what is sql injection ?

SQL Injection: What is it?

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

SQL Injection: An In-depth Explanation
Web applications allow legitimate website visitors to submit and retrieve data to/from a database over the Internet using their preferred web browser. Databases are central to modern websites – they store data needed for websites to deliver specific content to visitors and render information to customers, suppliers, employees and a host of stakeholders. User credentials, financial and payment information, company statistics may all be resident within a database and accessed by legitimate users through off-the-shelf and custom web applications. Web applications and databases allow you to regularly run your business.
SQL Injection is the hacking technique which attempts to pass SQL commands (statements) through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.
Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchased off-the-shelf or developed as bespoke programs.
These website features are all susceptible to SQL Injection attacks which arise because the fields available for user input allow SQL statements to pass through and query the database directly.

Example of a SQLInjection Attack

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://testasp.vulnweb.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>

The easiest way for the login.asp to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password’

If the variables $username and $password are requested directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE SQL command into a two-component clause.

The 'x'='x' part guarantees to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

SQL INJECTION CHEAT SHEET

LIve Example of a SQLInjection Attack

http://www.youtube.com/watch?v=WGkntart6WI&feature=related

Maharashtra Highway Police website hacked

Not only International Law Enforcement and Police Under Hacker's attack, Even our Local Police websites and Database also become of Victim of breaches mostly once a day. A hacker With name "powerin10" take responsibility to hack Maharashtra Highway Police website. A mirror of this hack is available here.  Hacker is member of Bangladesh Cyber Army.

Hackers destroyed a pump used by a US water utility

Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery. Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas.

''This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage,'' a managing partner at Applied Control Solutions, Joseph Weiss, said.

The network breach was exposed after cyber intruders burned out a pump. ''No one realised the hackers were in there until they started turning on and off the pump,'' he said.

It said hackers apparently broke into a software company's database and retrieved usernames and passwords of various control systems that run water plant computer equipment.Using that data, they were able to hack into the Illinois plant.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

"At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.

US military's offensive operations in cyberspace to shoot Hackers

The US military is now legally in the clear to launch offensive operations in cyberspace, the commander of the US Strategic Command has said. The Pentagon has just sent a report to Congress where it says that it has the right to retaliate with military force against a cyber attack.


Air Force General Robert Kehler said in the latest sign of quickening U.S. military preparations for possible cyber warfare that "I do not believe that we need new explicit authorities to conduct offensive operations of any kind".

US Strategic Command is in charge of a number of areas for the US military, including space operations (like military satellites), cyberspace concerns, 'strategic deterrence' and combating WMDs.


"When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country," the DoD said in the report. "All states possess an inherent right to self-defense, and we reserve the right to use all necessary means – diplomatic, informational, military, and economic – to defend our nation, our allies, our partners, and our interests."


This means that if anyone carries out a decent attack on the Pentagon website, the Navy Seals will land on his roof, run through his house shooting anything that moves and bury the body at sea. US security agencies are also training a crack team of highly skilled cyber forensics experts and are working with international partners to share information about cyber threats, including malicious code and the people behind it, it said.