Finding SQL injection points

Source: Internet
Author: User
Tags: sql injection attack

To carry out a SQL injection attack on a Web site, you first need to find the place where a SQL injection vulnerability exists, that is, the so-called injection point. Possible SQL injection points typically exist where users can look up or modify data, such as login pages, search pages, or add pages.

The most common way to find a SQL injection point is to look on the Web site for links to pages of the following form: http://www.xxx.com/xxx.asp?id=YY

Here "YY" may be a number or a string, called integer-type data and character-type data respectively. This chapter mainly explains SQL injection for integer data.

You can usually use the following two methods to determine whether the page link has a SQL injection vulnerability.

Tools/Materials

    • SQL Injection Vulnerability

Steps/Methods

    1. The "quote" method

Add a single quotation mark after the page link address in the browser address bar, as follows:

http://www.xxx.com/xxx.asp?id=YY'

Then visit the link address and the browser may return an error message similar to the following:

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression 'id=YY'.

/xxx.asp, line 8

If the page returns an error message like this (as shown in Figure 1.3), the Web site may be vulnerable to a SQL injection attack.

    2. The "1=1 and 1=2" method

The "quote" method is simple and direct, but programmers who have some understanding of SQL injection filter out single quotes when they write their programs. In that case the single-quote test can no longer detect the injection point, and the classic "1=1 and 1=2" method can be used for testing instead.

If the normal page link address is http://www.xxx.com/xxx.asp?id=YY, enter the following two link addresses in the browser separately and look at the results they return.

    • http://www.xxx.com/xxx.asp?id=YY and 1=1

    • http://www.xxx.com/xxx.asp?id=YY and 1=2

If there is an injection point, the browser shows the following for the two links, respectively:

    • A normal display, with content basically the same as the normal page.

    • A BOF or EOF prompt (when the program makes no checks), a message that the record cannot be found, or empty content (when the program uses On Error Resume Next), as shown in Figure 1.4.

If there is no injection point, that is also easy to judge: both links generally return a program-defined error prompt, or a type-conversion error.
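
Added example (not part of the original page): why the test values from the two methods above behave as described when the id value is concatenated into the query, and how validating and binding the value removes the injection point. SQLite stands in for the site's database, and the table, data and function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the site's database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "First post"), (2, "Second post")])
    return db

def lookup_vulnerable(db, raw_id):
    # The "before": the id value is pasted into the SQL text, so anything
    # after the number is parsed as part of the query.
    sql = "SELECT title FROM articles WHERE id=" + raw_id
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Matches the database error page that the quote test provokes.
        return ("db-error", str(exc))

def lookup_hardened(db, raw_id):
    # The fix: accept only a short run of ASCII digits, then bind the value
    # as a parameter so it can never change the structure of the query.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return ("rejected", None)
    sql = "SELECT title FROM articles WHERE id=?"
    return ("rows", db.execute(sql, (int(raw_id),)).fetchall())

# The values of id that the two methods above send, plus the normal one.
TEST_VALUES = ["1", "1'", "1 and 1=1", "1 and 1=2"]

def compare(db):
    # Map each test value to (vulnerable result, hardened result).
    return {v: (lookup_vulnerable(db, v), lookup_hardened(db, v))
            for v in TEST_VALUES}

if __name__ == "__main__":
    for value, (before, after) in compare(make_db()).items():
        print(f"id={value!r:14} vulnerable={before} hardened={after}")
```

With the hardened lookup, the quote, "and 1=1" and "and 1=2" values all get the same program-defined rejection, which is the "no injection point" behaviour described above.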


Precautions

    • Possible SQL injection points typically exist in places where users can look up or modify data, such as login pages, search pages, or add pages.
