0

In class we're now learning about SQL injection attacks and my professor showed us examples where we either use only the username input for the attack, or both the username and password.

I started reading about SQL injection more and found that you can create attacks by typing 'admin' or 'xx' into the username input and then primarily using the password input for the attack.

My question is, is it possible to perform a SQL injection attack using only the password input and typing nothing in the username input?

EDIT: This question is in the context of using a SQL injection attack on a database via the password box of a login page of a website.

Andy Lester
Katie Paige
  • 1
    If it's badly/poorly coded; probably. Nothing's impossible in this day & age. – Funk Forty Niner Apr 29 '14 at 02:10
  • Not if the developer validates the input data before allowing it to be part of a query. – Dan Bracuk Apr 29 '14 at 02:13
  • 2
    @Dan Bracuk: define "validation"? You don't need to *validate* anything before using in an sql query – zerkms Apr 29 '14 at 02:14
  • @Katie Paige: your question doesn't make much sense. SQL injection is an SQL query syntax tree modification. That's it. There aren't any HTML fields or something else; it's just about some data that is dynamically inserted into a query (from any source) – zerkms Apr 29 '14 at 02:16
  • I meant my question in the context of going after a database via a login page using a query in the password input. – Katie Paige Apr 29 '14 at 02:25
  • @Katie Paige: still - doesn't matter. There is no such "context". It doesn't matter where data comes from. What matters - is how it's processed before being used as a part of sql query. – zerkms Apr 29 '14 at 02:33
  • 2
    The old saying still holds to this day: **Never trust user input**, *period*. You should take heed of the warnings already given in the multiple posts here on SO, etc. Whether it's a username/email/password/textarea/etc. "inputs", input is input, *period*. Using proper coding methods, up-to-date APIs and taking care against SQL injection will help fight against it. Just don't be sloppy and stay informed. ;-) – Funk Forty Niner Apr 29 '14 at 02:38
  • @Fred-ii- thanks for the advice, and I assumed as much, but I was simply wondering whether something was possible to do on a site that didn't take these precautions or if you had to use both username and password input. – Katie Paige Apr 29 '14 at 02:40
  • 1
    @Katie Paige: As a person "with emphasis in information security" you must understand that both "username" and "password" are just a part of request and don't have any magical meaning in general. – zerkms Apr 29 '14 at 02:41
  • You're welcome, Katie. You can look through Owasp.org's website https://www.owasp.org/index.php/Top_10_2013-Top_10, there's a lot you can read up on, and our very own (*we're so proud of it*) here on SO http://stackoverflow.com/q/60174/ – Funk Forty Niner Apr 29 '14 at 02:43
  • The key to preventing SQL injection is **do not build executable code with data from the outside**. It's like making a pizza and part of what you put on the pizza is something that was left on your front steps. "Hey, look, the can says it's tomato sauce, I'll just put it on the pizza!" Do you trust the can of tomato sauce on something you're going to eat? Then don't trust user input in the code you're going to execute! – Andy Lester Apr 29 '14 at 03:07
  • [SQL injection is *not* a question of trust.](http://stackoverflow.com/a/22729097/53114) – Gumbo Apr 29 '14 at 04:31

3 Answers

5

is it possible to perform a SQL injection attack using only the password input and typing nothing in the username input?

Yes.

Andy Lester
1

If you're asking this, then your professor failed with the explanation. He's not alone, though.

Most people in the world confuse the injection with the exploit, taking one for the other.

What your professor demonstrated to you was an exploit. Yes, various particular exploits involve various particular query parts. But the principle of injection is the breaking of query integrity. That's all. As long as you can inject any code into the query, it is vulnerable. Whether you will be able to exploit it or not is another matter; one has to learn SQL, not injections, for this.

But the point of injection is just the breaking of query integrity. And for this matter it doesn't matter whether it is a password or a "remember me" checkbox. Comprehensible?

For a better understanding I'll recommend you an article I wrote, aimed at protection from injections, but it surely can help you to understand the injection too. The first three chapters and the appendices could be of the most help. Here it goes: The Hitchhiker's Guide to SQL Injection protection

Your Common Sense
0

Yes, it's possible; it depends on how the code is written to validate. If the code is written only to get a true/false result set, you can do pretty much anything to get a true result and get into the application. For example: `select '1' from xyz where username='xxx' or yy=yy`
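
Added example (not code from the original thread or from any of the posters): a login check built by string concatenation next to the same check with bound parameters, run against an in-memory SQLite database. The table layout, function names and sample values are assumptions made for this illustration. It shows the "query integrity" point from the answers above: with an empty username, a tautology of the same shape as the last answer's `or yy=yy` placed in the password field alone changes what the concatenated query means, and an ordinary password containing an apostrophe breaks that query outright, while the parameterized version treats both as plain data.

```python
import sqlite3

# Constructed sample input: a tautology shaped like the one in the last answer.
TAUTOLOGY = "' OR 'yy'='yy"


def make_db():
    """In-memory database with one constructed account.

    The password is stored in plaintext only to mirror the login query under
    discussion; a real system would store and compare a password hash.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "it's-a-secret"))
    return db


def login_concat(db, username, password):
    """Vulnerable pattern: both fields are spliced into the SQL text."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None  # the input changed the statement into invalid SQL


def login_param(db, username, password):
    """Hardened pattern: values are bound and never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    cases = [("", TAUTOLOGY), ("admin", "it's-a-secret"), ("admin", "wrong")]
    for user, pw in cases:
        print(repr(user), repr(pw),
              "concat:", login_concat(db, user, pw),
              "param:", login_param(db, user, pw))
```

`None` from `login_concat` means the statement failed to parse, which is the same loss of query integrity surfacing as an error instead of a bypass.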