{% extends 'introduction/base.html' %}
{% block content %}
{% block title %}
<title>SQL Injection</title>
{% endblock %}
<div class="content">
    <h3>Sql Injection</h3>
    <div class="box">

        <h4>What is SQL Injection</h4>
        <p class="bp"> A SQL injection attack consists of insertion or “injection” of a SQL query via the input data
            from the client to the application. A successful SQL injection exploit can read sensitive data from the
            database, modify database data (Insert/Update/Delete), execute administration operations on the database
            (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some
            cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which
            SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

        </p>
        <button class="coll btn btn-info">Lab Details</button>
        <div class="lab">
            <p class="bp">

                SQL injection errors occur when:

                Data enters a program from an untrusted source.
                The data used to dynamically construct a SQL query
                The main consequences are:

            <p class="bp">
                This lab helps you to exploit the common type of sql injection vulnerability, caused due to the lack of
                input validation and directly exposing input into the query.<br>

                The user on accessing the lab is given a log in page . The user has to try to login in as admin.
                SQL Injection vulnerability can be identified by injecting a <i>'</i> in any of the fields. If it
                results in an SQL error, SQL injection vulnerability is identified
                <br>

                <b>Exploiting SQL Injection Vulnerability</b>
            <ul>
                <li>Enter the user name as admin</li>
                <li>Enter the password as <code>anything' OR '1' ='1</code></li>
                <li>This should log you in as admin, without knowing the admins password.</li>
            </ul><br>
            <b>Understanding the Exploit</b><br>
            <br>
            <p class="bp">
                The website logs a user in by checking the entered username and password against the ones stored in the
                database. If they match, the user is logged in.
                Lets first analyse the sql query used to compare the username and password in the database.
                <br><code>"SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"</code><br>
                The name and password parameters are the ones you give as input, which is directly inserted into the
                query.<br>

                <br><b>Why the error?</b><br><br>

                When we inserted a <i>'</i> in the input it threw an error , this is because the sql query was not
                balanced and it threw an error.
                <br><code>SELECT * FROM introduction_login WHERE user='admin' AND password='''</code><br>
                The query quotes in the password field are unbalanced, this can be balanced by adding another quote to
                it.

                <br><br>Lets just plug our payload into the query and see what it looks like.
                <br><code>SELECT * FROM introduction_login WHERE user='admin' AND password='<b>anything' OR '1' ='1</b>'</code><br>

                Now the query means select username = admin where password is <code>anything OR '1'='1'</code> . <br>
                <code>'1'='1'</code> will always result in TRUE and the query fetches the user with name admin and
                password=TRUE.

                <br>Thus allowing us to login in as admin.

            </p>
            </p>
            </p>

            <br>
            <div align="right"> <button class="btn btn-info" type="button"
                    onclick="window.location.href='/sql_lab'">Access Lab</button></div>

            </p>
        </div>
        <br>
        <h4>Mitigation</h4>
        <p class="bp">
        <ul>
            <li> Use of Prepared Statements (with Parameterized Queries)</li>
            <li> Use of Stored Procedures</li>
            <li> Allow-list Input Validation</li>
            <li> Escaping All User Supplied Input.</li>
        </ul>

        </p>



    </div>
</div>



{% endblock %}