Friday, August 25, 2006

SQL Injection Attack

Fortunately or unfortunately, I found a serious security bug in one of our applications. It turned out to be the most famous one, the "SQL Injection attack" bug, and it had been sitting there for a while in our PHP applications.

One of the links, supposedly behind a login page, took URL parameters. The URL parameter could be modified to conduct the SQL Injection attack with the following steps:

Step 1 Let's assume the URL is - https://noname.com/result/trick.php?PARAM1=777
Step 2 In the actual PHP code, there was an inline SQL query that was executed to retrieve some values from the database.
Step 3 If the code is not secure enough, we can trick it into executing other statements in the database:
https://noname.com/result/trick.php?PARAM1=777; delete from table1;--

This was the last thing I did before reporting the issue to the developer, and I also gained some praise in the process.

There were other things I could do:

1) Entering a wrong parameter or SQL statement --> a database error was shown by PHP. The error also spewed out the failed SQL statement, revealing information about the database tables.

I am sure there are many ways to prevent the above attacks, but I have listed a few -

  • Secure your code by wrapping the URL parameter in single quotes when preparing the SQL statement (where column1 = '$URLparameter'). PHP will then escape any bad input entered in the URL that contains a single quote (').
  • Change the PHP settings to hide database errors.
  • Encrypt your URL parameters (use any algorithm).
  • The best way of prevention is to use Stored Procedures instead of inline SQL.
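As an added example (not code from the original post), the PHP script below shows the inline query pattern described above beside a hardened lookup that validates the URL parameter as an integer and binds it through a PDO prepared statement, and that logs database errors server-side instead of displaying them. The table name table1 comes from the post; the column names and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not code from the original post: the inline query the post
// describes beside a hardened lookup using a PDO prepared statement.
// Runs offline against an in-memory SQLite database; column names are
// constructed placeholders, table1 is the name used in the post.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, value TEXT)');
$db->exec("INSERT INTO table1 (id, value) VALUES (777, 'ok')");

// The pattern the post found: the URL parameter pasted straight into SQL,
// so PARAM1=777; delete from table1;-- rewrites the statement itself.
function buildVulnerableSql(string $param1): string
{
    return "SELECT value FROM table1 WHERE id = $param1";
}

// Hardened: check the expected type first, then bind the value as data
// so the database never parses it as SQL.
function lookupSafe(PDO $db, string $param1): ?string
{
    if (!ctype_digit($param1)) {
        return null;                      // not a plain integer: reject
    }
    $stmt = $db->prepare('SELECT value FROM table1 WHERE id = :id');
    $stmt->bindValue(':id', (int) $param1, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$hostile = '777; delete from table1;--';  // the post's example input

echo 'vulnerable SQL built: ' . buildVulnerableSql($hostile) . PHP_EOL;
try {
    var_dump(lookupSafe($db, $hostile));  // NULL: rejected, table untouched
    var_dump(lookupSafe($db, '777'));     // string(2) "ok"
    // Confirm the row is still there after the hostile request.
    var_dump($db->query('SELECT COUNT(*) FROM table1')->fetchColumn());
} catch (PDOException $e) {
    // Log the detail server-side and show a generic message, so the error
    // text never reveals the failed SQL or table names (the post's point 1).
    error_log($e->getMessage());
    echo 'Request failed.' . PHP_EOL;
}
```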
