SQL Injection

by | Jun 25, 2022 | Uncategorized | 0 comments

What is SQL Injection?

A SQL injection is a technique in which a malicious SQL query is injected into the code of a web application. This query can be used to manipulate the server to divulge unauthorized information or modify data saved on the server.

An attacker can obtain significant amounts of sensitive information from a website’s database by using SQL Injections. SQLi assaults targeted companies such as Apple and eBay, and valuable company data was stolen as a result.

Any website or web application that uses a SQL database, such as MySQL, Oracle, SQL Server, or others, may be vulnerable to SQL Injection. Criminals may use it for illegal access to your sensitive data, including customer information, personal information, trade secrets, intellectual property, and other information.

SQL injection attacks are one of the most common, widespread, and deadly web application vulnerabilities. In their OWASP Top 10 2017 paper.

The OWASP association (Open Web Application Security Project) ranks injections as the top threat to web application security, and you can practice SQL injection labs from Port Swigger.

Injection Types

Two primary injections occur when they affect a vulnerable website.

Regular SQLi: When an attacker can inject a custom query into a genuine SQL query transmitted to the database, but the database responds with a non-legitimate result.

In this case, the website will respond to the attacker quickly by either supplying the desired data or generating an error if the SQL query is incorrect.

Blind SQL injection: It is the same in practically every way except that the server does not provide any errors because there are no indicators that suggest whether the injection was successful. Thus, it will be dependent on guesswork. However, there are various methods for performing blind SQL injection.

SQLi Types

Error-Based: In this sort of vector attack, the attacker depends on the server to reveal data as part of a possible fault.

Union-based injections: SQLi attack vectors that use unions are the most common. The attacker uses union statements to chain SQL queries, allowing for dynamic data retrieval from several tables.

Boolean-based injections are more common in blind SQL injection attacks, and they can be used to detect changes when injecting “true” and “false” values based on logical operators and statements such as “or 1=1”.

Time-based SQLi is rare and typically used as a last resort when detecting SQLi. In a time-based attack, the cyber attacker tries to force the database to wait for a specified amount of time before responding.

Execution

Database Enumeration

Version: When performing SQL injection, searching for database and server versions is essential. These details can be helpful when searching for CVE.

Users: The user who accesses the database is also usually the local user on the computer. One of the attacker’s goals is to enumerate users and databases.

Structure: When performing SQL injection, the attacker typically begins by trying to enumerate the different columns, tables, and databases on the server, which are found in a default database.

SQL Injection Detection

User Input

The first place to look for a SQL injection is usually a search from a user login or any input that might be sent as part of a SQL Query. The most straightforward test is to insert an apostrophe (‘) or a double quotation mark (“).

If there is an error, the service is most likely vulnerable. If there is no response received, additional configuration steps should be taken. A successful error-based injection is an initial indication that the vulnerability exists.

Goggle Dorks

Goggle Dorks can be used to find potentially vulnerable URLs, such as “item.php?id=” or “idlechat/message.php?id=.” A cyber attacker may be able to find websites vulnerable to SQLi attacks by using the Goggle Dorks search engine.

Checking for SQL

 It is the first step taken by an attacker or penetration tester to confirm that the website uses a SQL database. Because it closes the first quotation mark that wraps the value, inserting an apostrophe sign (‘) usually results in an error. Errors can provide information about the SQL version or type used.

SQL injection Attack

If user input is not sanitized on the server-side, there can be changes in the entire query and affect the database. The server-side store’s user input inside a variable is part of the query sent to the server in the request. An SQL injection attack happens when an attacker uses the input to deceive the database or display unauthorized data.

Error-Based Response

When a user inserts an apostrophe sign (‘), the logical purpose of the query is altered, and the database that receives it is “confused.” The database server does not recognize it as a valid query and returns an error that the user is not supposed to see.

Boolean-Based

This is a SQL injection attack vector that changes the original purpose of a query to a TRUE or FALSE condition by adding “or 1 = 1 —” (meaning “true”) to the query. Therefore, instead of requesting data for a specific value, the query requests data when a condition occurs. This attack vector can be run to get a login for evasion.

