SQL injection
===Blind SQL injection===
Blind SQL injection is used when a web application is vulnerable to a SQL injection, but the results of the injected query are not displayed to the attacker. The page with the vulnerability may not be one that displays data, but it will behave differently depending on the truth value of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.<ref>{{cite web|url=http://howto.hackallthethings.com/2016/07/extracting-multiple-bits-per-request.html|title=Extracting Multiple Bits Per Request From Full-blind SQL Injection Vulnerabilities|publisher=Hack All The Things|access-date=July 8, 2016|url-status=dead|archive-url=https://web.archive.org/web/20160708190141/http://howto.hackallthethings.com/2016/07/extracting-multiple-bits-per-request.html|archive-date=July 8, 2016|language=en}}</ref> There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.<ref>{{cite web|url=http://www.justinclarke.com/archives/2006/03/sqlbrute.html|title=Using SQLBrute to brute force data from a blind SQL injection point|publisher=Justin Clarke|access-date=October 18, 2008|url-status=dead|archive-url=https://web.archive.org/web/20080614203711/http://www.justinclarke.com/archives/2006/03/sqlbrute.html<!-- Bot retrieved archive -->|archive-date=June 14, 2008|language=en}}</ref>

====Conditional responses====
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen.
As an example, a book review website uses a [[query string]] to determine which book review to display. So the [[URL]] <code><nowiki>https://books.example.com/review?id=5</nowiki></code> would cause the server to run the query <syntaxhighlight lang="sql">SELECT * FROM bookreviews WHERE ID = '5';</syntaxhighlight> from which it would populate the review page with data from the review with [[Identifier|ID]] 5, stored in the [[Table (database)|table]] bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor the text of the SQL statement itself. The user only sees that the above URL returns a book review.

A [[Security hacker|hacker]] can load the URLs <code><syntaxhighlight lang="sql" inline>https://books.example.com/review?id=5' OR '1'='1</syntaxhighlight></code> and <code><syntaxhighlight lang="sql" inline>https://books.example.com/review?id=5' AND '1'='2</syntaxhighlight></code> (the single quote in the parameter closes the quote the application placed around the value, and the application's own closing quote completes the injected comparison), which may result in the queries
<syntaxhighlight lang="sql">
SELECT * FROM bookreviews WHERE ID = '5' OR '1'='1';
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='2';
</syntaxhighlight>
respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, and that blank or error page is not an explicit rejection produced by the application's own input validation, the site is likely vulnerable to SQL injection: the most plausible explanation is that both injected conditions reached the database and were evaluated as SQL. The hacker may then proceed with a query string designed to reveal the major version number of [[MySQL]] running on the server. Because the application wraps the parameter in single quotes, this payload must also break out of, and then re-balance, the quoting: <code><syntaxhighlight lang="mysql" inline>https://books.example.com/review?id=5' AND SUBSTRING(@@version, 1, INSTR(@@version, '.') - 1)='4</syntaxhighlight></code>, producing <syntaxhighlight lang="mysql">SELECT * FROM bookreviews WHERE ID = '5' AND SUBSTRING(@@version, 1, INSTR(@@version, '.') - 1)='4';</syntaxhighlight> which would show the book review on a server running MySQL 4 and a blank or error page otherwise. Such a guess tests one value per request; comparing the unknown value against a threshold with <code>&gt;</code> instead, and halving the candidate range each time, recovers one bit of the value per request, which is why the technique is described as bit-by-bit extraction.
The hacker can continue to use code within query strings to achieve their goal directly, or to glean more information from the server in hopes of discovering another avenue of attack.<ref>{{cite web|url=http://forum.intern0t.org/web-hacking-war-games/818-blind-sql-injection.html|title=Blind SQL Injection tutorial|author=macd3v|access-date=6 December 2012|url-status=dead|archive-url=https://web.archive.org/web/20121214193021/http://forum.intern0t.org/web-hacking-war-games/818-blind-sql-injection.html|archive-date=December 14, 2012 |language=en}}</ref><ref>{{cite web|title=TDSS botnet: full disclosure |url=http://nobunkum.ru/analytics/en-tdss-botnet|access-date=6 December 2012|author=Andrey Rassokhin|author2=Dmitry Oleksyuk|url-status=dead |archive-url=https://web.archive.org/web/20121209032723/http://nobunkum.ru/analytics/en-tdss-botnet|archive-date=December 9, 2012 |language=en}}</ref>