Tools for checking SQL Injection Vulnerability
Have a new client with a SQL DB application from a vendor and app I'm not familiar with. The application has a web interface and my client would like it internet accessible for his staff to use. Right now it's LAN-side only.
Before I do that I wanted to check the server security settings. I have some tools that look for web vulnerabilities and general server security, but I also wanted to explicitly check this for SQL injection vulnerability. Was hoping there were some tools that can be used to do this.
Can anyone point me in the right direction?
There are a number of ways of testing an application for vulnerabilities such as SQL Injection. The tests break down into three different methodologies:
Blind Injection:
MySQL example:
http://localhost/test.php?id=sleep(30)
If this SQL statement is interpreted by the database then it will take 30 seconds for the page to load.
Error Messages:
http://localhost/test.php?id='"
If error reporting is enabled and this request is vulnerable to SQL injection then the following error will be produced:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' at line 5
Tautology Based Injection:
http://localhost/test.php?username=' or 1=1 /*&password=1
In this case supplying a tautology, or a statement that is always true, provides a predictable result. In this case the predictable result would be logging in the attacker as the first user in the database, which is commonly the administrator.
There are tools that automate the use of the methods above to detect SQL Injection in a web application. There are free and open source tools such as Wapiti and Skipfish that do this. Sitewatch provides a free service that is a lot better than these open source tools. I can say that because I am a developer for Sitewatch.
It's best not to test your site for SQL injection. It's best to just avoid the potential SQL injection. Never form SQL queries by doing string processing yourself when there's user input. Use bound parameters in all queries (also sanitize all user data if it could be used in any harmful way, and put sensible limits on queries). That is, the query sql_execute("select user from user_db where id="+input_id) is unsafe (imagine if input_id = "1 OR 1==1 --"), but stored_procedure = "select user from user_db where id = ? LIMIT 1;", sql_execute_with_param(stored_procedure, input_id); is safe.
Obviously, this is only if you are trying to make your own site safe. If you are trying to find flaws in other applications it's another story, and potentially against the FAQ, which states this site is not for black hats. But OWASP has a very good article on testing for SQL injection.
SQL injection is the attempt to issue SQL commands to a database through a website interface, to gain other information. Namely, this information is stored database information such as usernames and passwords.
First rule of securing any script or page that attaches to a database instance is Do not trust user input.
Your example is attempting to end a misquoted string in an SQL statement. To understand this, you first need to understand SQL statements. In your example of adding a ' to a parameter, your 'injection' is hoping for the following type of statement:
SELECT username,password FROM users WHERE username='$username'
By appending a ' to that statement, you could then add additional SQL parameters or queries: ' OR username --
SELECT username,password FROM users WHERE username='' OR username -- '$username
That is one type of injection (Query Reshaping). The user input becomes an injected statement inside the pre-written SQL statement.
Generally there are three types of SQL injection methods:
- Query Reshaping or redirection (above)
- Error message based (No such user/password)
- Blind Injections
Read up on SQL Injection, How to test for vulnerabilities, understanding and overcoming SQL injection, and this question (and related ones) on StackOverflow about avoiding injections.
Edit:
As far as TESTING your site for SQL injection, understand it gets A LOT more complex than just 'append a symbol'. If your site is critical, and you (or your company) can afford it, hire a professional pen tester. Failing that, this great example/proof can show you some common techniques one might use to perform an injection test. There is also SQLMap which can automate some tests for SQL Injection and database take over scenarios.
SQL Injection can be done on any input the user can influence that isn't properly escaped before used in a query.
One example would be a get variable like this:
http://www.example.com/user.php?userid=5
Now, if the accompanying PHP code goes something like this:
$query = "SELECT username, password FROM users WHERE userid=" . $_GET['userid'];
// ...
You can easily use SQL injection here too:
http://www.example.com/user.php?userid=5 AND 1=2 UNION SELECT password,username FROM users WHERE usertype='admin'
(of course, the spaces will have to be replaced by %20, but this is more readable. Additionally, this is just an example making some more assumptions, but the idea should be clear.)
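The following is an added example, not code from any of the answers above: it builds a constructed in-memory SQLite users table, runs the tautology from the first answer (' or 1=1 /*) and the UNION payload from the last answer against a string-concatenated query, and then against the bound-parameter form the second answer recommends, so you can see on your own box why only the concatenated version breaks. The table layout and the sample rows are assumptions made for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: the users table the answers above refer to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, "
                 "password TEXT, usertype TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "admin", "s3cr3t", "admin"),
                      (5, "alice", "wonderland", "user")])
    return conn


def login_vulnerable(conn, username, password):
    # Input is spliced into the statement text, so the database parses it as SQL.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters travel separately from the statement text; they are
    # only ever compared as values, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def user_vulnerable(conn, userid):
    # Same flaw as the $_GET['userid'] concatenation in the last answer.
    sql = "SELECT username, password FROM users WHERE userid=" + userid
    return conn.execute(sql).fetchone()


def user_safe(conn, userid):
    # The whole string is bound as one value; a legitimate "5" still matches.
    sql = "SELECT username, password FROM users WHERE userid=?"
    return conn.execute(sql, (userid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Tautology from the first answer: the /* comment swallows the password check.
    print(login_vulnerable(db, "' or 1=1 /*", "1"))   # admin
    print(login_safe(db, "' or 1=1 /*", "1"))         # None
    probe = ("5 AND 1=2 UNION SELECT password,username FROM users "
             "WHERE usertype='admin'")
    print(user_vulnerable(db, probe))                  # ('s3cr3t', 'admin')
    print(user_safe(db, probe))                        # None
```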