Types of SQL Injection (SQL)
SQL injection is a code injection technique used to attack data-driven applications.
It can cause many serious problems: the attacker may be able to access, modify or delete
the data within the database and bypass authentication. In some cases it can be used to
execute commands on the operating system, increasing the risk of a damaging attack inside
the network that sits behind the firewall.
There are three major types:
1. In-band SQL injection,
2. Inferential SQL injection and
3. Out-of-band SQL injection.
In-band SQL Injection (Classic SQL Injection)
In-band SQL injection is the most common and easiest-to-exploit type of SQL injection attack.
It occurs when an attacker is able to use the same communication channel both to launch the
attack and to gather the results.
It is further divided into two types:
1. Error-based SQL injection
2. Union-based SQL injection.
Error-based SQL Injection
This subtype of in-band SQL injection relies on the error messages thrown by the database
server to obtain information about the structure of the database. In some cases error-based
SQL injection alone is enough for an attacker to enumerate an entire database.
While errors are very useful during the development phase of a web application, they should
be disabled on a live site, or logged to a file with restricted access instead.
Union-based SQL Injection
Union-based SQL injection is an in-band technique that leverages the UNION SQL operator
to combine the results of two or more SELECT statements into a single result, which is then
returned as part of the HTTP response.
Inferential SQL Injection (Blind SQL Injection)
Inferential SQL injection differs from in-band SQL injection in that the attacker needs more
time to exploit it, but it is just as harmful as the other types. No data is transferred through
the web application and, unlike in-band injection, the attacker cannot see the results of the
attack directly, which is why it is known as blind SQL injection. However, the attacker is
able to reconstruct the database structure by sending payloads and observing the web
application's response and the resulting behavior of the database server.
There are two further types of inferential SQL injection:
1. Boolean-based blind SQL injection
2. Time-based blind SQL injection.
Boolean-based (content-based) Blind SQL Injection
This subtype of inferential SQL injection sends a SQL query to the database that forces the
application to return a different result depending on whether the query evaluates to TRUE or
FALSE.
The content of the HTTP response changes or remains the same depending on the result
obtained. This allows an attacker to infer whether the payload used returned true or false, even
though no data from the database is returned. This attack is typically slow (especially on large
databases), since an attacker would need to enumerate a database character by character.
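To make the difference between the union-based (in-band) and boolean-based (inferential) behaviour described above concrete, here is an added example that is not part of the original page: a lookup built by string concatenation next to its parameterized replacement, run against a constructed in-memory SQLite database. The users and secrets tables and the sample inputs are assumed test data, not anything from the page.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the original page): a public users
    # table and a secrets table that the lookup is never meant to touch.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE secrets (id INTEGER, token TEXT);
        INSERT INTO secrets VALUES (1, 'tok-111'), (2, 'tok-222');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is spliced into the SQL text, so it is parsed as SQL:
    # a UNION appended here reads other tables through the same HTTP response
    # (in-band), and an OR condition changes whether rows come back at all
    # (the content difference a boolean-based blind attack observes).
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return sorted(conn.execute(sql).fetchall())


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the value is bound by the driver and is only ever
    # compared as data, so the same inputs match no row and alter nothing.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return sorted(conn.execute(sql, (name,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "x' UNION SELECT id, token FROM secrets -- ",
                  "x' OR 1=1 -- "):
        print(repr(value), vulnerable_lookup(db, value), safe_lookup(db, value))
```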
Time-based Blind SQL Injection
This subtype of inferential SQL injection sends a SQL query that forces the database to wait
for a specified amount of time before responding. The response time tells the attacker whether
the query evaluated to TRUE or FALSE.
Depending on the result, the HTTP response is returned with a delay or returned
immediately. This allows an attacker to infer whether the payload used returned true or false,
even though no data from the database is returned. This attack is typically slow (especially on
large databases), since an attacker would need to enumerate a database character by character.
Out-of-band SQL Injection
Out-of-band SQL injection is not very common, as it depends on features being enabled on the
database server used by the web application. It occurs when an attacker is unable to use the
same channel to launch the attack and gather the results.
Out-of-band techniques offer the attacker an alternative to inferential time-based techniques,
especially when the server's responses are not very stable. Out-of-band SQL injection relies
on the database server's ability to make DNS or HTTP requests to deliver data to an attacker.