Reputation: 21
I see some hack tools can find web pages with SQL injection vulnerability AUTOMATICALLY.
How does it work?
Upvotes: 0
Views: 13288
Reputation: 1651
Usually, one can make an educated guess about the SQL code structure, to allow the injection.
For example, with a vulnerable username/password verification code, it will be in most cases something like:
select count(*) from users where username=@username and password=@password;
so the hacker will attempt to inject something like:
@username=" 'blabla' or 1=1 "
@password=" 'blabla' or 1=1 "
so the result would be that count(*) will be > 0, hence login accepted.
Upvotes: 1
Reputation: 6171
A lot of these tools have lists of parameters that are known to break web pages. They fire these parameters off in multiple requests, inserting the parameters in:
Their tools will usually spider the site to ensure they are hitting as much of the site as possible.
One of the tricky bits is determining when you have found an exploitable web page. In some cases the web server might take longer to return the page, or certain parts of the page might be slightly different. Things to check for:
Having said all that, if you actually have access to the site's source code you can use static analysis techniques to look for vulnerabilities.
Upvotes: 0
Reputation: 36
An easy test can be to just put a single quote in the input field and see if you get a mysql error message back.
If you get something like 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 '
or if you get a php/mysql error (which could probably be programmatically recognized by its formatting or the common error message) then you also know you have an injection vulnerability.
If you just get a generic 'no such username' or a valid empty result set back, then you most likely don't have an injection vulnerability.
Upvotes: 0
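The two mechanisms the answers describe, the count(*) login check bypassed by an or 1=1 style value and the syntax error produced by a stray single quote, can both be seen against a tiny in-memory database. The code below is an added illustration, not code from any of the answers above: it uses a constructed sqlite3 users table, the function names (vulnerable_login, safe_login, probe) are hypothetical, and it puts the string-spliced query next to the parameterized one so the difference in behaviour is visible from a test harness rather than a scanner.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the 'users' table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the first answer describes: user input is spliced straight into
    the SQL text, so the input is parsed as part of the statement.
    Returns True when count(*) > 0, i.e. the login is accepted."""
    sql = (
        "select count(*) from users where username='%s' and password='%s'"
        % (username, password)
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver passes the values to the
    engine separately, so quotes in them are data, never SQL syntax."""
    sql = "select count(*) from users where username=? and password=?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


def probe(login, conn, username, password):
    """Classify what a tester observes for one input pair, the way the third
    answer does: 'accepted', 'rejected', or 'sql_error' when the database
    reports a syntax problem (the unbalanced-quote signal)."""
    try:
        return "accepted" if login(conn, username, password) else "rejected"
    except sqlite3.Error:
        return "sql_error"


if __name__ == "__main__":
    conn = make_db()
    cases = [
        ("alice", "s3cret"),            # legitimate credentials
        ("alice", "wrong"),             # wrong password
        ("' or '1'='1", "' or '1'='1"),  # the or 1=1 style value from the first answer
        ("'", "x"),                     # the lone single quote from the third answer
    ]
    for user, pw in cases:
        print(
            "%-16r vulnerable=%-9s parameterized=%s"
            % (user, probe(vulnerable_login, conn, user, pw),
               probe(safe_login, conn, user, pw))
        )
```

Against the string-spliced query the or 1=1 value is accepted for every row and the lone quote surfaces as a database error, which is exactly the pair of signals the answers say a scanner looks for; the parameterized version returns "rejected" for both, since the same strings are compared as literal usernames. A regression test that asserts the parameterized behaviour for these inputs is a cheap way to keep the vulnerable pattern from creeping back into a login path.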