{% extends "introduction/base.html" %} 
{% load static %} 
{% block content %} 
{% block title %}
<title>SQL Injection</title>
{% endblock %}
<h2 style="font-size: 2.7rem">CWE-89: <span>SQL Injection</span></h2>
<div class="box">
  <div class="desc">
    Without sufficient removal or quoting of SQL syntax in user-controllable
    inputs, the generated SQL query can cause those inputs to be interpreted as
    SQL instead of ordinary user data. This can be used to alter query logic to
    bypass security checks, or to insert additional statements that modify the
    back-end database, possibly including execution of system commands. SQL
    injection has become a common issue with database-driven web sites. The flaw
    is easily detected, and easily exploited, and as such, any site or software
    package with even a minimal user base is likely to be subject to an
    attempted attack of this kind. This flaw depends on the fact that SQL makes
    no real distinction between the control and data planes.
  </div><br><br>

    <button class="coll btn btn-info">Lab Details</button>
    <div class="lab">
        <p class="bp">
                SQL injection errors occur when:

                Data enters a program from an untrusted source.
                The data used to dynamically construct a SQL query
                The main consequences are:

                <p class="bp">
                    This lab helps you to exploit the common type of sql injection vulnerability, caused due to the lack of
                    input validation and directly exposing input into the query.<br>

                    The user on accessing the lab is given a log in page . The user has to try to login in as admin.
                    SQL Injection vulnerability can be identified by injecting a <i>'</i> in any of the fields. If it
                    results in an SQL error, SQL injection vulnerability is identified
                    <br>

                    <b>Exploiting SQL Injection Vulnerability</b>
                    <ul>
                        <li>Enter the user name as admin</li>
                        <li>Enter the password as <code>anything' OR '1' ='1</code></li>
                        <li>This should log you in as admin, without knowing the admins password.</li>
                    </ul><br>
                    <b>Understanding the Exploit</b><br>
                    <br>
                    <p class="bp">
                        The website logs a user in by checking the entered username and password against the ones stored in the
                        database. If they match, the user is logged in.
                        Lets first analyse the sql query used to compare the username and password in the database.
                        <br><code>"SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"</code><br>
                        The name and password parameters are the ones you give as input, which is directly inserted into the
                        query.<br>

                        <br><b>Why the error?</b><br><br>

                        When we inserted a <i>'</i> in the input it threw an error , this is because the sql query was not
                        balanced and it threw an error.
                        <br><code>SELECT * FROM introduction_login WHERE user='admin' AND password='''</code><br>
                        The query quotes in the password field are unbalanced, this can be balanced by adding another quote to
                        it.

                        <br><br>Lets just plug our payload into the query and see what it looks like.
                        <br><code>SELECT * FROM introduction_login WHERE user='admin' AND password='<b>anything' OR '1' ='1</b>'</code><br>

                        Now the query means select username = admin where password is <code>anything OR '1'='1'</code> . <br>
                        <code>'1'='1'</code> will always result in TRUE and the query fetches the user with name admin and
                        password=TRUE.

                        <br>Thus allowing us to login in as admin.

                    </p>
                </p>
            </p>

            <br>
            <div align="right"> <button class="btn btn-info" type="button"
                    onclick="window.location.href='/sql_lab'">Access Lab</button></div>

            
    </div><br>
    <h4>Mitigation</h4>
        <p class="bp">
        <ul>
            <li> Use of Prepared Statements (with Parameterized Queries)</li>
            <li> Use of Stored Procedures</li>
            <li> Allow-list Input Validation</li>
            <li> Escaping All User Supplied Input.</li>
        </ul>

        </p>

{% endblock %}