How to check if there's SQL injection vulnerability PROGRAMMATICALLY?_问答_开发者

How to check if there's SQL injection vulnerability PROGRAMMATICALLY?

开发者 https://www.devze.com 2023-02-09 08:36 出处：网络

I see some hack tools can find web pages with SQL injection vulnerability AUTOMATICA开发者_开发百科LLY.

How does it work?

Usually, one can make an educated guess about the SQL code structure, to allow the injection.

For example, with a vulnerable username/password verification code, it will be in most cases something like:

select count(*) from users where username=@username and password=@password;

so the hacker will attempt to inject something like:

@username=" 'blabla' or 1=1  "
@password=" 'blabla' or 1=1  "

so the result would be that count(*) will be > 0, hence login accepted.

An easy test can be to just put a single quote in the input field and see if you get a mysql error message back.

If you get something like 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 '

or if you get a php/mysql error (which could probably be programmatically recognized by its formatting or the common error message) then you also know you have an injection vulnerability.

If you just get a generic 'no such username' or a valid empty result set back, then you most likely don't have an injection vulnerability.

A lot of these tools have lists of parameters that are known to break web pages. They fire these parameters off in multiple requestsm inserting the parameters in:

form fields
the GET URL
HTTP Headers

Their tools will usually spider the site to ensure they are hitting as much of the site as possible.

One of the tricky bits is determining when you have found an exploitable web page. In some cases the web server might take longer to retuen the page, or certain parts of the page might be slightly different. Things to check for: