Saturday, 1 June 2019


SQL INJECTION

Basics of SQL Injection:-

SQL injection is a code injection technique. It is used to attack data-driven applications: SQL statements are inserted into an entry field. SQL injection exploits a security vulnerability in an application's software. It is usually known as an attack vector for websites but can be used to attack any type of SQL database. The basic idea is to bypass the server level in the web application so as to gain access to the back end.

How a web application works:-

A web application is an application stored on a server, most often remotely, and delivered to the user through the Internet using a browser interface.
Web applications follow a three-layer (three-tier) model. The first tier is on the user's side and has a basic browser. The second tier contains a dynamic content generation tool, which could be Java, Active Server Pages or PHP. Tier three is where the data is stored and has back-end database software.
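
The three tiers are where SQL injection plays out: tier two builds a SQL statement from what the browser sent, and tier three executes it. The following is an added example, not code from the original post, using Python's sqlite3 as a stand-in database; the custmast table and its columns are borrowed from the Cold Fusion sample later in this post, while the function names, rows and requests are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Tier 3: in-memory stand-in for the back-end database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE custmast (Customer_No TEXT, name TEXT, Street TEXT)")
    db.executemany("INSERT INTO custmast VALUES (?, ?, ?)", [
        ("1001", "Alice", "1 Oak St"),
        ("1002", "Bob", "2 Elm St"),
        ("1003", "O'Brien", "3 Pine St"),
    ])
    return db

def field(query_string):
    """Tier 2 input: the 'name' entry field as sent by the browser (tier 1)."""
    return parse_qs(query_string).get("name", [""])[0]

def lookup_concat(db, query_string):
    """Vulnerable: the field value is pasted into the SQL text itself."""
    sql = ("SELECT Customer_No, name, Street FROM custmast "
           "WHERE name = '" + field(query_string) + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, query_string):
    """Hardened: the SQL text is fixed; the value is passed as a bound parameter."""
    sql = "SELECT Customer_No, name, Street FROM custmast WHERE name = ?"
    return db.execute(sql, (field(query_string),)).fetchall()

def outcome(fn, db, query_string):
    """Row count, or 'sql error' when the database rejects the statement."""
    try:
        return len(fn(db, query_string))
    except sqlite3.Error:
        return "sql error"

# Constructed requests (not from the original post).
NORMAL = "name=Bob"
APOSTROPHE = "name=O%27Brien"                # legitimate value containing a quote
CRAFTED = "name=x%27+OR+%271%27%3D%271"      # decodes to: x' OR '1'='1

if __name__ == "__main__":
    db = make_db()
    for label, qs in (("normal", NORMAL), ("apostrophe", APOSTROPHE), ("crafted", CRAFTED)):
        print(f"{label:10} concat={outcome(lookup_concat, db, qs)!s:9} "
              f"bound={outcome(lookup_bound, db, qs)}")
```

The apostrophe case is the one to watch for in testing and in logs: a legitimate value that produces a SQL error means the statement text is being assembled from input.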

Introduction to Server-side Technologies:-

Server-side scripting refers to the dynamic generation of Web pages served up by the Web server, as opposed to "static" web pages in the server storage that are served up to the Web browser. In other words, some part of the content sent in response to an HTTP request is determined on the fly by a program that executes on the server after the HTTP request has been received and generates content as a result of the execution.

Detailed purpose and major uses of server-side scripting:-

1.         Insertion of continuously changing content into a web page, for example weather or stock quotes. Additionally, any arbitrary logic can be used to decide whether certain content will be shown or not. This purpose and (10) below are the primary purposes of server-side scripting.
2.         Authentication, authorization and session tracking - although simple authentication and authorization is supported by most Web servers, anything more than "Basic" HTTP authentication and ACLs (access control lists) over static resources requires server-side programs. Similarly, handling cookies and keeping information about the session and/or the user is best handled by server-side scripting.
3.         Template-driven page generation. Including repeated content like headers/footers and navigation menus around the "content area" of a web page.
4.         Personalization and customization of content based on the authentication and authorization defined above in (2). This also includes the serving of content based on the content of the page (e.g. advertisements) or the browsing behaviour of the user.
5.         Dynamic image generation, e.g. page counters, human-readable characters for security, maps, overlays etc.
6.         Dynamic generation of CSS and JavaScript.
7.         Generating and reading HTTP headers. Although web servers provide simple capabilities, server-side scripting can best generate cache control and other complex headers.
8.         Handling POST form input - accepting the input of a form and writing it to storage (file system, database, session etc.). This also includes business transaction commitment control (ALL or NONE) and input error handling.
9.         Device mapping - generating different types of content (HTML, XML, WML) based on the user agent that sent the HTTP request.
10.       Retrieval of data in response to query string parameters and insertion into a web page. This is perhaps the most common purpose of using scripting in generating content as part of a GET request, e.g. sports statistics, staff lists, downloadable file lists etc. The data can be retrieved from a database, file system or other forms of storage.
11.       Communication with other programs, libraries and APIs - e.g. sending email, handling message queues, LDAP etc.
12.       Re-use of persistent business objects. HTTP is stateless, but the setup and tear-down of business objects has a high overhead in terms of time and server resources. Server-side scripting allows us to interact with such re-usable business objects, e.g. application servers, EJBs, .NET services and Web services.

Popular server-side scripting languages - and examples

Before we look at popular server-side scripting languages, we will divide them into three groups based on how the scripting programs:
1.         Older, standards-based scripting languages - these include SSI (server-side includes) and CGI (common gateway interface) and were defined in the original NCSA standards for web servers.
2.         In-process scripting languages like PHP, ASP and Perl (sometimes).
3.         Out-of-process scripting languages like JSP and servlets (Java) and XSLT.
Another classification is based on whether a language is page-driven or script-driven. A page-driven language is an HTML page with embedded special tags (SSI and all the *SP languages), while script-driven languages are Perl and servlets. Scripts in script-driven languages can produce multiple "pages" and need to output the entire HTML using system functions.
Page-driven scripts are embedded into an HTML page only where dynamic content is required; however, they can also be used to generate the entire content, e.g. images, XML, headers etc. These usually run in-process and use the filesystem namespace of the web server.

SSI (Server Side Includes)

These are extended comment tags inserted into a static HTML page to include other pages (templates) and variables, and also to execute external programs and include them in the output. Any static HTML file defined with a special extension (usually ".shtml") forces a properly configured Web server to parse the file before sending and replace the special tags with the appropriate content. This is perhaps the simplest model of server-side scripting but, surprisingly, it is the basic mechanism of server-side scripting.

CGI (Common Gateway Interface)

This is a mechanism that instructs a properly configured Web server to execute a particular file and send the output of the execution instead of sending the file "as-is" to the client. Any program (shell scripts, DOS batch files, C programs, Perl) can be executed through this mechanism. Information about the request, the query string and any form parameters are sent as environment variables to the executed program. Any output by the executed program is sent directly back to the browser. It should be noted that the program is responsible for generating all headers. The most commonly used language for CGI was Perl, because of its powerful text handling capabilities.
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $q = CGI->new;
my $override = 1;    # show the default text rather than a re-submitted value

# report a malformed request and stop
if ($q->cgi_error) {
  print "Content-type: text/plain\n\n";
  print "There was an error in your request!\n";
  print "Error is: ", $q->cgi_error, "\n";
  exit(1);
}

# print HTML headers
print $q->header, "\n";
print $q->start_html(-title => 'Your information request', -bgcolor => '#98B8D8'), "\n";
print $q->h1('Your information request'), "\n";

# print the HTML form
print $q->start_form(-method => 'POST'), "\n";
print "What's your name? ", "\n";
print $q->textfield(-name => 'yourname',
                    -default => 'Your name here',
                    -override => $override), "\n";
print $q->submit, "\n";
print $q->end_form, "\n";
print $q->end_html, "\n";

PERL

This is an interpreted language characterized by its intuitive text handling, loose type checking, associative arrays, convenient loop constructs and simple file and environment handling. It was the most popular server-side scripting language for many years and it supports a modular extension system. A Perl script can be executed through the Perl interpreter from the CGI interface (see above) or through a Web server extension that embeds the Perl interpreter in the Web server processes (in-process). For an example, see CGI above. Its main drawback is that it pre-dates the Web and it is hard to lay out HTML in the code.

PHP (Hypertext Processor)

I like to describe this as a cross between Perl, C++ and SSI. This language was developed specifically for Web server-side scripting and its utility has made it one of the most popular server-side scripting languages. In contrast to Perl, it is embedded into a fully laid-out HTML page and gives complete control over the HTTP request, response, cookie and session. It contains more robust type checking (if required) and can be programmed in an object-oriented way. It is most commonly executed in-process and its biggest drawback is the lack of memory persistence of business objects. Pages identified by specific extensions (usually .phtml, .php, .php3) are parsed by the Web server and passed on to the PHP module, which passes the content back to the Web server. It follows the same directory structure as static HTML pages and images and is therefore easy to program and maintain. It has an extensive library and API system, and some third-party vendors (Zend etc.) offer accelerators for PHP that show considerable performance improvement for complex applications.
<?php
$title = "Sample PHP Script";
$greeting = "Welcome to Sample PHP Script";
?>
<html>
  <head>
    <title><?php echo($title) ?></title>
  </head>
  <body>
    <h1><?php echo($title) ?></h1>
    <p><?php echo($greeting) ?></p>
  </body>
</html>

ASP (active server pages)

This is the Microsoft page-driven solution. It only runs on IIS (Internet Information Server), although third-party implementations on other platforms are available, making it less proprietary than Cold Fusion below. Like other page-driven languages, it embeds dynamic constructs into HTML pages:
<html>
  <body>
  <%
    response.write("Hello World!")
  %>
  </body>
</html>

Cold Fusion

This is a Macromedia page-driven solution. However, instead of having ONE special tag to embed dynamic content, it defines multiple tags that are parsed by a Web server module in-process. These special tags (the cf-prefixed tags below) make it very powerful and, combined with Macromedia Web authoring tools, make it the choice of many corporations. However, it is proprietary:
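<!--- Sample only: the datasource credentials are hard-coded in the page and debug output is switched on --->
<cfquery name="customer" datasource="customer" username="abc" password="123" debug="yes">
SELECT * FROM custmast;
</cfquery>
<table>
<!--- The query attribute must match the cfquery name above --->
<cfoutput query="customer">
  <tr>
    <td>#Customer_No#</td>
    <td>#name#</td>
    <td>#Street#</td>
  </tr>
</cfoutput>
</table>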


JSP (Java Server Pages) and Servlets

This is standards-based, popular, hybrid and out-of-process - based on Java and J2EE standards. Although JSPs are page-driven at author time, they are not parsed by a web server module. They are compiled into servlets and deployed in a separate Web container. The Web server communicates with the web container using sockets. Most web containers implement a simple web server built into them, which is usually not as robust and scalable as the leading Web servers but is good for testing and debugging.
Servlets are script-driven and are regular Java programs. The compilation of JSPs into servlets gives us the best of both worlds (author-time page-driven and compiled out-of-process) and both of these have access to the full suite of Java libraries and APIs. The web container also defines sophisticated authorization, authentication and URL mapping mechanisms that make this an enterprise-level Web development platform. Because it is out of process, session objects and business objects can be cached and re-used by multiple HTTP requests.


Here is an example of the same code in servlet mode and JSP mode:

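import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HelloWorldServlet extends HttpServlet {
  @Override
  public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    String title = "Hello World Servlet";
    res.setContentType("text/html");
    ServletOutputStream out = res.getOutputStream();
    // the whole page is written out by the program, one print call at a time
    out.println("<html>");
    out.println("<head><title>" + title + "</title></head>");
    out.println("<body>");
    out.println("<h1>" + title + "</h1>");
    out.println("</body></html>");
  }
}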

JSP:

<HTML>
  <HEAD>
    <% String title = "Hello World JSP"; %>
    <TITLE><%= title %></TITLE>
  </HEAD>
  <BODY>
    <H1><%= title %></H1>
  </BODY>
</HTML>

In the next blog we will learn about types of SQL injection, simple SQL injection attacks, blind SQL injection, advanced SQL injection and, last but not least, basic SQL injection tools.

“Thank You” 

