How to hack a website

I want to worry you.

I want to show you just one way that hackers can get in to your website and mess it up, using a technique called SQL Injection. And then I'll show you how to fix it. This article touches on some technical topics, but I'll try to keep things as simple as possible. There are a few very short code examples written in PHP and SQL. These are for the techies, but you don't have to fully understand the examples to be able to follow what is going on. Please also note that the examples used are extremely simple, and Real Hackers™ will use many variations on the examples listed.

If your website doesn't use a database, you can relax a bit; this article doesn't apply to your site — although you might find it interesting anyway. If your site does use a database, and has an administrator login who has rights to update the site, or indeed any forms which can be used to submit content to the site — even a comment form — read on.

Warning

This article will show you how you can hack in to vulnerable websites, and to check your own website for one specific vulnerability. It's OK to play around with this on your own site (but be careful!) but do not be tempted to try it out on a site you do not own. If the site is properly managed, an attempt to log in using this or similar methods will be detected and you might find yourself facing charges under the Computer Misuse Act. Penalties under this act are severe, including heavy fines or even imprisonment.

What is SQL Injection?

SQL stands for Structured Query Language, and it is the language used by most website databases. SQL Injection is a technique used by hackers to add their own SQL to your site's SQL to gain access to confidential information or to change or delete the data that keeps your website running. I'm going to talk about just one form of SQL Injection attack that allows a hacker to log in as an administrator - even if he doesn't know the password.

Is your site vulnerable?

If your website has a login form for an administrator to log in, go to your site now and type the administrator user name in the username field.

In the password field, type or paste this:

x' or 'a' = 'a

If the website didn't let you log in using this string you can relax a bit; this article probably doesn't apply to you. However you might like to try this alternative:

x' or 1=1--

Or you could try pasting either or both of the above strings into both the login and password field. Or if you are familiar with SQL you could try a few other variations. A hacker who really wants to get access to your site will try many variations before he gives up.

If you were able to log in using any of these methods then get your web tech to read this article, and to read up all the other methods of SQL Injection. The hackers and "skript kiddies" know all this stuff; your web techs need to know it too.

The technical stuff

If you were able to log in, then the code which generates the SQL for the login looks something like this:

// Vulnerable: the user's input is concatenated straight into the SQL text.
$sql =
    "SELECT * FROM users " .
    "WHERE username = '" . $username .
    "' AND password = '" . $password . "'";

When you log in normally, let's say using userid admin and password secret, what happens is that admin is put in place of $username and secret is put in place of $password. The SQL that is generated then looks like this:

SELECT * FROM users WHERE username = 'admin' and PASSWORD = 'secret'

But when you enter x' or 'a' = 'a as the password, the SQL which is generated looks like this:

SELECT * FROM users WHERE username = 'admin' and PASSWORD = 'x' or 'a' = 'a'

Notice that the string x' or 'a' = 'a has injected an extra phrase into the WHERE clause: or 'a' = 'a'. This means that the WHERE is always true, and so this query will return a row containing a user's details.

If there is only a single user defined in the database, then that user's details will always be returned and the system will allow you to log in. If you have multiple users, then one of those users will be returned at random. If you are lucky, it will be a user without administration rights (although it might be a user who has paid to access the site). Do you feel lucky?
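To see the mechanism described above in running code, here is an added example that is not from the article: the article's PHP/MySQL login routine rewritten in Python against an in-memory SQLite database, so it runs without a database server. The users table, the names in SAMPLE_USERS and the function names are constructed for this illustration. A non-admin member is listed before the administrator on purpose, to show which row comes back once the WHERE clause is always true.

```python
import sqlite3

# Constructed sample data (not from the article): a paying member is listed
# before the administrator so we can see which row an always-true WHERE returns.
SAMPLE_USERS = [
    ("member", "letmein", 0),  # (username, password, is_admin)
    ("admin", "secret", 1),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_login_sql(username, password):
    """The vulnerable pattern from the article: the input is glued straight
    into the SQL text, quotes and all, so a quote in the input ends the
    string literal early and whatever follows is parsed as SQL."""
    return (
        "SELECT username, is_admin FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Run the glued-together query; return (username, is_admin) or None.

    With the injected password the WHERE becomes
    (username = 'admin' AND password = 'x') OR 'a' = 'a', which is true for
    every row, so the database simply hands back the first row it finds."""
    return conn.execute(build_login_sql(username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    for pw in ("secret", "wrong", "x' or 'a' = 'a", "x' or 1=1--"):
        print(repr(pw).ljust(20), build_login_sql("admin", pw))
        print(" " * 20, "->", vulnerable_login(conn, "admin", pw))
```

Run it and compare the printed SQL for the real password with the SQL for the injected one: the only difference is the extra phrase after the password literal, and that phrase is enough to return the member row even though the administrator was the user being logged in.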

How to defend against this type of attack

Fixing this security hole isn't difficult. There are several ways to do it. If you are using MySQL, for example, the simplest method is to escape the username and password, using the mysql_escape_string() or mysql_real_escape_string() functions, e.g.:

// Escape the input before it is concatenated, so quotes inside it stay inside the string literal.
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql =
    "SELECT * FROM users " .
    "WHERE username = '" . $username .
    "' AND password = '" . $password . "'";

Now when the SQL is built, it will come out as:

SELECT * FROM users WHERE username = 'admin' and PASSWORD = 'x\' or \'a\' = \'a'

Those backslashes ( \ ) make the database treat the quote as a normal character rather than as a delimiter, so the database no longer interprets the SQL as having an OR in the WHERE clause.

This is just a simplistic example. In practice you will do a bit more than this, as there are many variations on this attack. For example, you might structure the SQL differently: fetch the user using the user name only and then check in your own code that the password matches. Better still, make sure you always use bind variables, which are the best defence against SQL injection and strongly recommended. And you should always escape all incoming data using the appropriate functions from whatever language your website is written in - not just data that is being used for login.
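The defences just listed, as an added example that is not the article's own code: a Python/SQLite version of the login that uses a bind variable for the username and then checks the password in code, as the article suggests, plus a helper that shows what escaping does and does not buy you. The table, the constructed users and all function names are assumptions for this illustration. Two points worth noting beyond the article: the mysql_escape_string() and mysql_real_escape_string() functions belong to PHP's old mysql extension, which was removed in PHP 7, so on current PHP the equivalent is a prepared statement through mysqli or PDO; and SQLite escapes a quote inside a string literal by doubling it rather than with MySQL's backslash, which is exactly why escaping rules are driver-specific and bind variables are the safer habit.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for this demo; tune for your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns salt + digest so the salt travels with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(stored, password):
    """Recompute the hash and compare in constant time (no early-exit on mismatch)."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_db():
    """In-memory SQLite database with constructed users; passwords stored hashed, not in clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash BLOB, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("member", hash_password("letmein"), 0), ("admin", hash_password("secret"), 1)],
    )
    return conn


def safe_login(conn, username, password):
    """Bind variable for the username, password checked in code.

    The '?' placeholder makes the driver pass username as data, never as SQL
    text, so quotes in the input cannot alter the query's structure. The
    password is never put into SQL at all; it is verified against the stored
    hash after the row has been fetched. Returns (username, is_admin) or None."""
    row = conn.execute(
        "SELECT username, pw_hash, is_admin FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None or not check_password(row[1], password):
        return None
    return (row[0], row[2])


def escape_quotes(value):
    """SQLite's rule: a quote inside a string literal is written as ''.
    (MySQL's mysql_real_escape_string() uses backslashes instead.) This only
    helps while the value sits inside quotes in the SQL text; it does nothing
    for a value spliced into a numeric or identifier position."""
    return value.replace("'", "''")


def escaped_lookup(conn, username):
    """The article's first fix, escaping, applied to a username lookup.
    Shown for comparison; safe_login() above is the preferred form."""
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '"
        + escape_quotes(username)
        + "'"
    )
    return conn.execute(sql).fetchone()


if __name__ == "__main__":
    conn = make_db()
    for user, pw in (("admin", "secret"), ("admin", "x' or 'a' = 'a"), ("x' or 1=1--", "x")):
        print(f"{user!r:18} {pw!r:18} -> {safe_login(conn, user, pw)}")
    print("escaped lookup of injected name ->", escaped_lookup(conn, "x' or 'a' = 'a"))
```

With bind variables the strings from the article are just unusual usernames or passwords that match nobody; the query's shape is fixed before any input reaches it, which is the property escaping can only approximate.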

There's more

This has just been a brief overview. There are many more hacking techniques than SQL Injection; there are many more things that can be done just using SQL Injection. It is possible to directly change data, get access to confidential information, even delete your whole database — irrespective of whether the hacker can actually log in — if your website isn't set up correctly.

If you are hungry for more, this detailed article from SecuriTeam explains other techniques hackers might use, as well as some of the methods hackers use to work out the structure of your database, the userid of the admin user, gain access to your system's configuration, etc.

Have a nice weekend!

Derek


Deborah Nielsen

debnielsen-625293

How to hack a website

Hi Derek Thank you for words of wisdom! Deborah Nielsen

0 comments

John Irwin

johnirwin2-614439

How to hack a website

I am recently new to your site, in fact I just joined it. I actually had a question, and keep in mind that I have literally NO experience in hacking, you mentioned in the beginning of this post that advanced hackers know how to cover their tracks. What I am wondering is, of an advanced hacker who knows how to cover their tracks, what are the chances they would use what some people are calling a "low level hack"? I know it's not safe to assume this but, do you feel your chances are greater at catching a hacker using this particular hack just because the chance is higher that they are a novice and do not know how to cover their tracks? I am curious because my uncle's website was hacked last year (which cost him a lot of money to fix) and no one even mentioned to us that there is a possibility that we could figure out who it was that did it. It just makes me think... Thanks

0 comments

Derek Sorensen

dereksorensen-69312

They say imitation is the sincerest form of flattery

I don't really feel all that flattered though. At least a couple of them had the good grace to link back to my site: LINK. Derek

1 comments

Sam Borrett

samborrett-372470

How to hack a website

Hi Derek, everyone must have been so freaked out THEY forgot to Like the post. So I did. Cheers and thanks for the input SAM Sam Borrett Mentor, Entrepreneur, Facilitator http://www.familyconstellation.com.au Mentoring4Change Jupiter Properties Pty. Ltd. EastWest Property Investments PO Box 241 Brunswick Heads, NSW, 2483 Australia

1 comments

TUSO TUSO

tusotuso-573700

How to hack a website - Can't hack PHP and MySQL

There is no such SQL injection in PHP & MySQL !!! PHP & MySQL was designed so that it won't be penetrated by the old SQL injection. In MySQL, when un-escaped values are passed, or if there is any incorrect syntax, it won't just process the request (sql command) and won't return any information about the database structure - so this won't give hackers any idea of how you designed your database. In case of any error, this is handled by the mysql_error() function which is not shown by default and it's only up to the programmer to display it or not. And again, mysql_error() won't give any information about your database structure, it only shows a certain part where the error occurred and enough idea of where a fix to the latter mistake should take place.

1 comments

Chinello Ifebigh

chinelloifebigh-444958

How to hack a website

Ugh!!!! Gives me the Creeps!!! Thanks! Chinello Ifebigh *Santa 09* "If we build it, they will come".

0 comments

Stephan van Kampen

stephanvan-kampen-527198

Please

Hi sir, I have started to learn this type of work. It is an aim I am working to. I don't know much yet but am on the verge of learning. If you maybe could contact me please. I want to ask you something personally. Please. This is really good. It just mustn't be used for bad. How do you know if it is not misused? Thanks if you will. Stephan

1 comments

Andreas Wiedow

andreas_wiedow

Did you cut your article in pieces and . . .

. . . make marketplace ads from it? Hi, Derek, what comes across to me, being an amateur in these things, is that you know your stuff and appear to be an honest and trustworthy techie. Have you already cut your excellent article in pieces and posted them in marketplace? Have you already made questions out of it for your cold call sales approach? Warm regards, Andreas Wiedow Sparkling Speaker ? | Want more exposure ?

1 comments

Jon Heath

maverick-33024

How to hack a website

thanks Derek, easy to follow & even easier to understand how people who know what they're doing can hack with a few simple steps. so how safe is Ecademy? Jon Jon Heath CMC Partnership, non-executive business advice - start-up, growth, rescue, sale & exit strategies for SME owner-managers Let's Go Lottie - one last epic adventure on Route 66, helping to raise money for charities & good causes www.thebusinessmix.com coming soon Blogs: Let's Go Lottie - news blog Let's Go Lottie - lottie's blog Me and My Big Ideas

1 comments

RealSteveHolmes Fading away soon

cvsage-38854

what a brilliant article

What a difference it makes when someone who actually knows something tells you something you might actually want to know. Thank you very much for this fabulous insight. I'm kind of sick of bombastic personal branding; please read my profile and call me; that's the adult way.

0 comments

John Amy - Graphic Design

johnamy

How to hack a website

cor blimey Derek!

0 comments