May 19, 2021

SQL Injection

What is SQL injection?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

What is the impact of a SQL injection?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. In recent years, many high-profile data breaches have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period.

SQL injection examples

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

Retrieving hidden data, where you can modify an SQL query to return additional results.
Subverting application logic, where you can change a query to interfere with the application’s logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and structure of the database.
Blind SQL injection, where the results of a query you control are not returned in the application’s responses.

Retrieving hidden data

Consider a application that displays results in different categories.

https://website.com/items?category=Fruits

This causes the application to make an SQL query to retrieve details.

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

It returns all the details from the database, attacker construct a SQL query like.

https://website.com/items?category=Fruits'--

!Query 
Select * From items where category = 'Fruits'--' AND released = 1

You can study more about Retrieving hidden data on PortSwigger

Subverting application logic

Suppose a application has login page where user can enter his username and password for example:

Username = Anonymous
Password = 12345

The application checks SELECT * FROM users WHERE username = 'Anonymous' AND password = '12345' If the query returns the details of a user, then the login is successful.

Here, an attacker make a simple change by using SQL comment sequence -- to remove the password check, so he has full access to login as any user. For example

Username = admin'--
Password = 
!Blank password

The query be like
SELECT * FROM users WHERE username = 'admin'--' AND password = ''

The attacker can login easily as admin

You can study more about Subverting application logic on PortSwigger

UNION attacks

If the application is vulnerable to SQL injection, the UNION can used to retrieve data from other tables within the database.

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

You can study more about UNION attacks on PortSwigger

Examining the database

When an attacker exploiting SQL injection vulnerability, it is necessary to gather information about the type of database.

Database type	Query	Payload
Microsoft, MySQL	`SELECT @@version`	`' UNION SELECT @@version--`
Oracle	`SELECT * FROM v$version`	`' UNION SELECT * FROM v$version`
PostgreSQL	`SELECT version()`	`' UNION SELECT version()`

You can study more about Examining the database on PortSwigger

Blind SQL injection asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

You can study more about Blind SQL injection on PortSwigger and OWASP

Get your hands dirty on SQL injection with TryHackMe

Link to the room
A detail writeup of SQL injection room My writeup
Checkout my THM profile Profile