Advanced SQL Injection

by | Jul 9, 2022 | Uncategorized | 0 comments

Introduction

Advanced SQL queries can be utilized in the circumstances of SQL injections where there is no response from the web server. Part 1 of the SQL injection attack is available. You should read this article if you wish to learn the principles of SQL injection.

This article discusses advanced SQL injection techniques and tools for enumerating websites and evading security barriers.

What is Advanced SQL injection?

Over the years, awareness of SQL injection attacks has been raised. Such attacks are avoided by implementing specific preventive measures.

Advanced queries can be time-consuming, but they are just as hazardous as regular injection attacks. And advanced SQL injection techniques, on the other side, can be used to overcome the measures.

Types of SQL injection 

In-band SQLi: This basic SQL injection is the simplest to attack and the most popular of the three types. This injection employs the same channel to launch the attack and collect the results.

Out-of-band SQLi: Out-of-band SQLi is the least common of the three types of injection. This attack occurs when an attacker cannot launch the attack and gather results over the channel.

Inferential SQLi: The data is not transferred over the web application in this injection, and the attacker cannot see the results, and the attacker delivers payloads and waits for a response from the server. This allows the attacker to recreate the database and collect information.

Blind-SQL injection

What is Blind SQL injection?

Blind SQLi (also known as inferential SQLi) is an attack in which the web application does not respond with results.

It is performed by sending True or False questions to the database with SQL queries. Techniques such as the UNION attack are ineffective against blind SQL injection vulnerabilities and It has two types: Boolean-based and Time-based.

Types of Blind-SQL injection

Boolean-Based: The attacker sends SQL queries to the database and causes it to deliver a result based on True or False results in Boolean-based injections.

Time-based: In this form of SQL injection, the attacker sends SQL queries to the database and then waits for the database to provide the results.

When there are no other means to retrieve a response from the database, a time-based SQL injection attack will be utilized. Because the query will generate a time delay for the time supplied by the attacker. Using the browser’s inspection feature, you can see how long the response took.

Intruder Enumeration

A brute-force attack on HTTP requests can be carried out using the Burp Suite intruder.

It is possible to automatically enumerate the database names and tables using an intruder. And it is also possible to dump all the table content into a file.

SQLMap

What is SQLMap?

SQLMap is a Python-based automated tool for detecting and exploiting SQL injection problems.

It supports a wide range of SQL database systems, including MySQL, Oracle, PostgreSQL, Microsoft Access, and many others. As SQLMap offers the ability to list users, password hashes, privilege roles, databases, tables, and columns.

Because it supports six injection techniques: Boolean, Time-based, Error-based, Union Query, Stacked Query, and Out-of-Band.

Advantages & disadvantages

advantages:

  • supports a large number of database management systems.
  • Six different injection procedures are supported.
  • Allows for direct database access.
  • Enumeration of users, password hashes, rights, and more are supported.
  • It can recognize password hashes automatically.
  • Dumping whole database tables.

Disadvantages

  • If a complicated context escape is permitted, the test will be ineffective.
  • The relevant injection is not always updated.
  • Make a lot of commotion on the network.

Capture Request

Some online apps require special headers or cookies for requests to be sent to them.

The Burp Suite may be used to intercept “POST” requests and alter specified parameters using SQLMap.

Database Enumeration

Enumeration is a crucial SQLMap functionality. A simple command can be used to enumerate databases.

SQLMap can list several database types and save the results to a file. The command is sqlmap -u “TARGET-URL” -D bWAPP –dbs

Table Enumeration

SQLMap can also enumerate tables, and it can be utilized in combination with captured requests.

The attacker needs to know what to look for to uncover sensitive information in databases. The command is sqlmap -u “TARGET-URL” -D bWAPP –tables.

Bypassing Security Measures

Web Application Firewall

WAF (Web Application Fire) is a network traffic filtering application that filters incoming and outgoing network traffic based on predefined settings and rules.

A WAF can detect and prevent attacks that exploit website vulnerabilities by monitoring HTTP traffic. Since the level of awareness of SQLi attacks has risen over the years, web applications have begun implementing WAF.

WAF Detection

WAFs can be detected both manually and automatically with dedicated tools. And can be a widely used tool to identify a WAF is wafw00f, which sends a legitimate HTTP request and analyses the response.

It is also possible to use the nmap http-waf-detect script, which can detect the presence of many security measures.

Obfuscated Queries

WAFs use blacklists to filter functions and words that contain familiar keywords such as AND, OR, ORDER BY, etc. And to bypass this protection, an attacker can use obfuscation so that the WAF will not be able to detect the words.

Obfuscations

When it comes to avoiding regex rules or detection mechanisms, it is the same as in other areas of command execution. But it is advised to utilize obfuscation. SQL has restricted variations, but they can still be used.

MethodExplanation
1’OR’1’=’1Some queries can be written without the use of spaces.
1’%20OR%20’1’=’1URL encoding is another technique for escaping spaces.
1’%09OR%09’1’=’1This should be used instead of spaces in SQL tabs.
1’/**/9OR/**/1’=’1In some cases, comments can be used to conceal information.
COUNTThe number of data rows returned by the query.
ALTERColumns are renamed, deleted, or added to or from a table.

Tamper Scripts

Guidelines must be followed when using tamper scripts. Because the tamper function must exist to receive the SQL query in an argument called “payload.” At the end of the function, it returns a statement that should return the tampered query.

solutions for security

Input Filtration: From a coding standpoint, SQL injection is protected by filtering input and using predefined queries, which is considered a secure technique to filter input, and using a prepared statement prevents harmful queries from being executed.

SQL protection is essential because SQL stores sensitive information. Another method for preventing SQL injections is to use a prepared statement. The goal is to detect strings that contain requests such as “to ban,” “to quote,” and so on.

Order By Clause

The information rows are returned in no particular sequence by the SELECT operation. The ORDER BY clause performs data sorting in ascending or decreasing order. ORDER BY allows you to rearrange the rows as needed.

It can enumerate data and ORDER BY injections are performed differently than other injection procedures.

An ORDER BY clause can be effective when a database rejects WHERE, OR, AND, and UNION. The query will enable a user to understand if the first character in the first name is A, according to the ASCII number.

If A is the first character, the list will be sorted by the first name. It will be arranged by userid if it is not A. With this query, a brute-force assault can be performed to extract the complete string.

It is easy to optimize this method using a script or SQLMap.

Website Enumeration

Enumerating a website’s directories, pages, and files is important in Web Application Penetration Testing. This can be accomplished by conducting a brute force attack on the site’s path.

Programs like Drib and GoBuster transmit requests for pages, directories, and files that are either listed in a wordlist or produced by rules. And we can tell if the request element exists by inspecting the answer.

Although a web spider also enumerates a website. It only finds content that contains hyperlinks.

Dirb

Dirb is a website application scanner that uses brute force to enumerate directories based on wordlists. It sends an HTTP request to a web application and observes the response code.

Dirb includes a wordlist with more than 4000 words and is used for a brute-force attack. And it can also work with customized wordlists.

DirBuster

DirBuster is a brute-force GUI attack tool that finds directories and files in web applications.

OWASP created DirBuster, regarded as one of the most powerful web application inspection tools. It is extremely simple, requiring only a URL and a wordlist.

GoBuster

GoBuster is a brute-force program for searching directories and files for URLs and DNS sub-domains. It is capable of locating usernames, passwords, and even specific extensions. The command for GoBuster is gobuster dir -u “URL” -w /usr/share/wordlists/common.txt (directory path).