If you are starting out in web application or Android penetration testing, SQL injection is one of the first vulnerability classes to learn. It appears in the OWASP Top 10 under the Injection category. To understand SQL injection properly, we first need to understand SQL.
Let us begin!
What is SQL?
SQL stands for Structured Query Language. It is a language designed for storing, manipulating, and retrieving data held in a relational database.
When you fill in a form on the web, the details you enter are stored in a back-end database set up by the developers. The application uses SQL statements such as CREATE, ALTER, UPDATE and DELETE to manage that data, and SELECT to read it back.
What is SQL Injection?
SQL injection is a vulnerability that lets an attacker interfere with the queries an application makes to its database. In most cases it allows the attacker to view data they should not be able to retrieve; often they can also alter or delete that data, changing the application's content or behaviour.
In some cases SQL injection can even be used to execute commands on the database server's operating system, giving the attacker a foothold from which to escalate to more damaging attacks against systems on the internal network.
Types of SQL Injection:
SQL injection is usually grouped into in-band SQLi (error-based and UNION-based, where the result comes back in the normal response), blind SQLi (boolean-based and time-based, where the attacker infers the result from differences in the response), and out-of-band SQLi (where the result leaves via a separate channel such as DNS or HTTP). The detection steps below map onto these types.
SQL Injection Detection Techniques:
Submit a single quote character ' in the parameter and look for errors or other anomalies in the response.
Submit SQL-specific syntax that evaluates to the parameter's original value, then syntax that evaluates to a different value, and look for systematic differences in the application's responses.
Submit payloads designed to trigger a time delay when executed inside a SQL query, and look for differences in response time.
Submit OAST (out-of-band application security testing) payloads designed to trigger an out-of-band network interaction when executed inside a SQL query, and monitor for any resulting interactions.
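The first two detection techniques above, simulated in Python against a constructed, hypothetical search endpoint. This is an added example, not code from the original page or from any lab: the product table, the endpoint functions and the `send` helper (which stands in for an HTTP request, mapping a database error to a 500 response) are all assumptions made here so the probes can run offline. The time-delay and out-of-band probes are not simulated because they need a live database and a network listener.

```python
import sqlite3

# Constructed sample data: a tiny in-memory product table standing in for the
# target application's database (not from the original page).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
CONN.executemany("INSERT INTO products VALUES (?, ?, ?)", [
    (1, "Laptop", "electronics"),
    (2, "Phone", "electronics"),
    (3, "Desk", "furniture"),
])


def vulnerable_search(category):
    """Hypothetical endpoint that concatenates the parameter into the query."""
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' ORDER BY id")
    return [row[0] for row in CONN.execute(sql)]


def safe_search(category):
    """Same endpoint using a bound parameter; the input is only ever data."""
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in CONN.execute(sql, (category,))]


def send(endpoint, value):
    """Stands in for an HTTP request: a database error becomes a 500 response,
    a normal result a 200, mirroring what a tester sees from the outside."""
    try:
        return 200, endpoint(value)
    except sqlite3.Error as e:
        return 500, str(e)


def probe_single_quote(endpoint, base):
    """Technique 1: append a single quote and watch for an error response."""
    base_status, _ = send(endpoint, base)
    quote_status, _ = send(endpoint, base + "'")
    return base_status == 200 and quote_status == 500


def probe_boolean(endpoint, base):
    """Technique 2: one payload that should evaluate back to the original value
    and one that should not. If the responses differ systematically, the input
    is being interpreted as SQL rather than as data."""
    _, baseline = send(endpoint, base)
    _, when_true = send(endpoint, base + "' AND '1'='1")
    _, when_false = send(endpoint, base + "' AND '1'='2")
    return when_true == baseline and when_false != baseline


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", vulnerable_search), ("safe", safe_search)):
        print(name, "quote probe:", probe_single_quote(endpoint, "electronics"),
              "boolean probe:", probe_boolean(endpoint, "electronics"))
```

Against the concatenating endpoint both probes return True: the appended quote breaks the query, and the `'1'='1` / `'1'='2` pair reproduces and then suppresses the baseline result. Against the parameterized endpoint both return False, because the whole string is looked up as a category name and simply matches nothing.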
Try to identify the parameter in the application that interacts with the database:
Example of error-based SQLi:-
Firstly, go to this lab site:- https://www.hacksplaining.com/exercises/sql-injection#/start
The vulnerable bank application page will open.
Enter a username and password and check whether any errors appear in the log:
Username = email@example.com
Password = password
The log shows that the user "email@example.com" exists in the database but the password is invalid.
Now try injecting into the password parameter by appending a single quote: password'
The single quote produces an error in the log:
An error occurred: PG::SyntaxError: ERROR: unterminated quoted string at or near "'password'' limit 1" LINE 1: ...ers where email = 'email@example.com' and password = 'password'... ^ : select * from users where email = 'email@example.com' and password = 'password'' limit 1
Unable to log in to this user due to an unexpected error.
The error shows that the password parameter is concatenated straight into the query text (the injected quote was interpreted as SQL syntax, not as part of the password), so the application is vulnerable to SQL injection.
Now submit the payload ' or 1=1-- as the password.
Normally the query checks whether a row exists whose email and password match what was submitted. The injected quote closes the password string early, or 1=1 appends a condition that is true for every row, and the -- comments out the rest of the original query (the trailing quote and limit 1). Because AND binds tighter than OR, the WHERE clause becomes (email matches AND password = '') OR 1=1, which is always true. The query the database actually runs is:
select * from users where email = 'email@example.com' and password = '' or 1=1-- ' limit 1
That is to say, the condition matches every row, the database returns the first user, and the application logs you in as that user without knowing the password.
Basic SQL function:-
How to Prevent SQL Injection:-
The first step in preventing SQL injection is validating user input: identify what each parameter is allowed to contain and reject anything that does not match (an allowlist). This is known as input validation. It reduces the attack surface, but on its own it is not enough.
The root cause of SQL injection is building queries by concatenating strings with user-supplied data. Use parameterized queries (prepared statements), which send the query text and the data values to the database separately, so that characters such as quotes and comment sequences are always treated as data rather than SQL syntax.
Vulnerabilities in applications and databases that are exploitable through SQL injection are regularly discovered and published. Keep every component of the web application stack up to date: the database server, frameworks, libraries, plug-ins and web server software.
A software or appliance-based web application firewall (WAF) can help filter out malicious input, but treat it as defence in depth, not as a substitute for fixing the queries themselves.
Assume that an internet-connected application will eventually be compromised. Hashing passwords with a slow, salted algorithm, encrypting confidential data, and protecting connection strings limit the damage when that happens.
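The lab walkthrough above and the prevention advice, side by side as an added example in Python (this is not the lab's code, which runs on Ruby and PostgreSQL, nor code from the original page). `vulnerable_login` rebuilds the lab's query by string concatenation against a constructed in-memory SQLite `users` table, so the `password'` and `' or 1=1--` payloads behave as described. `safe_login` is the hardened version: an allowlist check on the email parameter, a parameterized query, and salted PBKDF2 password hashes compared in constant time. The table contents, the `EMAIL_RE` pattern and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# --- Vulnerable side: reproduces the lab's login query ---------------------
# Constructed sample data standing in for the lab's users table. The password
# is stored in clear text only because that is what the lab's query compares.
LAB = sqlite3.connect(":memory:")
LAB.execute("CREATE TABLE users (email TEXT, password TEXT)")
LAB.execute("INSERT INTO users VALUES ('email@example.com', 'password')")


def vulnerable_login(email, password):
    """Builds the query by string concatenation, as the lab does.

    Returns the email of the row the application would log in as, None if no
    row matched, or a string starting with "ERROR:" when the database rejects
    the query (the SQLite equivalent of the lab's PG::SyntaxError).
    """
    sql = ("select * from users where email = '" + email +
           "' and password = '" + password + "' limit 1")
    try:
        row = LAB.execute(sql).fetchone()
    except sqlite3.Error as e:
        return "ERROR: " + str(e)
    return row[0] if row else None


# --- Hardened side: validation, parameters, hashed passwords ---------------
SAFE = sqlite3.connect(":memory:")
SAFE.execute("CREATE TABLE users (email TEXT, salt BLOB, password_hash BLOB)")

# Allowlist for the email parameter (assumed pattern): anything not shaped
# like an address is rejected before it gets near the query.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_password(password, salt):
    # PBKDF2 from the standard library keeps the example dependency-free; a
    # dedicated scheme such as Argon2 or bcrypt is the better production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(email, password):
    salt = os.urandom(16)
    SAFE.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))


def safe_login(email, password):
    """Returns the email on success, None otherwise; never raises on user input."""
    if not EMAIL_RE.fullmatch(email):
        return None
    # Parameterized query: the driver passes the value separately from the SQL
    # text, so a quote or a '--' inside it is data, not syntax.
    row = SAFE.execute(
        "SELECT email, salt, password_hash FROM users WHERE email = ?",
        (email,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(hash_password(password, row[1]), row[2]):
        return row[0]
    return None


add_user("email@example.com", "password")

if __name__ == "__main__":
    for pw in ("password", "password'", "' or 1=1--"):
        print(repr(pw), "vulnerable:", vulnerable_login("email@example.com", pw),
              "safe:", safe_login("email@example.com", pw))
```

With the concatenating version, `password'` produces a database error (the same unterminated-string failure the lab logs) and `' or 1=1--` logs in as the first user even with an unknown email. With the parameterized version both payloads are simply wrong passwords: no error, no bypass, and a password hash in the table instead of clear text if the database is ever dumped.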