SQL Injection

SQL Injection is an old-but-gold vulnerability responsible for many high-profile data beaches.

Althoughrelatively simple to learn, it can potentially be used for some high-severity Exploit.

this makes it an ideal first topic for beginners, and essential knowledge even for more experienced users.

 

 

 

 

 

 

 

What is a SQL injection

  • SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

 

  • It generally allows an attacker to view data that they are not normally able to retrieve.

 

  • This might include data belonging to other users, or any other data that the application itself is able to access.

 

  • In many cases, an attacker can mod ify or delete this data, causing persistent changes to the application's content or behavior.

 

  • In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

Machine generated alternative text:
m.110N SELECT username, 
password FROM users-- 
SELECT name, description FROM products WHERE category 
'Gifts' I-NION SELECT username, password PROM users- - 
* All passwords 
All usernames

 

 

 

 

What is the impact of a successful SQL injection attack?

    • A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
    • Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines.
    • In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.

     

 

 

 

SQL injection types

    There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

     

    1. Retrieving hidden data: where you can modify an SQL query to return additional results.
    2. Subverting application logic: where you can change a query to interfere with the application's logic.
    3. UNION attacks: where you can retrieve data from different database tables.
    4. Examining the database: where you can extract information about the version and structure of the database.
    5. Blind SQL injection: where the results of a query you control are not returned in the application's responses.

     

     

     

     

 

 

1. Retrieving hidden data

Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL:

https://insecure-website.com/products?category=Gifts

 

This causes the application to make an SQL query to retrieve details of the relevant products from the database:

 

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

 

This SQL query asks the database to return:

  • all details (*)
  • from the products table
  • where the category is Gifts
  • and released is 1.

 

The restriction released = 1 is being used to hide products that are not released. F or unreleased products presumably released = 0

 

The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like:

https://insecure-website.com/products?category=Gifts'--

 

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

 

The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment.

This effectively removes the remainder of the query, so it no longer includes AND released = 1

This means that all products are displayed, including unreleased products.

Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about:

https://insecure-website.com/products?category=Gifts'+OR+1=1--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

 

The modified query will return all items where either the category is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items.

 

 

 

1

 

 

 

2. Subverting application logic

Consider an application that lets users log in with a username and password. If a user submits the username yahya and the password 123456 , the application checks the credentials by performing the following SQL query:

 

SELECT * FROM users WHERE username = 'yahya' AND password = '123456'

 

  • If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.

 

 

Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username yahya'-- and a blank password results in the following query:

SELECT * FROM users WHERE username = 'yahya'--' AND password = ''

 

This query returns the user whose username is yahya and successfully logs the attacker in as that user

 

 

 

 

1

 

 

 

3. Retrieving data from other database tables

In cases where the results of an SQL query are returned within the application's responses, an attacker can leverage an SQL injection vulnerability to retrieve data from other tables within the database. This is done using the UNION keyword, which lets you execute an additional SELECTquery and append the results to the original query.

For example, if an application executes the following query containing the user input "Gifts":

SELECT name, description FROM products WHERE category = 'Gifts'

then an attacker can submit the input:

' UNION SELECT username, password FROM users--

This will cause the application to return all usernames and passwords along with the names and descriptions of products.

 

 

 

 

 

 

 

 

 

SQL injection UNION attacks

  • When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in an SQL injection UNION attack.

 

  • The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:

 

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

 

This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.

 

For a UNION query to work, two key requirements must be met:

 

  1. The individual queries must return the same number of columns.
  2. The data types in each column must be compatible between the individual queries.

 

To carry out an SQL injection UNION attack, you need to ensure that your attack meets these two requirements. This generally involves figuring out:

  1. How many columns are being returned from the original query?
  2. Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
    • Determining the number of columns required in an SQL injection UNION attack

     

    When performing an SQL injection UNION attack, there are two effective methods to determine how many columns are being returned from the original query.

     

     

    The first method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs. For example, assuming the injection point is a quoted string within the WHERE clause of the original query, you would submit:

    ' ORDER BY 1--

    ' ORDER BY 1--

    ' ORDER BY 3--

    etc.

     

    This series of payloads modifies the original query to order the results by different columns in the result set. The column in an ORDER BY clause can be specified by its index, so you don't need to know the names of any columns. When the specified column index exceeds the number of actual columns in the result set, the database returns an error, such as:

    The ORDER BY position number 3 is out of range of the number of items in the select list.

     

    The application might actually return the database error in its HTTP response, or it might return a generic error, or simply return no results. Provided you can detect some difference in the application's response, you can infer how many columns are being returned from the query.

     

    The second method involves submitting a series of UNION SELECT payloads specifying a different number of null values:

    ' UNION SELECT NULL--

    ' UNION SELECT NULL,NULL--

    ' UNION SELECT NULL,NULL,NULL--

    etc.

     

    If the number of nulls does not match the number of columns, the database returns an error, such as:

    All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.

     

     

     

    Again, the application might actually return this error message, or might just return a generic error or no results. When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column. The effect on the resulting HTTP response depends on the application's code. If you are lucky, you will see some additional content within the response, such as an extra row on an HTML table. Otherwise, the null values might trigger a different error, such as a NullPointerException.

    Worst case, the response might be indistinguishable from that which is caused by an incorrect number of nulls, making this method of determining the column count ineffective.

     

     

     

     

     

     

     

     

     

     

     

     

     

     

 

Created with OneNote.