended, by injecting a UNION SELECT. A UNION SELECT allows more than one SELECT query to be returned in a single statement:
SELECT CompanyName FROM Shippers WHERE 1 = 1 UNION ALL SELECT CompanyName FROM Customers WHERE 1 = 1
The record sets from the first and second queries are therefore returned together. The ALL keyword is needed to escape certain types of SELECT DISTINCT statements and does no harm otherwise, so it is sensible to use it all the time. It is important to ensure that the first query, the one the web application's developer intended to execute, returns no records. This can be relatively straightforward. If working against this code:
SQLString = "SELECT FirstName, LastName, Title FROM Employees WHERE City = '" & StrCity & "'"
and using this injection string:
' UNION ALL SELECT OtherField FROM OtherTable WHERE '' = '
the following query will be sent to the database server:
SELECT FirstName, LastName, Title FROM Employees WHERE City = '' UNION ALL SELECT OtherField FROM OtherTable WHERE '' = ''
The database engine then examines the Employees table, searching for rows where City is an empty string. It will not find such a row, so no records come from the legitimate query; the only records returned are those from the injected query. Occasionally an empty string won't work, because empty is itself a legitimate value, because an empty value looks out of the ordinary next to the legitimate ones, or because other table entries use empty values. When a number is expected, a negative number or zero is frequently appropriate. For a text argument use a string such as "No such record", or the ever-popular "wsedfgadef". So long as it returns no records, the bad value does not matter. It would be convenient if all the queries used in applications were as straightforward as the ones above. Sadly, they are not. Depending on the habits of the developer and the intended query, it may be difficult to avoid a syntax error.
Some database servers return the portion of the query containing the syntax error in the error message. In cases like this, portions of the SQL query can be "bullied" out of the server by purposefully creating syntax errors. Depending on the way the query is designed, some strings will return useful information and others won't.
A list of possible attack strings:
Bad value '
' OR '
' OR '
Often, several of these strings will return the same information or none at all, and there can also be instances where only one of them provides helpful information. It is important to try all of them and to be thorough.
Parentheses
If the syntax error contains a parenthesis in the cited string (such as the SQL Server message used below), or a message is received that openly complains about missing parentheses (as Oracle does), add a parenthesis to the bad value section of the injection string and one to the WHERE clause. In some cases two or more parentheses may be needed. Here is the code used in this example:
MySQL = "SELECT LastName, FirstName, Title, Notes, Extension FROM Employees WHERE (City = '" & StrCity & "')"
So, when the value ') UNION SELECT OtherField FROM OtherTable WHERE ('' = ' is injected,
the following query will be sent to the server:
SELECT LastName, FirstName, Title, Notes, Extension FROM Employees WHERE (City = '') UNION SELECT OtherField FROM OtherTable WHERE ('' = '')
LIKE queries
Another common issue is being trapped inside a LIKE clause. Seeing the LIKE keyword or percent signs quoted in an error message is a sign of this. Most search functions use SQL queries with a LIKE clause, such as:
SQLString = "SELECT FirstName, LastName, Title FROM Employees WHERE LastName LIKE '%" & strLastNameSearch & "%'"
The percent signs are wildcards, so here the WHERE clause is true whenever the search term appears anywhere in LastName. To stop the intended query from returning records, the bad value must be something that cannot appear within any value of the LastName field. The string the web application adds to the end of the user input (usually a percent sign and a single quote, and often a parenthesis as well) needs to be mirrored in the WHERE clause of the injection string. Using an empty bad value also makes the LIKE argument "%%", the full wildcard, which returns every row in the table.
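The two situations above (an equality test on City, and a LIKE search on LastName) can be reproduced and checked with a small in-memory database. The following is an added example, not code from the essay; it uses Python's sqlite3 instead of the essay's VB/ASP and SQL Server, the Employees and OtherTable rows are constructed, and the injected select list is padded to three columns so that it matches the legitimate query (the essay's single-column injection would otherwise fail with a column number mismatch). Each vulnerable function is shown beside the parameterised form that closes the hole, and the safe LIKE search also escapes the wildcard characters so that a user-supplied "%" cannot become the full wildcard the text warns about.

```python
import sqlite3

# Constructed sample data standing in for the essay's Employees table and the
# OtherTable that the injected UNION SELECT reads from.
EMPLOYEES = [
    ("Nancy", "Davolio", "Sales Representative", "Seattle"),
    ("Andrew", "Fuller", "Vice President", "Tacoma"),
    ("Janet", "Leverling", "Sales Representative", "Kirkland"),
]
OTHER_ROWS = [("secret-one",), ("secret-two",)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employees (FirstName TEXT, LastName TEXT, Title TEXT, City TEXT)")
    conn.execute("CREATE TABLE OtherTable (OtherField TEXT)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO OtherTable VALUES (?)", OTHER_ROWS)
    conn.commit()
    return conn


def find_by_city_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """String concatenation, as in the essay's SQLString: the input becomes part of the SQL."""
    sql = "SELECT FirstName, LastName, Title FROM Employees WHERE City = '" + city + "'"
    return conn.execute(sql).fetchall()


def find_by_city_safe(conn: sqlite3.Connection, city: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and is never parsed as SQL."""
    sql = "SELECT FirstName, LastName, Title FROM Employees WHERE City = ?"
    return conn.execute(sql, (city,)).fetchall()


def search_lastname_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The essay's LIKE search built by concatenation; an empty term yields the '%%' full wildcard."""
    sql = "SELECT FirstName, LastName, Title FROM Employees WHERE LastName LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_lastname_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised LIKE with the wildcard characters escaped, so '%' and '_' in the
    user's term match literally instead of widening the pattern."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT FirstName, LastName, Title FROM Employees WHERE LastName LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The essay's injection, padded to three columns to match the legitimate SELECT.
    injected = "' UNION ALL SELECT OtherField, 1, 1 FROM OtherTable WHERE '' = '"
    print("vulnerable:", find_by_city_vulnerable(db, injected))   # rows from OtherTable
    print("safe:      ", find_by_city_safe(db, injected))         # no rows
    print("wildcard:  ", len(search_lastname_vulnerable(db, "")))  # every employee
    print("escaped:   ", search_lastname_safe(db, "%"))            # no rows
```

Running the script shows the same input producing OtherTable rows through the concatenated query and nothing through the parameterised one; the LIKE pair shows that parameters alone are not enough for a search box, since a bare "%" still has to be escaped to keep it from matching every row.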
There are times when a query may be impossible to defeat, at least without an enormous amount of effort. Occasionally queries are found that seem to be unbreakable, returning error after error no matter what is tried. This often happens because the input is trapped deep inside the statement: inside a function, within the WHERE clause of a sub-select, as an argument of another function whose output has string manipulations performed on it and is subsequently used in a LIKE clause in a sub-select somewhere else. Not even SQL Server's ";--" can save these cases.
Column number mismatch
Once the syntax error has been worked around, the most difficult part has been accomplished. The subsequent error message may well object to a bad table name. A valid system table name for the database server in use may be selected from the appendix; the server then complains about a difference in the number of fields between the SELECT and the UNION SELECT query. It is necessary to find out how many columns are being requested in the real query.
If this is the code in the web application being attacked:
The legitimate SELECT and the injected UNION SELECT need to have an equal number of columns. Here, they both need three. Not only that, but their column types must also match: if FirstName is a text column, the corresponding injected column must be too. Some servers, such as Oracle, are very strict about this. Others allow any data type that can be implicitly converted to the correct type. In SQL Server, putting numeric data in a varchar's place is fine, since numbers can be implicitly converted to strings. Putting text in a smallint column is, however, illegal because text can't be converted to a number. Numeric types frequently convert to strings easily but not vice versa, so numeric values should be used by default.
To ascertain the number of columns that need matching, keep adding values to the UNION SELECT until the column number mismatch error ceases to display. If a data type mismatch error is shown, the column entered should be changed from a number to a string literal. Occasionally these conversion errors are reported immediately upon submission of an incorrect type of data. On other occasions the conversion message appears only once the correct number of columns has been matched, and the column causing the error must then be determined. When the latter is the case, matching the data types can take a very long time, because the number of possible combinations is raised to the power of the number of columns in the query. Fifty-column SELECTs are not particularly unusual. The page should then appear with the same formatting and structure as a legitimate one; wherever dynamic content is displayed, the results of the injected query will appear.
Sometimes the problem is extra WHERE conditions that are added to the query after the injection string.
The glitch is that the injected query does not have a table in its FROM section containing a column called 'country'. There are a couple of ways of resolving this problem:
Use the ";--" terminator if using SQL Server, or guess the name of the table the problem column is in and add it to the FROM clause, using the attack queries listed in section
Now that the injection is working, it must be decided which tables and fields to retrieve information from. With SQL Server it is simple to obtain all the table and column names in the database; with Oracle and Access this may or may not be possible, depending on account privileges. The key is to gain access to the system tables that hold the table and column names. In SQL Server