sql injection

Author: angerskon | Published: 2018-06-04 22:01 | Views: 22

https://sechow.com/bricks/docs/login-1.html

About SQL Injection
SQL injection is one of many vulnerabilities that allow attackers to steal data from organizations, and it is perhaps one of the most common application-layer attack techniques in use today. When a web application is coded improperly, an attacker can inject their own text into its SQL commands. Through those commands the attacker can steal your data, modify your details, or delete your data permanently.

In simple terms, SQL injection is a technique in which a malicious user injects SQL commands into an SQL statement via web page input, and this input can break the security of the web application.

Now let's look at how SQL injection can be done in ASP.NET websites.

Let's take an example. Suppose you have a Login table in your database, as follows:

```sql
Create table Login
(
    id int primary key,
    Name varchar(50),
    Email varchar(50),
    Password varchar(50)
)
```

[Screenshot: the resulting Login table; image not available]

This table holds some data, inserted as follows:

```sql
Insert into Login values(1, 'Sourabh Somani', 'sourabh_somani2010@hotmail.com', 'password');
Insert into Login values(2, 'Shaili Dashora', 'dashorashaili17@gmail.com', 'password');
Insert into Login values(3, 'Divya Sharma', 'sharma.divya485@gmail.com', 'password');
Insert into Login values(4, 'Swati Soni', 'swati_soni@gmail.com', 'password');
```

[Screenshot: the rows of the table after the inserts; image not available]

Now I create a login page with a Login control, using the following code.

```aspx
<asp:login id="Login1" runat="server" onauthenticate="Login1_Authenticate" width="331px"
    backcolor="#F7F6F3" bordercolor="#E6E2D8" borderpadding="4" borderstyle="Solid"
    borderwidth="1px" font-names="Verdana" font-size="0.8em" forecolor="#333333"
    height="139px">
    <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
    <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284775" />
    <TextBoxStyle Font-Size="0.8em" />
    <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="0.9em" ForeColor="White" />
</asp:login>
```

[Screenshot: the rendered Login control; image not available]

Now double-click on the Login control and generate a Login1_Authenticate event handler.

```csharp
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
}
```

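Now suppose you write the handler like this:

```csharp
// Requires: using System.Data; using System.Data.SqlClient;
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=.\sqlexpress;Initial Catalog=MyDb;Integrated Security=True");

    // VULNERABLE: user input is concatenated directly into the SQL text.
    string qry = "select * from MyTable where Email='" + Login1.UserName + "'and Password='" + Login1.Password + "' ";

    SqlDataAdapter adpt = new SqlDataAdapter(qry, con);
    DataTable dt = new DataTable();
    adpt.Fill(dt);   // Fill opens and closes the connection itself

    // Any returned row counts as a successful login.
    if (dt.Rows.Count >= 1)
    {
        Response.Redirect("index.aspx");
    }
}
```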

Here index.aspx is another page that will be shown after login.

Now press F5 to run this project. At run time we will see how SQL injection can be done.

[Screenshot: the login page after running the project; image not available]

SQL Injection when an attacker doesn't know the username: If the attacker doesn't know what the username is, they simply use the "1=1" concept, as in the following example.

[Screenshot: the login form with the injected text in the username TextBox; image not available]

Now if we look at our SQL query, it was:

```csharp
string qry="select * from MyTable where Email='"+Login1.UserName+"'and Password='"+Login1.Password+"' ";
```

Notice that what we entered as the username in the TextBox of the login control is ' or 1=1--, so after pressing the Log In button the query will look like:

```sql
select * from MyTable where Email='' or 1=1--'and Password=''
```

Here 1=1 is always true, so the WHERE clause matches every row, and -- starts a comment, so the rest of the statement (the password check) is ignored.

SQL Injection when the attacker does know the username: If the attacker knows the username, they do not need the 1=1 rule at all. They simply write username + ' in the TextBox and comment out everything following it, as shown here.

[Screenshot: the login form with the username followed by '-- in the TextBox; image not available]

So now, depending on the username, our query will look like this:

```sql
select * from MyTable where Email='sourabh_somani2010@hotmail.com'--'and Password=''
```

Here the -- after the closing quote comments out the password condition, so only the email has to match.

How SQL Injection can be dangerous: Suppose an attacker knows something about the database; then they can also modify it. For example, suppose the attacker knows the name of the table. They can then also run insert, delete, update, alter and similar commands through the injected SQL.

For this see the following example.

Example: My table name is **MyTable**, and if I want to delete data from the table then my query will be "Delete from MyTable".

How to apply this query in a TextBox:

[Screenshot: the query entered in the username TextBox; image not available]

With the username input above, the query will look like the following.

```sql
select * from MyTable where Email='' Delete from MyTable --'and Password=''
```

Here the ' closes the Email string, Delete from MyTable runs as a second statement, and -- comments out the rest.

To check whether the data was deleted from the database, go to SQL Express and select all the data using a selection query, as in the following:

[Screenshot: the selection query returning no rows; image not available]

This was all about SQL Injection.
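
The concatenated query in Login1_Authenticate is what makes every input above work; keeping the SQL text constant and passing the two inputs as parameters removes it. The following is an added example, not code from the original article: the class name LoginPage and the helper CredentialsMatch are hypothetical, and it assumes the article's connection string and the Email and Password columns of MyTable.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page   // hypothetical code-behind class name
{
    // Connection string as given in the article.
    private const string ConnStr =
        @"Data Source=.\sqlexpress;Initial Catalog=MyDb;Integrated Security=True";

    // Returns true only when a row matches both values exactly.
    // The SQL text is a constant; user input travels separately as typed
    // parameters, so quotes, "--" or a second statement are compared as
    // literal characters and never parsed as SQL.
    private static bool CredentialsMatch(string email, string password)
    {
        // The columns are varchar(50). A longer value would be truncated to
        // the parameter size below, so reject it instead of letting it match.
        if (string.IsNullOrEmpty(email) || email.Length > 50 ||
            password == null || password.Length > 50)
            return false;

        // The article's table stores passwords in plain text; this example
        // keeps that schema and changes only how the query is built.
        const string sql =
            "SELECT COUNT(*) FROM MyTable WHERE Email = @email AND Password = @password";

        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@email", SqlDbType.VarChar, 50).Value = email;
            cmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password;
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // With the article's inputs (' or 1=1-- and a known email followed by '--)
        // no row has that text as its Email, so COUNT(*) is 0 and login is refused.
        e.Authenticated = CredentialsMatch(Login1.UserName, Login1.Password);
        if (e.Authenticated)
            Response.Redirect("index.aspx");
    }
}
```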

Note: Inside the Index.aspx page I have just written the following code:

```aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Index.aspx.cs" Inherits="Index" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
    <center>
        <h1>
            HELLO
            <br />
            C# CORNER
        </h1>
    </center>
</div>
</form>
</body>
</html>
```

Output of the Index Page
