How to hack a site?
To begin with, let me state that this article in no way urges anyone to hack someone else’s Internet resources using the methods described below.
The main goal of the article is to show the reader how important data protection on the Internet is, using the example of a site that is not properly protected. The attack method used will be perhaps the most common way of hacking a site: SQL injection.
First, let us establish that all modern, large, complex sites are, without exception, built on top of a database. Work with the data stored in your site’s database is carried out through the Structured Query Language, SQL.
SQL injection is the technique of inserting certain code (without breaking the structure of the query itself) into the original SQL query in order to gain access to the data held in the database.
Thus, under certain conditions, usually the absence of code in the site and its queries that is meant to protect the data, an attacker can use SQL injection to read the contents of any table, delete, modify or add data, read and/or write local files, and execute arbitrary commands on the attacked server. We will not dwell on theory for long and will move on to action.
So, for starters, let’s get acquainted with the concept of passing data with the GET method. Have you noticed, while travelling through the pages of the endless Internet, that the links you follow often look like this:
www.xxxxxx.ru/index.php?something=something&something_else=something_else,
where all sorts of values stand in place of my placeholder “something”.
Know that URLs of this form carry specific information: the question mark is followed by a variable (its name), then = and its value. The & sign separates the variables from each other.
This is done so that the page you request can change depending on these variables: their values are passed by the GET method to the code of the site’s pages, where they are processed, and our web page is built from the results.
But just think about it! Nobody can forbid you to take this URL, edit it by hand to whatever you need, press Enter, and send the data in that URL to the database server for processing! This is where the possibility of SQL injection arises.
So, let’s begin. We have a website that, based on the id parameter passed by the GET method, takes certain data from the database and builds our page on it. Here is the code of the SQL query that processes our data from the URL:
$result3 = mysql_query("SELECT * FROM raspisanie WHERE cat = $id");
Translated into plain words, the query selects all the data from the raspisanie table where the field cat = $id. In fact, everything in the query that follows our $id variable, which we pass from the URL, no longer matters to us, and I will explain why later. Now let’s deal with the URL itself. Let it initially look like this:
www.xxxxxx.ru/index.php?id=3
That is, with this URL we pass the parameter id = 3, and the page is built on the basis of this parameter: it is placed in our SQL query, and all the data from the raspisanie table where the field cat = $id = 3 is extracted from the database. And now for the fun part. Suppose we know that the database of the attacked site stores the username and password of the site’s administrator area in the users table, in the login and password fields respectively. Then, simply by changing our URL like this:
www.xxxxx.ru/index.php?id=3+union+select+1,2,login,password,5,6,7+from+user/*
the page will put this whole long variable into our query, which will now look like
$result3 = mysql_query("SELECT * FROM raspisanie WHERE cat = 3 union select 1,2,login,password,5,6,7 from user /*");
Having processed this new query, which does not violate the structure of the database tables, the server itself will return to us, in addition to the usual information corresponding to id = 3, a login and a password from the site!
To make it completely clear, I will translate our new “magic query”:
“Select all the data from the raspisanie table where the field cat = 3, and also run another query: in addition to the data already received, output the username and password from the users table.”
The numbers 1, 2 and so on are arbitrary and serve to preserve the structure of the query; how many of them are needed is found by trial, until their number equals the number of columns the original query returns by default.
The name of the users table and of the login and password fields are also found by guessing, because, you must admit, they have roughly the same names everywhere. Finally, the characters “/*” at the end of our URL serve to discard the tail of the original query, if there is one, so that it does not break the structure of the injected query.
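The query from the article, reproduced beside its hardened form, as an added example that is not from the original page: a constructed in-memory SQLite database stands in for the site’s MySQL tables (raspisanie gets seven columns so the page’s 7-value UNION lines up; the table is called users, as in the prose, rather than the URL’s user), a trailing ORDER BY is added to the vulnerable query purely to show what the “/*” discards, and the rows are made-up sample data.

```python
import sqlite3

# Constructed sample schema and rows; nothing here comes from a real site.
SCHEMA = """
CREATE TABLE raspisanie (id INTEGER, cat INTEGER, title TEXT, room TEXT,
                         weekday TEXT, starts TEXT, ends TEXT);
INSERT INTO raspisanie VALUES (1, 3, 'Algebra', '101', 'Mon', '09:00', '10:30');
CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2');
"""


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(raw_id: str) -> list:
    """Mirrors the page's mysql_query("... WHERE cat = $id"): the raw GET
    value is spliced into the SQL text, so the query structure is whatever the
    visitor typed. The ORDER BY tail is the part a trailing /* comments out."""
    conn = _db()
    sql = f"SELECT * FROM raspisanie WHERE cat = {raw_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def safe_lookup(raw_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.
    A bound value is data, never SQL syntax, so UNION and comment characters
    in it are inert; the int() check additionally rejects such input outright."""
    try:
        cat = int(raw_id)
    except ValueError:
        return []                       # not an integer id: serve nothing
    conn = _db()
    sql = "SELECT * FROM raspisanie WHERE cat = ? ORDER BY id"
    return conn.execute(sql, (cat,)).fetchall()


# The page's injected value, with the table name adjusted to this schema.
PAYLOAD = "3 union select 1,2,login,password,5,6,7 from users /*"

if __name__ == "__main__":
    print(vulnerable_lookup("3"))       # the one legitimate timetable row
    print(vulnerable_lookup(PAYLOAD))   # same row plus (1, 2, 'admin', 'hunter2', 5, 6, 7)
    print(safe_lookup(PAYLOAD))         # [] : the injected value never reaches SQL
```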