Reputation: 21
How to check if there's SQL injection vulnerability PROGRAMMATICALLY?
I see some hack tools can find web pages with SQL injection vulnerability AUTOMATICALLY.
How does it work?
Upvotes: 0
Views: 13288
Answers (3)
Reputation: 1651
Usually, one can make an educated guess about the SQL code structure, to allow the injection.
For example, with a vulnerable username/password verification code, it will be in most cases something like:
select count(*) from users where username=@username and password=@password;
so the hacker will attempt to inject something like:
@username=" 'blabla' or 1=1 "
@password=" 'blabla' or 1=1 "
so the result would be that count(*) will be > 0, hence login accepted.
Upvotes: 1
Reputation: 6171
A lot of these tools have lists of parameters that are known to break web pages. They fire these parameters off in multiple requestsm inserting the parameters in:
- form fields
- the GET URL
- HTTP Headers
Their tools will usually spider the site to ensure they are hitting as much of the site as possible.
One of the tricky bits is determining when you have found an exploitable web page. In some cases the web server might take longer to retuen the page, or certain parts of the page might be slightly different. Things to check for:
- HTTP Response Codes (500 server error probably means SQL is invalid)
- Size of returned page
- Time taken for page to return
Having said all that, if you actually have access to the site's source code you can use static analysis techniques to look for vulnerabilites.
Upvotes: 0
Reputation: 36
An easy test can be to just put a single quote in the input field and see if you get a mysql error message back.
If you get something like 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 '
or if you get a php/mysql error (which could probably be programmatically recognized by its formatting or the common error message) then you also know you have an injection vulnerability.
If you just get a generic 'no such username' or a valid empty result set back, then you most likely don't have an injection vulnerability.
Upvotes: 0
Related Questions
- Testing if a site is vulnerable to Sql Injection
- How can I know if my website is vulnerable to SQL Injection?
- Java SQL injection code scanner?
- How to manually attempt SQL injections on my website?
- Test whether or not log-in system is protected against sql injection
- Testing a SQL injection attack
- How to confirm SQL injection
- How to test if SQL injection is blocked?
- How to find sql injection vulnerabilities?
- What are some common SQL injection checks I can use?