SQL Injection
When you are running a web application, what do you think is the most important thing for you to protect? Can you guess it? It is none other than the database. You have to give the database the best security for the sake of service continuity, but imagine that even after securing the network around it, an attacker is able to manipulate the database without ever entering the internal network of your organization. Such is the case with “SQL Injection”.
It is the most common web-based attack, and it has been in the OWASP Top 10 since the list began.
If you have a web application that uses a database, then you must understand what exactly SQL injection is and how it works, because it can make your application perform actions beyond your control.
Definition:
“SQL Injection is a type of attack in which an attacker accesses the database of a web application by manipulating its queries through crafted inputs, causing information to be displayed that was never intended to be displayed.”
What is SQL Injection?
Consider a web application that uses a database. It takes input from the user and stores data in the database, or fetches data from the database to display it to the user.
In this case a database query is generated by the web application, sent to the database and executed there, and the desired output is returned to the web application. That is what is expected to happen.
But when an attacker uses SQL Injection, the query that is generated and executed on the database is manipulated, so it performs certain actions it is not supposed to do.
First the attacker frames certain SQL fragments and injects them as malicious strings into the input, so that the query generated by the web application is altered. This query is then sent to the database.
Because the query has been manipulated, executing it produces the output the attacker wants instead of the result that the original SQL query would otherwise have returned.
So we can simply describe it as a technique in which code is injected into SQL queries to execute malicious statements on the database.
Example:
Suppose there is a web application. To use it you first have to log in, entering your assigned username and the corresponding password.
The usernames and passwords of all users are stored in the database of the web application. When you enter your username and password to log in, the application generates a query that is passed to the database.
The query matches the data the user entered against the data stored in the database. Only if the entered data matches the stored data does the login succeed; if either entered value is wrong, login access is denied.
Consider the web application that has the following database of username and password.
Suppose the attacker enters the login credentials of user San_123.
This will generate a query to the database such as the one shown below.
This query simply fetches every row that matches the condition after the where clause.
When this query is executed, if there is a username “San_123” stored in the users table with the corresponding password “1234d678”, then that particular row is returned.
If either of the entered fields does not match the users table, then no row is returned. So whenever the above SQL query returns a TRUE value the login is successful, and when it returns a FALSE value the login is unsuccessful.
Now let's see how attackers use this SQL query to launch a SQL injection attack.
select * from users where username='San_123' and password='1234d678'
As shown above, the SQL query is pre-generated with this syntax; only the two quoted values (the highlighted part in the original) are supplied by the user. So the user controls only that portion of the query.
And to execute SQL injection, a user has to manipulate the input part of the query.
To make a successful login attempt, we have to manipulate the above query so that it always returns TRUE, even though we do not know the username and password.
We use the OR logic (the SQL OR operator) for this. With OR, the condition is TRUE as long as at least one of its inputs is TRUE.
This property of OR is what makes it useful for the SQL injection attack: since we do not know the username or password, the first condition will be FALSE.
But we can supply another input containing a condition that is always TRUE and combine it with the first condition using OR. The whole condition then always evaluates to TRUE, the query executes successfully, and the login succeeds.
Now we manipulate the SQL query so that it will always return TRUE and execute SQL Injection attack.
So the modified query is:
select * from users where username='xyz' OR 1=1 -- ' and password='1234d678'
Here we have manipulated the query with the input:
xyz' OR 1=1 --
Now look at the part of the statement OR 1=1.
It is always going to evaluate to TRUE.
Let's break down the input we provided to the web application, piece by piece.
xyz'
Whatever input is given to the web application is treated as a string. So we enter any random string followed by a single quote, which closes the string literal in the query. This terminates the first (username) parameter.
OR
We use it to combine the two conditions. Our first condition is the username check. As we do not know the username, this first condition is going to be FALSE, so the focus is now on the second condition.
1=1
This condition is always going to evaluate to TRUE.
As we know, with OR, if one of the inputs is TRUE then the output is TRUE irrespective of the other input. As a result the SQL query's condition will always be TRUE.
--
You may be wondering what happens to the password check after the 'and' part. It is not executed: the double hyphen we used comments out the rest of the SQL query.
So the rest of the query has no effect on the database. This is the commented-out section of the modified query (shown in a light shade in the original):
and password='1234d678'
This is how the SQL query behaves when such input is given to the web application.
HOW TO DO SQL INJECTION:
How SQL Injection is performed depends on how the web application is built, so attackers must first find out about the structure of the web application and its application code.
The attacker finds out the method by which data is passed to the web application. Once he knows this, he proceeds to the SQL Injection.
There are two ways by which data is passed to the web application.
1.) GET Method
2.) POST Method
Let’s see how to execute the SQL Injection attack in both scenarios.
I] Using a GET method:
The GET method is used to pass the data input by the user to the application. In the application code, the GET method is used to request data from a specified resource.
Its general syntax (in PHP) is:
$username = $_GET['username']; $password = $_GET['password'];
Here the names in single quotes are the request parameters that carry the user inputs.
When the GET method is used to send data from the web page to the application, the data is sent in the URL of the request as plain text, without encryption. So the sent data is visible in the URL.
Consider again the above example of a Login page.
Now when you log in to an application that uses the GET method to pass the data, the request can be observed in the URL bar as:
localhost/index.php?username=San_123&password=1234d678
As these are a valid username and password, your login is successful.
Now suppose you have no idea of the username or password. If the application builds its query as shown earlier, it is vulnerable to SQL Injection.
Steps to launch SQL Injection:
1.) Enter any random username and password combination in the respective fields and press login.
2.) This generates a request to the application, which can be seen in the URL bar.
localhost/index.php?username=Tim&password=sdfgh76
As these are invalid credentials, the login fails.
3.) Now, to manipulate the query, we use OR in the username field. As the request is visible in the URL bar, you only have to edit the username portion of the URL as follows.
localhost/index.php?username=Tim' or 1=1-- &password=sdfgh76
As discussed above, the input Tim' or 1=1-- manipulates the query so that it always returns TRUE. So as soon as the user hits ENTER, he is taken inside the web application with a successful login message.
II] Using a POST method:
If the POST method is used to pass the data to the web application, the data is not visible in the URL string.
The POST method sends the data in the body of the HTTP request rather than in the URL; it is encoded in the same query-string format (the QUERY_STRING format) and placed in the request body.
Data sent by this method travels inside the HTTP request, so its security depends on how secure the HTTP transport is.
In this case you will not be able to manipulate the string in the URL.
Suppose you first enter valid credentials on the login page. The login succeeds, but the username and password are not shown in the URL.
So the following is the way to launch a SQL injection attack on such web applications.
Enter the string xyz' or 1=1-- in the username field and some random text in the password field (the password check is commented out, so whatever password you input does not matter).
Once again the SQL query generated from this input always evaluates to TRUE, hence the successful login to the application.
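To connect the login example above with the GET request in step 3 and show concretely why the injected query succeeds, here is an added example that is not part of the original article. It is written in Python against an in-memory SQLite database rather than the article's PHP, and places the article's concatenated query beside a parameterized version; the table contents beyond San_123 / 1234d678 are constructed.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample users table: San_123 / 1234d678 are the article's values,
# the second row is made up so that a full-table result is visible. Plaintext
# passwords are the article's simplification, not a recommendation.
USERS = [("San_123", "1234d678"), ("bob", "constructed-pw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def credentials_from_query_string(qs):
    """Decode a GET query string (or an identically formatted POST body)
    the way the article's $_GET['username'] / $_GET['password'] would."""
    params = parse_qs(qs)
    return params["username"][0], params["password"][0]


def login_vulnerable(conn, username, password):
    # The article's query built by string concatenation: the input becomes
    # part of the SQL text, so a quote in it rewrites the WHERE clause.
    sql = f"select * from users where username='{username}' and password='{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the SQL text is fixed and the driver sends the
    # values separately, so they are compared as data, never parsed as SQL.
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Row counts for valid credentials and for the article's injected GET
    request, under both ways of building the query."""
    conn = make_db()
    valid = credentials_from_query_string("username=San_123&password=1234d678")
    # The article's step 3 URL, percent-encoded as a browser would send it.
    injected = credentials_from_query_string("username=Tim%27+or+1%3D1--+&password=sdfgh76")
    return {
        "valid_vulnerable": len(login_vulnerable(conn, *valid)),
        "valid_safe": len(login_safe(conn, *valid)),
        "injected_vulnerable": len(login_vulnerable(conn, *injected)),  # every row
        "injected_safe": len(login_safe(conn, *injected)),              # no row
    }
```

Only the concatenated version returns every row for the injected input; the parameterized version treats `Tim' or 1=1-- ` as an ordinary username and returns nothing.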
SQL Injection Impacts:
SQL Injection can have a disastrous impact on any organization. We can summarize it as follows.
1.) Confidentiality and Integrity of data are at stake.
2.) It allows attackers to spoof the identity of any employee working in an organization.
3.) The attacker can steal the sensitive data of the organization and sell it to the rival organization.
4.) The attacker can tamper with the existing data in the database, which causes repudiation issues.
5.) The attacker can gain administrator access to the database, which allows him to destroy all the data or disclose it publicly.