Hope you are doing well…
Today we will discuss SQL Injection.
What is SQL Injection?
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.
Impact of this Attack:
The impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables, and in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
This means that the query that was executed back in the database was the following:
SELECT First Name, Last Name FROM users WHERE ID=’1′;
The injectable parameter on the URL is of course the id field so before we do anything else, we can try to change the ID number on the URL to other values (i.e. 2,3,4 etc.) in order to find the first names and surnames of all the users. For example, we have discovered the following:
id=2 —–> First Name: Gordon Surname: Brown
id=3 —–> First Name: Hack Surname: Me
id=4 —–> First Name: Pablo Surname: Picasso
id=5 —–> First Name: Bob Surname: Smith
An alternative solution that would extract all the First names and Surnames from the table would be to use the following injection string. The SQL query, in this case, will be something like this:
SELECT First Name, Last Name FROM users WHERE ID=a’ OR ”=’;
The above statement it is always true so it will cause the application to return all the results.
How Does a SQL Injection Attack Work?
A SQL injection attack targets vulnerability in dynamic SQL statements. Think of a dynamic SQL statement like a multivariate function in mathematics, of which the parameters are fixed, while the values substituted in the independent variables determine the result.
Similarly, a dynamic SQL statement also consists of a predetermined set of parameters (such as a web form), of which the complete statement is only generated when a user fills in their inputs. See the following example of a SQL statement of a login form:
SELECT * FROM users WHERE username = ‘$username’ AND password = bcrypt (‘$password’)
After the user enters their username and password, the statement would be completed, after which a query would be sent to the server to retrieve the user’s information from the database.
When a vulnerability exists in a dynamic SQL statement, the attacker would be able to enter complex scripts into the forms to interfere with the preexisting parameters to alter the meaning of the complete statement.
How to detect SQL injection vulnerabilities
The majority of SQL injection vulnerabilities can be found quickly and reliably using Burp Suite’s web vulnerability scanner.
SQL injection can be detected manually by using a systematic set of tests against every entry point in the application. This typically involves:
- Submitting the single quote character ‘ and looking for errors or other anomalies.
- Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
- Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application’s responses.
- Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
- Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
Recommendation: Try this only for educational and Security purposes.
Learn More about SQL injection with the Course from Securium Solutions Pvt Ltd. Contact us through the Query Box.