Typical username/password validation is done with a SQL query like this:
SELECT COUNT(*) FROM Users WHERE USERNAME = 'InputUsername' AND PASSWORD ='InputPassword'
If the query returns a count greater than zero, the user exists; otherwise there is no user with the given username and password.
Now what happens if the following input is given?
Username: ' OR 1=1 --
password: anyCharacters
Now the query becomes:
SELECT COUNT(*) FROM Users WHERE USERNAME = '' OR 1=1 --' AND PASSWORD ='InputPassword'
This query returns the total number of records in the table, so the validation is bypassed even though no such username and password exist in the table. Note that the attacker never needs a valid password: everything after -- is ignored, so the PASSWORD comparison is never evaluated.
declare @tblVar TABLE ( loginname varchar(20), pwd varchar(20) )
INSERT INTO @tblVar values ('asif','101')
INSERT INTO @tblVar values ('jiju','123')
declare @inputUser AS VARCHAR(20)
declare @inputPwd AS VARCHAR(20)
-- normal check with a valid username and password: returns 1
select COUNT(*) from @tblVar where loginname = 'asif' and pwd = '101'
-- the generic form of the check, with the user input pasted in:
--select COUNT(*) from @tblVar where loginname = 'inputUserName' and pwd = 'inputpwd'
-- with inputUsername: ' or 1=1 --   the pasted-in query becomes the following, which returns 2 (every row)
select COUNT(*) from @tblVar where loginname = ''or 1=1 --' and pwd = 'inputpwd'
That is, the opening quote is closed by the quote in the input username, and what follows it is an OR condition (1=1) that is always true. After that comes the SQL comment marker --, so the rest of the query, including the password check, is skipped.
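The following is an added example, not code from the original post: it reproduces the bypass above against an in-memory SQLite table (constructed here with the same two rows as @tblVar) and puts the vulnerable string-concatenated query next to the fix, a parameterized query in which the driver passes the input as data rather than splicing it into the SQL text. The table name, column names and function names are assumptions for the illustration, and passwords are stored in plaintext only to mirror the page; a real system must store a salted password hash and compare against that.

```python
import sqlite3

# Constructed sample data mirroring the page's @tblVar (assumption: plaintext
# passwords, as in the original example; real systems must store hashes).
SAMPLE_USERS = [("asif", "101"), ("jiju", "123")]

# The same payload the post uses for the username field.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Create an in-memory Users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Login check built by string concatenation, the pattern shown on the page.

    With username = "' OR 1=1 --" the query text becomes
      SELECT COUNT(*) FROM Users WHERE USERNAME = '' OR 1=1 --' AND PASSWORD = '...'
    so the password clause is commented out and every row matches.
    """
    query = ("SELECT COUNT(*) FROM Users WHERE USERNAME = '" + username
             + "' AND PASSWORD = '" + password + "'")
    count = conn.execute(query).fetchone()[0]
    return count > 0


def safe_login(conn, username, password):
    """Same check with a parameterized query: the input is bound as a value,
    so a quote or -- inside it is just characters compared against the column."""
    query = "SELECT COUNT(*) FROM Users WHERE USERNAME = ? AND PASSWORD = ?"
    count = conn.execute(query, (username, password)).fetchone()[0]
    return count > 0


def demo():
    """Run both checks with valid, wrong and injected input and return the results."""
    conn = make_db()
    return {
        "valid_vulnerable": vulnerable_login(conn, "asif", "101"),
        "wrong_vulnerable": vulnerable_login(conn, "asif", "wrong"),
        "injected_vulnerable": vulnerable_login(conn, PAYLOAD, "anyCharacters"),
        "valid_safe": safe_login(conn, "asif", "101"),
        "wrong_safe": safe_login(conn, "asif", "wrong"),
        "injected_safe": safe_login(conn, PAYLOAD, "anyCharacters"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Running it shows injected_vulnerable as accepted (the COUNT is 2, the whole table) while injected_safe is rejected: the parameterized version looks for a user literally named `' OR 1=1 --`, finds none, and returns a count of zero. Parameterization, not input filtering, is the fix; escaping quotes by hand is easy to get wrong and does nothing against injections that do not need a quote.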
1 comment:
We can also give the injecting code so that a hacker need not know the table name: ' or 1=1 ;delete from (select top 1 Name from sys.tables). When we give ';' in SQL it means the next query, so we can do all the havoc our logic says. Happy hacking \m/
Sreerejith