Hello Guys, JhonelPaulo here, gusto ko lang kayo iguide kung papaano ang tamang pagreread ng SQL (designed for login pages) para di ma SQL INJECTION Attack ang inyong login page. para to sa mga gumagawa ng web application na may username & password..
So ano, game !
Kadalasan, lalo na yung mga nagsisimula pa lang na programmer ganto sila mag query sa sql...
NOTE: This is C# Code:
sa napapansin niyo vulnerable sa SQL ATTACK ang ating query.. bakit ?
LETS START INVESTIGATING
pagpahalimbawa ang tinype ng ating magaling na hacker sa textbox ay ito:
'OR''=' nasa textBox1 ID siya nakalagay. to get the text we will use TextBox1.Text.
AND THE QUERY STRING OVER HERE:
SqlCommand sqltakbo = new SqlCommand("SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'", sqlkoneksyon);
LETS MAKE IT SIMPLE:
dito na lang tayo sa query.. para malaman niyo kung anong magiging resulta ng sql query natin:
"SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'"
OK, HERE WE GO LET'S REPLACE textBox1.Text with our hackers input..
"SELECT * FROM Tauhan WHERE Pangalan = '" + 'OR''=' + "'"
and the result of the query:
------------------ SELECT * FROM Tauhan WHERE Pangalan = ''OR''='' ---------------------------------
O.O wow.. mukang patay tayo jan.. iniescape natin ung '(single quote) para masingitan si command ng panibagong command..
to make this easier to understand, parang tseke (check) lang..
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred
vulnerable si amount ... bakit ? kasi ung Php.200 pwede maging 200,000 lagyan natin ng thousand Pesos...
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Thousand Pesos
see ? punta ka sa bank at iencash mo ung check and voila instant money
so how to prevent this vulnerability ? add the "PESOS ONLY" result:
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only
equals 100% PRANK/HACK PROOF !..
di na magwowork ang paglalagay ng Thousand sa huli.. common programmer logic
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only Thousand Pesos Only
====== WILL NOT DAMN WORK YARI KA SA TELLER NIYAN PAG GINAWA MO YAN ===
so ang pinakaabangan ng lahat ang update ko.. ito na po: the best solution jan is called:
" SQL PARAMETERIZED QUERY "...
here's the code from my friend (renz) open source software project Construction Management Software.. Coded in C# Hosted as ASP.NET..
it's so hard to explain guys, later ule .. kayo na muna bahala magunderstand kung ano pinagkaiba nung dalawa ha, tulog na muna uli ako, tomorrow na lang ule
So ano, game !
Kadalasan, lalo na yung mga nagsisimula pa lang na programmer ganto sila mag query sa sql...
NOTE: This is C# Code:
Code:
// ----------------------------------------------------------------------------------------------------------------------
// HERE WE SET THE VARIABLES FOR OUR SQL CONNECTION.
// THIS IS WHAT OUR PROGRAMMERS USUALLY DO, AND IT IS WRONG :(
// IT IS VERY INSECURE: THE QUERY BELOW IS VULNERABLE TO SQL INJECTION. (KEPT HERE ONLY AS THE "BEFORE" EXAMPLE.)
// ----------------------------------------------------------------------------------------------------------------------
SqlConnection sqlkoneksyon = new SqlConnection(ConfigurationManager.ConnectionStrings["databaseconnectionname"].ToString());
// AS YOU CAN SEE, THIS IS VERY EASY TO ATTACK, BECAUSE textBox1.Text COMES STRAIGHT FROM USER INPUT AND IS
// CONCATENATED INTO THE SQL TEXT. IF YOU ARE AN EXPERIENCED CODER YOU KNOW THAT CHARACTERS LIKE SEMICOLONS AND
// QUOTES IN THAT INPUT CHANGE THE MEANING OF THE QUERY - THAT IS THE SQL INJECTION WEAKNESS. TEST IT ON YOUR OWN
// LOGIN PAGE: TYPING 'OR''=' AS USERNAME AND PASSWORD LOGS YOU IN, PROMISE, WHEN YOUR CODE HAS THIS FORMAT....
SqlCommand sqltakbo = new SqlCommand("SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'", sqlkoneksyon);
sqlkoneksyon.Open();
SqlDataReader sqlbasa= sqltakbo.ExecuteReader();
// -------------------------------------------------------------------------------------------
// OK, NOW IT IS TIME TO EXECUTE OUR SQL QUERY AND READ
// OUR DATA. (NOTE: NEITHER THE READER NOR THE CONNECTION IS EVER CLOSED HERE - THERE IS NO using BLOCK.)
// -------------------------------------------------------------------------------------------
while (sqlbasa.Read()) {
// * DO WHATEVER YOU WANT WITH THE ROW HERE.
// * FOR THOSE WHO DO NOT KNOW THE FORMAT FOR READING A COLUMN FROM THE TABLE:
string sqldata = sqlbasa["PANGALAN NG COLUMN"].ToString();
}
// -------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------
sa napapansin niyo vulnerable sa SQL ATTACK ang ating query.. bakit ?
LETS START INVESTIGATING
pagpahalimbawa ang tinype ng ating magaling na hacker sa textbox ay ito:
'OR''=' nasa textBox1 ID siya nakalagay. to get the text we will use TextBox1.Text.
AND THE QUERY STRING OVER HERE:
SqlCommand sqltakbo = new SqlCommand("SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'", sqlkoneksyon);
LETS MAKE IT SIMPLE:
dito na lang tayo sa query.. para malaman niyo kung anong magiging resulta ng sql query natin:
"SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'"
OK, HERE WE GO LET'S REPLACE textBox1.Text with our hackers input..
"SELECT * FROM Tauhan WHERE Pangalan = '" + 'OR''=' + "'"
and the result of the query:
------------------ SELECT * FROM Tauhan WHERE Pangalan = ''OR''='' ---------------------------------
O.O wow.. mukang patay tayo jan.. iniescape natin ung '(single quote) para masingitan si command ng panibagong command..
to make this easier to understand, parang tseke (check) lang..
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred
vulnerable si amount ... bakit ? kasi ung Php.200 pwede maging 200,000 lagyan natin ng thousand Pesos...
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Thousand Pesos
see ? punta ka sa bank at iencash mo ung check and voila instant money
so how to prevent this vulnerability ? add the "PESOS ONLY" result:
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only
equals 100% PRANK/HACK PROOF !..
di na magwowork ang paglalagay ng Thousand sa huli.. common programmer logic
PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only Thousand Pesos Only
====== WILL NOT DAMN WORK YARI KA SA TELLER NIYAN PAG GINAWA MO YAN ===
so ang pinakaabangan ng lahat ang update ko.. ito na po: the best solution jan is called:
" SQL PARAMETERIZED QUERY "...
here's the code from my friend (renz) open source software project Construction Management Software.. Coded in C# Hosted as ASP.NET..
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections.Specialized;
using System.Text;
using System.Data.Sql;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
using System.Net.Mail;
namespace CMS
{
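public partial class cmslogin : System.Web.UI.Page
{
    // Failed attempts (counted per server-side session) at which the admin is notified by SMS.
    private const int MaxFailedAttempts = 10;

    // Session key for the failed-attempt counter. The hidden field hdn is only a mirror for the
    // markup: a counter kept client-side can be reset by the client, so it must not drive the lockout.
    // A fresh session still starts at zero; a per-account counter in the database would be stronger.
    private const string FailedAttemptsKey = "CMS_FailedLoginAttempts";

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Login button handler. Looks the submitted username up with a parameterized query, compares the
    /// stored hash with the hash of the submitted password in fixed time, and on success stores the user
    /// in the session and redirects. Every failure (unknown user or wrong password) increments a
    /// per-session counter; at <see cref="MaxFailedAttempts"/> the admin is texted via Functions.itexmo.
    /// </summary>
    /// <param name="sender">Control that raised the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    public void Login_Action(object sender, EventArgs e)
    {
        string user = txtuser.Value;
        string pass = txtpass.Value;

        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
        {
            ShowError("Username and Password Fields cannot be blank.");
            return;
        }

        // NOTE(review): Functions.SHA1HashStringForUTF8String is defined elsewhere; from its name it is a
        // single unsalted SHA-1 pass, which is too fast for password storage. Moving the stored hashes to
        // a slow, salted KDF (PBKDF2 / bcrypt) is a schema change outside this handler.
        string hash = Functions.SHA1HashStringForUTF8String(pass);
        string storedHash = LookupPasswordHash(user);

        // One generic message covers both "unknown user" and "wrong password", so the form cannot be
        // used to enumerate valid usernames; the compare is fixed-time for the same reason.
        if (storedHash != null && FixedTimeEquals(hash, storedHash))
        {
            Session[FailedAttemptsKey] = 0;
            Session["AuthenticatedUser"] = user;
            hdn.Value = "0";

            // Only same-site targets are honored; an absolute or protocol-relative "redirect" value
            // would turn the login page into an open redirect.
            string redirect = Request.QueryString["redirect"];
            Response.Redirect(IsLocalUrl(redirect) ? redirect : "index.aspx");
            return;
        }

        int attempts = RecordFailedAttempt();
        ShowError("The username or password you entered is incorrect.");

        if (attempts >= MaxFailedAttempts)
        {
            // NOTE(review): the recipient number and the API code are literals in source; both belong in
            // protected configuration, not in the repository.
            var msgrsl = Functions.itexmo("09061067930", "User \"" + user + "\" has attempted to login with more than " + MaxFailedAttempts + " incorrect passwords. Client's IP Address: " + Request.UserHostAddress + "\r\n\r\nAuto SMS by CMS. do not reply.", "API_CODE_CENSORED");
            ShowError("You tried too many attempts. Admin will be warned with IP: " + Request.UserHostAddress + " via SMS & Email. SMS Result Code: " + msgrsl.ToString());
        }
    }

    /// <summary>
    /// Reads the stored password hash for <paramref name="user"/>. The match is case-sensitive because of
    /// the COLLATE clause. Returns null when no row exists; if several rows match, the last one wins,
    /// as the original read loop did.
    /// </summary>
    /// <param name="user">Username exactly as submitted; it travels as a typed parameter, never as SQL text.</param>
    /// <returns>The PasswordHash column of the matching row, or null when there is none.</returns>
    private static string LookupPasswordHash(string user)
    {
        var connect = ConfigurationManager.ConnectionStrings["cms_7930"].ToString();
        // Only the column we need; the original SELECT * pulled the whole row.
        var query = "SELECT PasswordHash FROM Users WHERE Username = @Username COLLATE SQL_Latin1_General_CP1_CS_AS";
        string readpass = null;

        using (var conn = new SqlConnection(connect))
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar).Value = user;
            conn.Open();
            // The reader keeps the connection's result set open; dispose it before the connection is returned to the pool.
            using (SqlDataReader sqreader = cmd.ExecuteReader())
            {
                while (sqreader.Read())
                {
                    readpass = sqreader["PasswordHash"].ToString();
                }
            }
        }

        return readpass;
    }

    /// <summary>
    /// Increments the per-session failed-login counter, mirrors it into the hidden field hdn, and
    /// returns the new count.
    /// </summary>
    private int RecordFailedAttempt()
    {
        int attempts = (Session[FailedAttemptsKey] as int? ?? 0) + 1;
        Session[FailedAttemptsKey] = attempts;
        hdn.Value = attempts.ToString();
        return attempts;
    }

    /// <summary>
    /// Compares two strings without short-circuiting on the first differing character, so the time
    /// taken does not reveal how much of the hash matched. A length mismatch returns early; hashes
    /// from one algorithm all have the same length, so that reveals nothing useful.
    /// </summary>
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }

        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// True when <paramref name="url"/> is a path on this site: app-relative ("~/...") or a single
    /// leading slash followed by a parseable relative URI. Absolute URLs, scheme prefixes and
    /// protocol-relative forms ("//host", "/\host") are rejected.
    /// </summary>
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
        {
            return false;
        }
        if (url.StartsWith("~/", StringComparison.Ordinal))
        {
            return true;
        }
        if (url[0] != '/')
        {
            return false; // absolute URL or a scheme such as "javascript:"
        }
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
        {
            return false; // protocol-relative: the browser would leave the site
        }

        Uri parsed;
        return Uri.TryCreate(url, UriKind.Relative, out parsed);
    }

    /// <summary>
    /// Makes the error panel visible and shows <paramref name="message"/> inside the standard
    /// paragraph markup. Callers pass only fixed text or server-derived values, never raw user input.
    /// </summary>
    private void ShowError(string message)
    {
        passerror.Attributes["style"] = "visibility:visible";
        passerror.InnerHtml = "<p style=\"font-size:14px;margin-left:8px;margin-right:8px\">" + message + "</p>";
    }

    /// <summary>
    /// Registers a client-side alert showing <paramref name="s"/>. The value is JavaScript-encoded so
    /// quotes, backslashes and line breaks in it cannot break out of the string literal.
    /// </summary>
    public void ShowAlert(string s)
    {
        ScriptManager.RegisterClientScriptBlock(this, this.GetType(), "alertMessage", "alert('" + HttpUtility.JavaScriptStringEncode(s) + "')", true);
    }
}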
}
it's so hard to explain guys, later ule .. kayo na muna bahala magunderstand kung ano pinagkaiba nung dalawa ha, tulog na muna uli ako, tomorrow na lang ule