Question

Hi, I have the following query, which is part of a Java class. I just want to know what attacks are possible with SQL injection. How can an attacker inject queries? What are sample queries in this case that could be used to gain access to the database?

    // Vulnerable: the query is built by concatenating raw user input
    String query = "SELECT username, password, admin FROM users "
        + "WHERE username='" + username + "' AND password='" + password + "'";
    ResultSet rs = st.executeQuery(query);
    // An entry in the result set means the query matched and
    // the user is treated as a valid user
    if (rs.next()) {
        username = rs.getString(1);
        isAdmin = rs.getBoolean(3);
    }

I think this is also a possible way of attack: putting the username as abc';# since anything after # will be considered a comment in SQL. What do others think about it?

I want to know what the attacker would enter in the username box and password box of the HTML page to gain access as an administrator, assuming the job of the above Java class is to process the user's input from an HTML page by querying a database.


Solution

Basically it works like this: https://xkcd.com/327/

What I do is assume that everything a user inputs is a threat, so I would save everything to variables like usUsername, where "us" means unsafe. After that I check every "us"-variable for injections, which results in sUsername ("s" means safe). So when I build a query I can only use s-variables and should be safe in most cases.

This idea is totally taken from here: http://www.joelonsoftware.com/articles/Wrong.html

OTHER TIPS

Based on this code you could do ANYTHING you want by manipulating the values of the username or password text sent to the query.

The only constraint is the level of permission of the user account executing the query. If it was a sysadmin, you could delete everything. If it's SQL Server and xp_cmdshell is enabled, you could format the hard drive of the SQL server.

SQL Injection is one of those things where if you can do something you can pretty much do anything.

Look into the Havij tool, that is a security research tool that can demonstrate the power of SQLi.

You cannot do that. username and password can be replaced by anything, leading to all types of queries. You must use a prepared statement to provide username and password.

Entering the following values for password would add a row to the result set containing the values 'admin', 'dummy', 1 for username, password, and admin, respectively:

    ' AND 1=0 UNION SELECT 'admin', 'dummy', admin FROM users WHERE admin = 1 AND '1'='1

The resulting query would look like:

    SELECT username, password, admin FROM users 
    WHERE username='dummy' AND password='' AND 1=0 UNION SELECT 'admin', 'dummy', admin FROM users WHERE admin = 1 AND '1'='1'

The first SELECT returns no result, since 1=0 is false for every record. But the second, injected SELECT returns all records where admin=1 is true, replacing the original values for username and password with 'admin' and 'dummy', respectively.

You should use prepared statements and pass the values as parameters on execution.
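To make the UNION payload from this answer and the prepared-statement fix concrete, here is an added, runnable example that is not part of the original question or answers. It ports the vulnerable Java login to Python with an in-memory SQLite database (the table contents are constructed sample data), runs the payload above against both the concatenated query and a parameterized one, and also tries a comment-based username payload. SQLite uses `--` rather than `#` for end-of-line comments, so the comment payload is written as `admin'--`; the function names and sample rows are this example's own assumptions.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [
    ("admin", "s3cret-admin-pw", 1),
    ("alice", "alice-pw", 0),
]

# Password payload quoted in the answer above: closes the string, kills the
# original WHERE with 1=0, then UNIONs in a fabricated admin row.
UNION_PAYLOAD = ("' AND 1=0 UNION SELECT 'admin', 'dummy', admin "
                 "FROM users WHERE admin = 1 AND '1'='1")

# Username payload: closes the string and comments out the password check.
# SQLite treats "--" as a comment to end of input (MySQL would also accept "#").
COMMENT_PAYLOAD = "admin'--"


def setup_db():
    """Create an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Port of the Java code from the question: user input is concatenated
    into the SQL text, so quotes in the input change the query itself."""
    query = ("SELECT username, password, admin FROM users "
             "WHERE username='" + username + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    if row is None:
        return None
    # Mirrors rs.getString(1) and rs.getBoolean(3) in the original.
    return {"username": row[0], "isAdmin": bool(row[2])}


def login_safe(conn, username, password):
    """Same logic with a parameterized query: the SQL text is fixed and the
    values travel separately, so the payloads are just unmatched strings."""
    query = ("SELECT username, password, admin FROM users "
             "WHERE username=? AND password=?")
    row = conn.execute(query, (username, password)).fetchone()
    if row is None:
        return None
    return {"username": row[0], "isAdmin": bool(row[2])}


def demo():
    """Run a legitimate login and both payloads against both implementations."""
    conn = setup_db()
    return {
        "legit": login_vulnerable(conn, "alice", "alice-pw"),
        "union_vuln": login_vulnerable(conn, "dummy", UNION_PAYLOAD),
        "union_safe": login_safe(conn, "dummy", UNION_PAYLOAD),
        "comment_vuln": login_vulnerable(conn, COMMENT_PAYLOAD, "anything"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it, both payloads log in as admin (isAdmin True) through the concatenated query and return no row through the parameterized one; the only change between the two functions is how the values reach the database.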

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow