-->

  • How SQL Query works in database and how to hack database


    How SQL Query works in database and how to hack database


    SQL Injection


    SQL injection attacks uses SQL websites or web applications. It relies on the strategic injection of malicious code or script into existing queries. This malicious code is drafted with the intention of revealing or manipulating data that is stored in the tables within the database. SQL injection

    SQL Injection is a powerful and dangerous attack. It identifies the flaws and vulnerabilities in a website or application. The fundamental concept of SQL injection is to impact commands to reveal sensitive information from the database. Hence, it can result to a high profile attack. How SQL Query works in database and how to hack database


    Attack Surface of SQL Injection


    Bypassing the authentication
    Revealing Sensitive Information
    Compromised Data Integrity
    Erasing The Database
    Remote Code Execution




    https://www.youtube.com/channel/UCa2s3RmE4B-hRsgKSjJLx_w



    How SQL Query Works ?

    Injection of SQL query will be executed on the server and replied by the response. For example, following SQL Query is requester to the server.



    • SELECT  *  FROM  [ Orders ]
    • SELECT column1, column2, ....  FROM table_name;


    These commands will reveal all information stored in the databse "Oredrs" table. If an organization maintains records of their orders into a database, all information kept in this database table will be extracted by the command.


    Learn and understand CEH from scratch. A complete beginner's guide to learn CEH.

    Try it :- It's a Free 





    Otherwise let's understand with another Example



    In the following example, an attacker with the username link inserts their name after the = sign following the WHERE owner, which used to include the string 'name'; DELETE FROM items; -- for itemName , into an existing SQL command, and the query becomes the following two queries:



    • SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; DELETE FROM items;--






    Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary
    commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.



    If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE   'a' = 'a' ,   the following three valid statements will be created:





    • SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; 

    • DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';



    A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.


    Database





    SQL Delete Query

    The DELETE statement is used to delete existing records in a table. To understand, consider a table "Customers" in a database. The following information is the table "Customers" is containing.






    Execution of  "delete" command will eraase the record.


    • DELETE FROM Customers WHERE CustomerName='Alfreds Futterkiste';


    Now the database table will be like this :-






    There are lots of SQL query commands that can be used. Above are some of the most common and effective commands that are being used for injection.
    for example :-


    • UPDATE Customers SET ContactName = 'KumarAtulJaiswal', city= 'Delhi' WHERE CustomerID = 56;
    • INSERT INTO Customers (column1, column2, column3, ...)
      VALUES (value1, value2, value3, ...); 

    • Customers is a Table Name.


    SQL Injection Tools

    There are several tools available for SQL injection such as :-

    • BSQL Hacker
    • Marathon Tool
    • SQL Power Injecto
    • Havij


     Server Side Technologies

    Server-side technologies come in many varieties and types, each of which offers
    something specific to the user. Generally, each of the technologies allows the creation of dynamic and data-driven web applications. You can use a wide range of server-side technologies to create these types of web applications; among them are the following:

    • ASP
    • ASP.NET
    • Oracle
    • PHP
    • JSP
    • SQL Server
    • IBM DB2
    • MySQL
    • Ruby on Rails

    All of these technologies are powerful and offer the ability to generate web applications that are extremely versatile. Each also has vulnerabilities that can lead to it being compromised, but this chapter is not about those.



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)




    • 2 comments:

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.