In this article, we will discuss SQL Injection comprehensively. We will explore SQL Injection from basic to advanced levels. SQL Injection is an incredibly important topic in web security. We will divide SQL Injection into different parts, as it is a vast subject. Therefore, we will write multiple articles to fully explore SQL Injection.
SQL Injection is a web security vulnerability that allows an attacker to access the data from a database through the application’s interface. If a website or web application is vulnerable to SQL Injection, an attacker can gain unauthorized access to data, manipulate or delete it, and even perform other actions. They can extract sensitive information from other users, such as user credentials or credit card details. In some cases, SQL Injection can also be used to damage the backend infrastructure of a server, causing a Distributed Denial of Service (DDoS) attack.
What is the impact of a successful SQL injection attack?
If an attacker successfully performs an SQL Injection attack, they can gain unauthorized access to sensitive data, including passwords, credit card details, and personal user information. We have recently witnessed high-profile data breaches, which were the result of successful SQL Injection attacks. Such attacks can cause financial and reputational losses to an organization. Once an attacker gains access through SQL Injection, they may either sell the data or make it public. Additionally, they may deface the website as well.
Mystery lab challenges
- SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- SQL injection vulnerability allowing login bypass
- SQL injection UNION attack, determining the number of columns returned by the query
- SQL injection UNION attack, finding a column containing text
- SQL injection UNION attack, retrieving data from other tables
- SQL injection UNION attack, retrieving multiple values in a single column
- SQL injection attack, querying the database type and version on Oracle
- SQL injection attack, querying the database type and version on MySQL and Microsoft
- SQL injection attack, listing the database contents on non-Oracle databases
- SQL injection attack, listing the database contents on Oracle
- Blind SQL injection with time delays
- Blind SQL injection with out-of-band interaction
- Blind SQL injection with out-of-band data exfiltration
- SQL injection with filter bypass via XML encoding
- Blind SQL injection with conditional responses
- Blind SQL injection with conditional errors
- Visible error-based SQL injection
- Blind SQL injection with time delays and information retrieval
SQL injection examples
- Retrieving hidden data: You can modify the SQL query to retrieve hidden data.
- Subverting application logic: In this method, you can manipulate the SQL query to manipulate the application’s logic.
- UNION Attack: By performing a UNION attack, you can retrieve data from different tables in the database.
- Examining the database: With this attack, you can gather information about the database, such as its name, version, and type.
- Blind SQL injection: In blind SQL injection, you may not see the output directly on the application’s interface.
Retrieving hidden data
Let’s assume that we have a website where we are testing SQL Injection. The domain of the shopping site is example.com. Now, on example.com, there are various categories with product listings. Some products in these categories have not been released by the admin yet.
For example, consider the URL: https://example.com/products?category=Gifts
If SQL Injection is possible here, we can create an SQL injection-based query to fetch all the data from the database.
The query would be:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
With this query, we can fetch all the data from the product table that is stored under the gift category. The “*” denotes fetching all the data. In this case, there might be some data in the gift category that the admin has not released yet, but due to the SQL Injection flaw, we can fetch that data as well. An important thing to note is that the condition “AND released = 1” means that only data with a release status of 1 will be shown.
Now, since the developer has not implemented any defense system against SQL Injection, an attacker can construct an attack like this:
The corresponding SQL query would be:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
In this query, the “–” indicates a comment, meaning that the condition “AND released = 1” will not be executed. The attacker can display both released and unreleased products from the database.
If we further analyze this attack, the attacker can fetch data from categories that they may not even be aware of.
For instance: https://example.com/products?category=Gifts’+OR+1=1–
The resulting query would be: SELECT * FROM products WHERE category = ‘Gifts’ OR 1=1–‘ AND released = 1
In this query, the attacker is fetching all the products under the Gifts category or when the condition 1=1 (which is always true) is met. Since 1=1 is always true, the attacker can successfully fetch all the items.
Subverting application logic
We have a website called example.com/login. Now, if I want to log in to this website, I will need to enter my username and password to authenticate myself. Let’s assume the username is “wiener” and the password is “peter”. If these are the accurate credentials, I will successfully log in to the website.
The SQL query for this would be:
SELECT * FROM users WHERE username = 'wiener' AND password = 'peter
This query will directly go to the database and check if the username and password match any user in the credentials. If there is a match, I will be logged into the application. Otherwise, I will receive an error message.
Now, if there is an SQL Injection vulnerability, an attacker can log in to the application or website without even entering a password. The attacker can enter the username as “admin’–“. In this case, “admin” acts as the username, and the password is commented out. Based on this, I can log in to the application without providing a password.
The SQL query for this would be:
SELECT * FROM users WHERE username = 'admin'--' AND password = ''
Using this query, I can successfully log in to the application without entering a password.
Retrieving data from other database tables
If we further explore SQL Injection, we can retrieve data from other database tables. For example, if there is a table named “Gifts” in the database, and I want to fetch its name and description, I can do it easily with an SQL query:
SELECT name, description FROM Products WHERE category = 'Gifts'
In the same way, I can retrieve usernames and passwords from any table in the database:
' UNION SELECT username, password FROM Users--
In this SQL Injection query, I can fetch usernames and passwords from the “Users” table.
Examining the database
Whenever an attacker discovers an SQL Injection vulnerability on a website, the first thing they do is collect information about the database. We have various types of databases like Oracle, MySQL, etc. If we gather information about the database, such as its version and the schemas and tables being used, we can easily construct further SQL queries.
To find the database version, we can use the following SQL query:
SELECT * FROM v$version
To retrieve details about the schemas and tables in the database, we can use the following SQL query:
SELECT * FROM information_schema.tables
Remember, if you have a good understanding of SQL, exploiting SQL Injection becomes relatively easy. Understanding SQL is essential if you want to master SQL Injection.
Blind SQL injection vulnerabilities
Blind SQL injection is a type of SQL injection. Exploiting blind SQL injection is slightly more challenging compared to regular SQL injection. In blind SQL injection, we don’t get errors or application data displayed, which is why it is called blind SQL injection. However, it is still possible to exploit it and retrieve sensitive data from the database.
- To exploit blind SQL injection, we need to understand the application’s logic and observe the database’s responses. We can exploit blind SQL injection using the following technique:
- The easiest way to exploit blind SQL injection is to use time-based SQL injection payloads and check the response. If there is a delay in the response that corresponds to the time set in your payload, you can confirm the presence of blind SQL injection.
- You can also exploit blind SQL injection using the out-of-band technique through the OAST (Out-of-Band Application Security Testing) technique. This technique is considered the most powerful, and tools like the Burp Suite Professional version provide this capability.
- There are many other techniques you can learn about on the official PortSwigger Web Security website in their SQL injection articles.
How to detect SQL injection vulnerabilities
There are two methods to detect SQL injection: manual and automation tools. My favorite method is using automation tools. In this method, we use Burp Suite Professional version, which helps us hunt for SQL injection vulnerabilities and extract data from any application. You can simply scroll through the complete site and run an active scan with SQL injection selected.
For manual methods to exploit SQL injection, the following techniques can be used:
- To find SQL injection, you can use a single quote ‘ or double quote “. If the application is vulnerable, it will generate an error in response.
- You can apply boolean conditions such as OR 1=1 and OR 1=2 to check the application’s response and analyze it.
- You can use OAST (Out-of-Band Application Security Testing) payloads, specifically designed to detect out-of-band SQL injection.
The next topic to continue this series is Authentication Vulnerabilities, You must have to complete the SQL Injection topic before starting the next topic in this series. Good Luck!
Reference: PortSwigger Web Security