SQL: Injection Attack
What is SQL Injection?
SQLi is a kind of attack on web-based applications in which the attacker can run malicious queries against the website’s database. SQL injection is a code injection technique used to execute malicious SQL statements.
For example, if you want to log in to a website but have forgotten the username and password, SQL injection can be used to log in or access the page without knowing the password.
How SQL injection works?
SQL injection consists of inserting, or “injecting”, a SQL query through the input data sent from the client to the application. The injected input lands in the data plane and alters predefined SQL commands.
SQL injection attacks target vulnerabilities in dynamic SQL statements. Think of a dynamic SQL statement like a multivariate mathematical function whose parameters are fixed while the result is determined by the values placed in the independent variables.
Similarly, a dynamic SQL statement also consists of a predefined set of parameters (such as a web form) and the full statement is generated only when the user provides input.
See the following example of a SQL statement of a login form:
SELECT * FROM users WHERE username = '$username' AND password = bcrypt ('$password')
The statement is completed when the user enters a username and password. A query is then sent to the server to retrieve the user’s information from the database.
If a vulnerability exists in a dynamic SQL statement, an attacker could enter crafted input in a form to corrupt existing parameters and change the meaning of the entire statement.
Types of SQL injection:
In-band SQLi: In-band SQL injection is a type of SQL injection in which the attacker receives the result as a direct response over the same communication channel. For example, if an attacker manually launches an attack through her web browser, the results of the attack are displayed in that same web browser. In-band SQL injection is also known as traditional SQL injection.
Error-based SQL injection — Here the attacker performs certain actions that cause the database to generate an error message. You can use the error message to determine what database is being used, what server version the handler is using, etc.
Union-Based SQL injection — Uses the UNION operator to combine the results of multiple SELECT statements into a single HTTP response. The attacker can construct the query in the URL or combine multiple statements in the input field to try to obtain the answer.
Blind SQLi: Blind SQL injection is a type of SQL injection in which the attacker does not get an explicit response from the database being attacked, but instead observes the behaviour of the database server and application to reconstruct the database structure incrementally. Blind SQL injection is also known as inferential SQL injection.
Boolean Based — Here, the attacker sends a SQL query to the database and asks the application to return different results depending on whether the query returns True or False.
Time Based — In this attack, an attacker submits a SQL query to a database and causes the database to wait a specified amount of time before sharing the results. Response time helps an attacker determine whether a query is true or false.
Out-of-Band SQLi: Out-of-Band SQL Injection (OOB SQLi) is a type of SQL injection in which the attacker does not receive a response from the attacked application over the same communication channel; instead, the database server is tricked into sending data to a remote endpoint controlled by the attacker. Out-of-band SQL injection is only possible if the database server in use has commands that trigger DNS or HTTP requests. However, this applies to all popular SQL servers.
Example on SQLi
The first example is very simple. It shows how an attacker can use an SQL injection vulnerability to bypass application security and authenticate as the administrator.
The following script is pseudocode executed on a web server. It is a simple example of authenticating with a username and a password. The example database has a table named users with the following columns: username and password.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: user input is concatenated straight into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement
database.execute(sql)
These input fields are vulnerable to SQL Injection. An attacker could use SQL commands in the input in a way that would alter the SQL statement executed by the database server. For example, they could use a trick involving a single quote and set the passwd field to:
password' OR 1=1
As a result, the database server runs the following SQL query:
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
Because of the OR 1=1 statement, the WHERE clause returns the first id from the users table no matter what the username and password are. The first user id in a database is very often the administrator. In this way, the attacker not only bypasses authentication but also gains administrator privileges. They can also comment out the rest of the SQL statement to control the execution of the SQL query further:
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
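As an added worked example (not code from the original post), the following Python script builds the users table described above in an in-memory SQLite database and runs the login both the way the pseudocode does it (string concatenation) and as a prepared statement, feeding each the ' OR '1'='1' -- payload from the list above. The table contents, the function names and the plaintext passwords are constructed for the example; a real application would store password hashes as the bcrypt call in the earlier login statement suggests.

```python
import sqlite3

# Constructed example data: the first row is the administrator, as the text above assumes.
USERS = [
    (1, "admin", "s3cret-admin"),
    (2, "alice", "wonderland"),
]


def make_db():
    """Create an in-memory SQLite database with the page's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, uname, passwd):
    """Build the statement by string concatenation, exactly like the page's pseudocode.

    Returns the matched user id, or None. Quotes in the input become part of
    the SQL grammar, so the input can rewrite the WHERE clause.
    """
    sql = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Same query as a prepared statement.

    The statement text is fixed; user data is bound to the `?` placeholders
    by the driver, so it can never change the structure of the SQL.
    """
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def run_demo():
    """Run both logins with a legitimate credential and with the tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1' --"   # taken from the payload list on this page
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "wonderland"),
        "vulnerable_payload": login_vulnerable(conn, "", payload),
        "safe_legit": login_safe(conn, "alice", "wonderland"),
        "safe_payload": login_safe(conn, "", payload),
    }


if __name__ == "__main__":
    for name, user_id in run_demo().items():
        print(f"{name:20s} -> user id {user_id}")
```

With the concatenated version the payload turns the WHERE clause into username='' AND password='' OR '1'='1' followed by a comment, so every row matches and the first id (the administrator) is returned. With the prepared statement the same string is compared literally against the password column and no row matches.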
How to Prevent SQL Injection?
Organizations can apply the following policies to protect against SQL injection attacks.
- Never trust user input — It should always be sanitized before being used in dynamic SQL statements.
- Stored Procedures — Allow you to encapsulate SQL statements and treat all inputs as parameters.
- Prepared Statements — Work by first constructing the SQL statement and then passing the submitted user data as parameters, so the data cannot alter the syntax of the SQL statement.
- Regular Expressions — Can be used to detect potentially malicious code and remove it before a SQL statement is executed.
- Database Connection User Permissions — The account used to connect to the database should be granted only the necessary permissions. This limits what an injected SQL statement can do on the server.
- Error messages — Should not reveal sensitive information or the exact location of the error: show “Sorry, a technical error has occurred. I have contacted the technical team. Try again later” instead of displaying the SQL statement that caused the error.
The only way to prevent SQL injection attacks is to set up input validation. This means that user-entered input should be monitored and sanitized to filter out potentially malicious code.
This is exactly what a web application firewall (WAF) does: it analyzes all user input to your web application for matches with suspicious code.
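To show what the regular-expression and WAF-style checks above look like in practice, here is an added Python example (not code from the original post) that decodes the query-string parameters of constructed access-log request lines and flags the payload shapes discussed on this page: quote-plus-OR tautologies, UNION SELECT, trailing comment sequences and time-delay calls. The log lines, pattern labels and function names are all constructed. The O’Reilly line is included to show that a legitimate apostrophe must not trip the filter; signature matching of this kind is a monitoring aid that can both miss and over-match, so it complements prepared statements rather than replacing them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures adapted from the payload forms shown on this page. The labels are ours.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE),
    "comment_truncation": re.compile(r"(?:--|#|/\*)\s*$"),
    "time_delay": re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bpg_sleep\s*\(", re.IGNORECASE),
}

# Constructed access-log request lines (not real traffic).
LOG_LINES = [
    "GET /login?username=alice&password=wonderland HTTP/1.1",
    "GET /login?username=admin&password=%27+OR+%271%27%3D%271%27+-- HTTP/1.1",
    "GET /products?id=1+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1",
    "GET /search?q=O%27Reilly HTTP/1.1",
    "GET /items?id=1+AND+SLEEP(5) HTTP/1.1",
]


def decoded_params(request_line):
    """Return the URL-decoded (name, value) query parameters of one request line.

    Decoding first matters: the payloads arrive percent-encoded, and a filter
    that only looks at the raw line would see %27 rather than a quote.
    """
    m = re.match(r"^\S+\s+(\S+)\s+HTTP/", request_line)
    if not m:
        return []
    return parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)


def scan_request(request_line):
    """Return a list of (parameter name, signature label) hits for one request line."""
    findings = []
    for name, value in decoded_params(request_line):
        for label, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                findings.append((name, label))
    return findings


def scan_log(lines):
    """Map 1-based line numbers to their findings, for every line with at least one hit."""
    report = {}
    for number, line in enumerate(lines, 1):
        findings = scan_request(line)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in scan_log(LOG_LINES).items():
        print(f"line {number}: {findings}")
```

Hits should feed an alert or a review queue; blocking purely on a signature match tends to lock out legitimate users whose input happens to contain quotes or SQL keywords.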
We hope this has made the concepts clear.
Leave a comment and share your thoughts !!
Authors:
Akash Shekhavat, Madhuri Shelke, Chetan Shinde, Swarali Sole
References:
https://systemweakness.com/sql-injection-attacks-53e942aae1f8