2. SQL Injection
SQL Injection is a type of attack that asks the database
true or false questions and determines the answer based
on the application response. This attack is often used
when the web application is configured to show generic
error messages, but the code that is vulnerable to SQL
injection has not been fixed.
Error Based
Error based means that an error occurs while the database
runs the query and the server sends the error message back
to us in its response.
By breaking the query in a malicious way and reading the
error returned by the server, the attack can be carried
out more easily.
Blind SQL
Blind SQL injection is nearly identical to normal SQL
injection, the only difference being the way the
data is retrieved from the database. When the error
is not visible on the web page, an attacker is
forced to inject data by asking the database a series
of true or false questions. This makes exploiting the
SQL injection vulnerability more difficult, but not
impossible.
3. SQL Injection – Error Based
Example:
By breaking the query with a single quote '
or a double quote " (which one depends on the
SQL version the server is running) and
getting an error back, we have an
indication of error-based SQL injection.
Comments can be used as well while trying
to extract data.
The most common comments are:
1) --
2) #
SQL commands:
1) order by 1,2,3,4
2) union all select 1,2,3,4
4. SQL Injection – Error Based
For example, in the URL below we have one
variable (title).
http://example.com/bWAPP/sqli_1.php?title='&action=search
Through this variable, data can be extracted from
the database once we know we have SQL
injection.
We use the "order by" command to discover how
many columns are in the table.
http://example.com/bWAPP/sqli_1.php?title=' order by 1,2,3,4,5,6,7,8#&action=search
We get an error:
Error: Unknown column '8' in 'order clause'
This means the table has 7 columns, and now we can
extract all the data from the database.
5. SQL Injection – Error Based
After we discover how many columns
are in the table, we can use the "union all
select" command to discover the
database version and which user is
running the SQL service.
Use the functions version() and user() to
discover the version and the user.
Example:
http://example.com/bWAPP/sqli_1.php?title=' union all select null,user(),version(),null,null,null,null#
6. SQL Injection - Blind
Blind SQL injection is more difficult to
identify.
If we suspect a blind SQL injection, we
can use the function SLEEP() and define the
number of seconds.
For example:
Iron man' and 1=1 and SLEEP(5)#
If the web server freezes for 5 seconds, it
is an indication of blind SQL injection.
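The probing requests shown in the sections above leave recognizable traces in web server logs. The following is an added example, not part of the original slides: a Python script that decodes the query parameters of Apache-style access-log lines and flags the ORDER BY probe, UNION SELECT, SLEEP() and comment-terminator payloads from the deck. The log lines, client IP address and timestamps are constructed for the example; the request paths reproduce the bWAPP URLs shown above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed Apache-style access-log lines reproducing the deck's requests
# (%27 is "'", %20 is a space, %23 is "#"); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /bWAPP/sqli_1.php?title=Iron%20man&action=search HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /bWAPP/sqli_1.php?title=%27&action=search HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /bWAPP/sqli_1.php?title=%27%20order%20by%201,2,3,4,5,6,7,8%23&action=search HTTP/1.1" 200 530
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /bWAPP/sqli_1.php?title=%27%20union%20all%20select%20null,user(),version(),null,null,null,null%23&action=search HTTP/1.1" 200 611
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /bWAPP/sqli_1.php?title=Iron%20man%27%20and%201=1%20and%20SLEEP(5)%23&action=search HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request path of a combined-format line

# One pattern per technique shown in the deck, matched against decoded values.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sleep_timing": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "comment_terminator": re.compile(r"(?:--|#)\s*$"),
    "lone_quote": re.compile(r"^['\"]$"),
}

def decoded_params(request_path):
    """Split the query string and decode it twice to catch double-encoded payloads."""
    query = request_path.partition("?")[2]
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]

def classify_request(request_path):
    """Return the sorted names of every pattern that matches some parameter value."""
    hits = set()
    for _, value in decoded_params(request_path):
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)

def scan_log(log_text):
    """Return (line_number, request_path, hits) for each log line that matches."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (hits := classify_request(m.group(1))):
            findings.append((lineno, m.group(1), hits))
    return findings

if __name__ == "__main__":
    for lineno, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}  <- {path}")
```

The first sample line (a normal search for "Iron man") produces no finding; the other four are flagged with the technique they correspond to.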
7. SQL Injection Prevention
Example:
<?php
$con = mysqli_connect("localhost", "my_user", "my_password", "my_db");
// Check the connection; stop here instead of running queries on a failed handle
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit;
}
// Escape the user-supplied values; escaping only protects values that are
// placed inside quotes in the query, so every escaped value below is quoted
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname  = mysqli_real_escape_string($con, $_POST['lastname']);
$age       = mysqli_real_escape_string($con, $_POST['age']);
$sql = "INSERT INTO Persons (FirstName, LastName, Age)
        VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con, $sql)) {
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Protection
To prevent SQL injection, use the mysqli_real_escape_string
function on the input variables before sending them to the database.
MySQL Escape String
mysqli_real_escape_string(connection, escapestring);
mysqli_real_escape_string is applied in the PHP code above.