The user sends a malicious query to generate a “True” statement. Once the “True” statement occurs, the user gains access. The malicious query will escape from the legitimate query, and by using the comment note, the rest of the query will be ignored. The query is used with ‘or 1=1 —‘ to create a statement that is equal to “TRUE”

Original Query

Command

SELECT * FROM Credentials WHERE user = `admin’and password = ‘1234’.

The query gets all the data from the selected table.

All the data is in the credential table.

 WHERE is the condition that will follow the next parameters.

 Select all data from Credentials whose user name is equal to ‘admin’.

 Select all data from credentials whose password is equal to ‘1234’.

 Note: To perform SQL injection, an attacker must accept the original query to discover vulnerable parameters.

Query Customization

Manual testing may involve trial and error using customized queries.

URL Encoding: Some websites use GET queries with URL parameters to receive databases. To ensure that the payload is sent appropriately, URL encoding should be utilized.

Break-free: It may be necessary to add extra characters such as an apostrophe (‘) or a double quotation mark (“) to escape a parameter or to append “— -” to the end of the payload to remark the rest of the question. Depending on the server type, a hashtag sign (“#”) may also be used.

Union-Based SQL Injection

Union Enumeration Flow

Enumerating the database’s table and column names can aid in developing a bespoke query for sensitive data extraction. Table and column information is saved in a default database called “information_schema.” A customized query containing the extracted information can be generated after querying this database for database names, table names, and column names.

Column Enumeration

The “ORDER BY” clause is used to count how many columns are returned by a given query. When the argument “ORDER BY 1,2,3,4,5….” is injected, the server returns a response indicating the number of columns. The attacker must identify the maximum number of columns that will not result in an error.

Database Response

The page does not display all of the data retrieved from the database. A query such as “UNION SELECT 1,2,3,4…” can indicate which table columns will be returned to the page. Since the “UNION SELECT” query combines tables, the original query is useful for returning an empty result. The numbers in the inquiry could be letters, special characters, or anything else.

Database Enumeration

To begin enumerating the database, the names of the databases must first be enumerated. All database names are stored in the table “information schema.schemta.” To retrieve database names, query the “information schema.schemat” table’s column “schema name.”

Table Enumeration

The following step is to list all the tables in the database. The table “information schema.tables” contains the names of all the tables. To look for table names, use the following statement:

“aa’ UNION SELECT 1, table name,3,4,5,6,7 FROM information schema.tables WHERE table_schema=database()— -“. The predefined function “database()” points to the current database.

Table Columns

Columns can also be identified using the table “information schema.columns,” which allows you to list all of the columns in a given table. At this point, the attacker knows the table’s name and will utilize it in the query, which will return all of the columns in the “users” table.

Data Extraction

Once the attacker discovers the names of the databases, tables, and columns. The data in the table data can be queried using the enumerated data. The data retrieved from the database can be placed in the columns returned on the page. The query “aa’ UNION SELECT 1,email, password,4567 FROM users– -.” will extract the users, emails and passwords.

Group_Concat()

For each column in the query, most websites will display only one data entry. The function “group_concat” can be used to display many data elements in a single column. The query “UNION SELECT 1, group concat(email,” “, password),3,4,5,6,7 FROM users— -.” will display all the requested data entries in one place.

Exploiting SQL Injection: a Hands-on examples which can make you understand better.

SQLi to RCE

RCE

RCE is a mechanism that allows a cyber attacker to execute code, orders, or operations on a remote target server or computer. Once RCE is obtained, the attacker may conduct various operations on the remote system, including reading and altering files and processes, depending on the SQL server user’s permission settings.

Attackers seek RCE because it allows them to control the target server and other victim machines. Several RDBMS systems enable you to save the query result to a file. With “INTO OUTFILE,” an attacker may create a web shell on the target server with a corrupt query.

Prevention of SQL injection

Input validation and parameterized queries, including prepared statements, are the only surefire ways to prevent SQL Injection attacks. Never utilize input directly in the application code. The developer must sanitize every input and not only web form inputs like login forms.

They must delete potentially harmful code elements such as single quotes. They should also disable the visibility of database failures on your production website. Database failures can be utilized in conjunction with SQL Injection to learn more about your database.

See Avoiding SQL Injection Vulnerabilities in PHP Applications and Repairing them. And for details on how to prevent SQL Injection attacks in PHP.

Prevention of SQL injection.

Reference: https://bobby-tables.com/