SQL injections - Injecting to hacking
SQL stands for Structured Query Language.
SQL Injection, mostly referred to as SQLi, is an attack on a web application database server that causes malicious queries/code to be executed.
When a web application communicates with a database using input from a user that hasn't been properly validated, there is the potential for an attacker to steal, delete or alter private and customer data, and also to attack the web application's authentication methods for private or customer areas.
SQLi is one of the oldest web application vulnerabilities and is often exploited by attackers. It is so well known that injection is on the OWASP Top Ten list.
What is a database?
A database is a way of storing collections of data in an organized manner electronically.
Databases are controlled by a DBMS (Database Management System). DBMSs fall into two camps, relational or non-relational. Within a DBMS, you can have multiple databases, each containing its own set of related data.
For example, you may have a database called "shop". Within this database, you want to store information about products available to purchase, users who have signed up to your online shop, and information about the orders you've received. You'd store this information separately in the database using something called tables, each of which is identified by a unique name. You can see this structure in the diagram below, and you can also see how a business might have other separate databases to store staff information or data for the accounts team.
What is SQLi?
SQL is a feature-rich programming language used for querying databases; the SQL queries it expresses are better referred to as statements.
The simplest commands, which we'll discuss in this article, are used to select, update, insert and delete data. Some database servers have their own syntax, and slight changes to these commands may be needed to get things to work. Since SQL injection is so well known, you can easily find these commands on the web.
SELECT
1. The SELECT query is used to retrieve data from the database.
select * from users;
2. In this query, we extract only the data we require by naming the columns we want returned.
select username,password from users;
3. This will only return the rows where the username is admin.
select * from users where username='admin';
4. This will only return the rows where the username is NOT equal to admin.
select * from users where username != 'admin';
5. This one returns the rows where the username is equal to admin and the password is equal to p4ssword.
select * from users where username='admin' and password='p4ssword';
Furthermore, I won't waste your time with more queries; you can find them all at the link below.
INSERT
It inserts a new row of data into the table. It names the columns we are providing data for, and then values ('username','password'); provides the data for the previously specified columns.
insert into users (username,password) values ('bob','password123');
UPDATE
It basically updates one or more rows of data within a table.
update users SET username='root',password='pass123' where username='admin';
DELETE
The DELETE statement tells the database we wish to delete one or more rows of data.
delete from users where username='martin';
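To see these statements actually run, here is an added Python example (not code from the article) that builds the users table in an in-memory SQLite database, executes the article's SELECT, INSERT, UPDATE and DELETE statements, and returns what each one yields. The sample rows are constructed; one of them has a NULL username to show a point the statements alone do not: such a row matches neither username='admin' nor username != 'admin'.

```python
import sqlite3

# Constructed sample rows for the article's "users" table (username, password).
# Real systems store password hashes, never the plaintext shown here.
SAMPLE_USERS = [
    ("admin", "p4ssword"),
    ("alice", "hunter2"),
    ("martin", "letmein"),
    (None, "orphan"),  # NULL username, to show how comparisons treat NULL
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users (username, password) values (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def run_select_examples(conn):
    """Run the article's SELECT statements; return the usernames each yields."""
    results = {}
    results["all"] = [r[0] for r in conn.execute("select * from users")]
    results["columns"] = conn.execute(
        "select username,password from users"
    ).fetchall()
    results["admin_only"] = [
        r[0] for r in conn.execute("select * from users where username='admin'")
    ]
    # A NULL username is neither equal nor unequal to 'admin': the comparison
    # yields NULL, which WHERE treats as false, so the NULL row is absent from
    # both admin_only and not_admin.
    results["not_admin"] = [
        r[0] for r in conn.execute("select * from users where username != 'admin'")
    ]
    results["admin_with_password"] = [
        r[0]
        for r in conn.execute(
            "select * from users where username='admin' and password='p4ssword'"
        )
    ]
    return results


def run_modify_examples(conn):
    """Run the article's INSERT, UPDATE and DELETE; return the remaining usernames."""
    conn.execute("insert into users (username,password) values ('bob','password123')")
    conn.execute(
        "update users SET username='root',password='pass123' where username='admin'"
    )
    conn.execute("delete from users where username='martin'")
    conn.commit()
    # SQLite sorts NULL before any text value, so the NULL row comes first.
    return [r[0] for r in conn.execute("select username from users order by username")]


if __name__ == "__main__":
    db = make_db()
    print(run_select_examples(db))
    print(run_modify_examples(db))
```

The not_admin result is the one worth remembering: a WHERE clause written as "everything except admin" silently drops rows whose username is NULL, which matters whenever an access check is phrased as an exclusion.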
SQL Injection Example
A hacker who wishes to execute SQL injection manipulates a standard SQL query to exploit non-validated input vulnerabilities in a database. The first step, before any manipulation, is finding an input that is passed into a database query; only then can the hacker begin the manipulation.
For example, a query that pulls information for a specific product can be altered to read like this.
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 OR 1=1
Because 1=1 is always true, the WHERE clause now matches every row, and the query returns every item instead of only item 999.
Types of SQL injection attacks
1. Unsanitized Input
Unsanitized input is a common type of SQLi attack in which the attacker provides user input that isn't properly sanitized for characters that should be escaped, and/or the input isn't validated to be the type that is correct/expected.
For example, a website used to pay bills online might request the user's account number in a web form and then send that to the database to pull up the associated account information. If the web application is building a SQL query string dynamically with the account number the user provided, it might look something like this:
"SELECT * FROM customers WHERE account = '" + userProvidedAccountNumber +"';"
While this works for users who are properly entering their account number, it leaves the door open for attackers. For example, if someone decided to provide an account number of ' or '1' = '1, that would result in a query string of:
"SELECT * FROM customers WHERE account = '' or '1' = '1';"
Because '1' = '1' always evaluates to TRUE, sending this statement to the database will result in the data for all customers being returned instead of just a single customer.
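As an added example that is not part of the original article, the following Python code runs the bill-payment lookup above against an in-memory SQLite database (the sqlite3 module is in the standard library) in three forms: the vulnerable string concatenation shown above, the same lookup with a bound parameter, and the parameterized lookup with input validation in front of it. The customers table, its rows and the four-digit account-number format are constructed assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample customer rows (account, name, balance); not real data.
SAMPLE_CUSTOMERS = [
    ("1001", "Alice Example", 120.50),
    ("1002", "Bob Example", 75.00),
    ("1003", "Carol Example", 0.00),
]

# Assumption for this example: account numbers are exactly four digits.
ACCOUNT_RE = re.compile(r"^[0-9]{4}$")


def make_db():
    """Create an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customers (account text, name text, balance real)")
    conn.executemany("insert into customers values (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_provided_account_number):
    """The article's pattern: the untrusted value is glued into the SQL text,
    so whatever the user typed becomes part of the statement itself."""
    query = (
        "SELECT * FROM customers WHERE account = '"
        + user_provided_account_number
        + "';"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_provided_account_number):
    """Same lookup with a bound parameter. The driver passes the value to the
    engine separately from the statement, so quotes inside it stay data and
    can never change the query's structure."""
    query = "SELECT * FROM customers WHERE account = ?;"
    return conn.execute(query, (user_provided_account_number,)).fetchall()


def validation_rejects(value):
    """True when the value is not shaped like an account number at all."""
    return not ACCOUNT_RE.fullmatch(value)


def lookup_validated(conn, user_provided_account_number):
    """Defence in depth: validate the type/shape of the input first, then
    use the parameterized query. Malformed input never reaches the database."""
    if validation_rejects(user_provided_account_number):
        raise ValueError("account number must be exactly four digits")
    return lookup_parameterized(conn, user_provided_account_number)


if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1' = '1"  # the article's example input
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "1001"))
    print("vulnerable, tautology input:", lookup_vulnerable(db, tautology))
    print("parameterized, tautology:   ", lookup_parameterized(db, tautology))
    print("validated, tautology:       ", validation_rejects(tautology))
```

With the normal input both lookups return one customer. With the article's input the concatenated query returns every customer, while the parameterized query simply looks for an account literally named ' or '1' = '1 and finds nothing; the validator refuses the value before any query is issued.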
Blind SQL Injection
It is also referred to as Inferential SQL Injection.
A Blind SQL injection attack doesn't reveal data directly from the database being targeted. Rather, the attacker closely examines indirect clues in behavior. Details within HTTP responses, blank web pages for certain user input, and how long it takes the database to respond to certain user input are all things that can be clues, depending on the goal of the attacker. They could also point to another SQLi attack avenue for the attacker to try.
Out-of-Band Injection
This attack is a bit more complex and may be used by an attacker when they cannot achieve their goal in a single, direct query-response attack. Typically, an attacker will craft SQL statements that, when presented to the database, will trigger the database system to create a connection to an external server the attacker controls. In this fashion, the attacker can harvest data or potentially control behavior of the database.
If you want to learn more about SQL injection, I would also recommend this webpage by OWASP. It contains various examples and modules.
Here is another great resource for learning SQLi. It's written from an engineering perspective.
SQL injection cannot be learned only by reading articles, though; you'll have to practise these queries and this syntax a lot in real life. So I would highly suggest doing some CTF (Capture the Flag) challenges so that you can understand it better.
Be safe, be secure, and happy hacking :)