What is SQL Injection (SQLi) Vulnerability?
- A security weakness in web applications that build SQL (Structured Query Language) queries from user input when interacting with a database. Attackers exploit it by injecting SQL syntax into user input fields, altering the intended SQL queries.
This allows attackers to potentially:
- Steal sensitive data (usernames, passwords, personal information)
- Modify or delete data (change website content, corrupt databases)
- Gain unauthorized access to the database or even the underlying server
Types of SQL Injection
- In Band
- Out of Band
- Blind SQLi
SQLi Exploitation Techniques
- Error Based Exploitation
- Union Based Exploitation
- Boolean Based Exploitation
- Time-Based Delay Exploitation
- Out of Band Exploitation
Try to identify where the application interacts with the DB
- Authentication Page
- Search Fields
- Post Fields
- Get Fields
- HTTP Header
- Cookie
Basic SQL Functions
- SELECT - read data from the database based on search criteria
- INSERT - insert new data into the database
- UPDATE - update existing data based on given criteria
- DELETE - delete existing data based on given criteria
- ORDER BY - sorts the result set in ascending or descending order
- LIMIT - restricts how many records a statement retrieves from one or more tables
How to detect SQL injection vulnerabilities
- You can detect SQL injection manually using a systematic set of tests against every entry point in the application. To do this, you would typically submit:
- The single quote character ', a semicolon ;, or a backslash \, and look for errors or other anomalies.
- Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses.
1. Retrieving hidden data
- SQL injection vulnerability in a WHERE clause allowing retrieval of hidden data: modify the parameter value, giving it the value '+OR+1=1-- (the URL-encoded form of ' OR 1=1--).
2. SQL injection vulnerability allowing login bypass
Subverting application logic
Imagine an application that lets users log in with a username and password. If a user submits the username wiener and the password bluecheese, the application checks the credentials by performing the following SQL query: SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.
In this case, an attacker can log in as any user without the need for a password. They can do this using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username administrator'-- and a blank password results in the following query: SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
This query returns the user whose username is administrator and successfully logs the attacker in as that user.
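To see the mechanism from the defender's side, here is an added Python example (not part of the original notes) that builds the login query described above both by string concatenation and as a parameterized query against a constructed in-memory SQLite table, and shows that only the concatenated version is subverted by the administrator'-- input:

```python
import sqlite3


def make_db():
    """Constructed sample database for the demo (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "s3cret-admin"), ("wiener", "bluecheese")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, so user input becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username "administrator'--" the password check is commented out.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds values, so quotes and -- stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs a legitimate login and the bypass input against both variants."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "wiener", "bluecheese"),
        "bypass_vuln": login_vulnerable(conn, "administrator'--", ""),
        "legit_safe": login_safe(conn, "wiener", "bluecheese"),
        "bypass_safe": login_safe(conn, "administrator'--", ""),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized variant returns None for the bypass input, which is the fix to apply wherever the notes' detection tests above produce anomalies.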
3. SQL injection UNION attacks
- When an application is vulnerable to SQL injection, and the results of the query are returned within the application's responses, you can use the UNION keyword to retrieve data from other tables within the database. This is commonly known as a SQL injection UNION attack.
1. Determining the number of columns required
- When you perform a SQL injection UNION attack, there are two effective methods to determine how many columns are being returned from the original query. One method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs. For example, if the injection point is a quoted string within the WHERE clause of the original query, you would submit:
- ' ORDER BY 1--
- ' ORDER BY 2--
- ' ORDER BY 3--
2. The second method involves submitting a series of UNION SELECT payloads specifying a different number of null values:
- ' UNION SELECT NULL--
- ' UNION SELECT NULL,NULL--
- ' UNION SELECT NULL,NULL,NULL--
4. Using a SQL injection UNION attack to retrieve interesting data
- When you have determined the number of columns returned by the original query and found which columns can hold string data, you are in a position to retrieve interesting data.
- The original query returns two columns, both of which can hold string data.
- The injection point is a quoted string within the WHERE clause.
- The database contains a table called users with the columns username and password.
- In this example, you can retrieve the contents of the users table by submitting the input:
- ' UNION SELECT username, password FROM users--
- In order to perform this attack, you need to know that there is a table called users with two columns called username and password. Without this information, you would have to guess the names of the tables and columns. All modern databases provide ways to examine the database structure and determine what tables and columns they contain.