SQL INJECTION
Okay, this is not the injection I’m referring to, so don’t fear. SQL injection is the vulnerability this post is about. Before we get into how it happens and how to exploit it, let’s first define it.
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the database queries an application makes. In other words, SQL injection occurs when a flaw in a database-backed website lets an attacker query or attack the site’s database using SQL (Structured Query Language). SQLi reports are frequently rewarded because the impact can be severe: attackers can change or retrieve information in the database, or even create an administrator login for themselves.
SQL injection vulnerabilities, attacks, and tactics come in many forms and are used in a number of contexts. The following are some examples of SQL injection:
- Retrieving hidden data, where you can modify an SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application’s logic.
- UNION attacks, where you can retrieve data from different database tables.
- Examining the database, where you can extract information about the version and structure of the database.
- Blind SQL injection, where the results of a query you control are not returned in the application’s responses.
WHY ARE THEY SO RISKY?
- They’re all over the place.
- Allow sensitive data in the database to be accessed.
- Can read local files outside of the www root.
- It can be used to log in as an administrator and exploit the system further.
- It has the ability to upload files.
Let’s start with a simple example and then dig deeper…
Appending a single quote to the password makes the log show a SQL syntax error, indicating that the quote character has broken the query unexpectedly.
Behind the scenes, this is how it looks.
SELECT * FROM users WHERE email = 'kowosaw529@3dmasti.com' AND pass = 'password'' LIMIT 1
The quote is inserted directly into the SQL string, where it terminates the string literal early and leaves an unbalanced quote behind, breaking the rest of the query.
This is what caused the syntax error we saw in the log. This behavior indicates that the application might be vulnerable to SQL INJECTION.
Next, the classic payload ' or 1=1-- is submitted in the password field. Behind the scenes, the query now looks like this.
SELECT * FROM users WHERE email = ' ' AND pass = ' ' or 1=1--' LIMIT 1
Let’s take a closer look at this: the quote closes the password string, or 1=1 makes the WHERE condition true for every row, and -- turns the rest of the original query into a comment, so the application logs in as the first matching user without a valid password. Time to level up.
Look at some types of SQLi
- SQL Injection Based on Batched SQL Statements — The majority of databases allow for batch SQL statements. A batch of SQL statements consists of two or more SQL statements that are separated by semicolons.
- In-band SQLi (Classic SQLi) — In-band SQL Injection is the most common and easiest to exploit. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
- Error-based SQLi — Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.
- Union-based SQLi — Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
- Inferential SQLi (Blind SQLi) — Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker is not able to see the result of an attack in-band. Instead, an attacker is able to reconstruct the database structure by sending payloads and observing the web application’s response and the resulting behavior of the database server.
- Boolean-based (content-based) Blind SQLi — Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
- Time-based Blind SQLi — Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
- Out-of-band SQLi — Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
Have a look at some of the SQL injection vulnerabilities that were found and the bounties the hunters received…
Now let’s see ways to prevent it.
Preventing SQL Injection vulnerabilities is not easy. Specific prevention techniques depend on the sub-type of SQLi vulnerability, on the SQL database engine, and on the programming language. However, there are certain general strategic principles that you should follow to keep your web application safe.
- SQL parameters — SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
- Don’t trust any user input — Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of an SQL Injection. Treat input from authenticated and/or internal users the same way that you treat public input.
- Use whitelists, not blacklists — Don’t use blacklists to filter user input. A smart hacker will almost always find a way around your blacklist. If possible, always use strict whitelists to check and filter user input.
- Adopt the latest technologies — SQLi protection is not available in older web development technologies. Use the most recent version of the development environment and language, as well as the most recent technologies linked with it. Use PDO instead of MySQLi in PHP, for example.
- Scan regularly
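As an added example (not the original post’s code), the two queries from the login walkthrough above and the SQL-parameters advice are put side by side in Python: a login check built by string concatenation, as in the post, and the same check with bound parameters. It uses an in-memory SQLite database with a constructed user row; SQLite reports the broken quote as an unrecognized token rather than MySQL’s syntax error, but the effect is the same.

```python
import sqlite3

def make_db():
    """Constructed sample data (not from the post): one user in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 's3cret')")
    return conn

def vulnerable_login(conn, email, password):
    """Builds the query by string concatenation, the pattern behind the
    queries shown in the post: user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE email = '" + email +
           "' AND pass = '" + password + "' LIMIT 1")
    try:
        return conn.execute(sql).fetchone()      # matching row, or None
    except sqlite3.OperationalError as err:
        return ("SQL syntax error", str(err))    # what the log showed

def safe_login(conn, email, password):
    """Same query with bound parameters: values travel separately from the
    SQL text, so a quote in the input can never change the query structure."""
    sql = "SELECT * FROM users WHERE email = ? AND pass = ? LIMIT 1"
    return conn.execute(sql, (email, password)).fetchone()

def demo():
    conn = make_db()
    quote, tautology = "password'", "' or 1=1--"
    return {
        # stray quote: the string literal is never closed -> error in the log
        "vuln_quote": vulnerable_login(conn, "alice@example.com", quote),
        # quote closes the literal, 1=1 is always true, -- comments out the rest
        "vuln_tautology": vulnerable_login(conn, "", tautology),
        # with parameters the same inputs are just compared as literal strings
        "safe_quote": safe_login(conn, "alice@example.com", quote),
        "safe_tautology": safe_login(conn, "", tautology),
        "safe_real_creds": safe_login(conn, "alice@example.com", "s3cret"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```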