If you are starting your journey in web application or Android penetration testing, SQL injection is one of the first vulnerability classes to learn: it sits in the OWASP Top 10 and turns up constantly in real assessments. To understand SQL injection we first need to understand SQL itself, so let's read the Beginner's Guide To SQL Injection.
Beginner’s Guide To SQL Injection
What is SQL?
SQL stands for Structured Query Language. It is the language used to create, read, update and delete the data held in a relational database, and to define the tables that hold that data.
When you fill in a form on a website, the details you type are stored in a database behind the application. The developers write the queries that create, alter, update and delete that data, and very often those queries are built from the values you typed into the form. That is where SQL injection comes in.
What is SQL Injection?
SQL injection is a vulnerability where user-controlled input (a form field, URL parameter, cookie or header) is placed directly into an SQL query, so that the input is interpreted as part of the query rather than as data. It lets an attacker read data they are not normally able to retrieve, and in many cases modify or delete data, changing the contents of the database.
In some cases SQL injection can even be used to execute commands on the database server's operating system, giving the attacker a foothold from which to attack other systems on the internal network.
Types of SQL Injection:
- In-band
- Out-of-band
- Blind SQLi
SQL Injection Exploitation Techniques:
- Error Based SQLi
Add a single quote character ' to the parameter and look for database errors or other anomalies in the response.
- Union Based SQLi
Append a UNION SELECT to the query so that rows from another table are returned alongside the application's normal results. The injected SELECT must return the same number of columns, with compatible types, as the original query, so first find the column count (for example with ORDER BY n, or UNION SELECT NULL,NULL,... adding one NULL at a time).
- Boolean Based SQLi
Add SQL-specific syntax to the parameter that evaluates to the original value of the entry point, and then to a different value, and look for systematic differences in the resulting application responses.
- Time Based SQLi
Add payloads designed to trigger time delays when executed within an SQL query, and look for differences in the time taken to respond.
- Out of Band SQLi
Add OAST (out-of-band application security testing) payloads designed to trigger a network interaction, such as a DNS lookup to a server you control, when executed within an SQL query, and monitor for any resulting interactions.
Try to identify every parameter in the application that reaches the database:
- Authentication page (username and password fields)
- Search field
- POST parameters
- GET parameters
- HTTP headers (for example Cookie, User-Agent or X-Forwarded-For, which are often logged to a database)
Example: Error based SQLi
First, go to this lab site: https://www.hacksplaining.com/exercises/sql-injection#/start
The vulnerable bank application page will open.
Enter a username and password and check whether any error appears in the application's log:
Username = email@example.com
Password = password
The log shows that the user "email@example.com" exists in the database but the password is invalid.
Now try SQL injection on the password parameter by adding a single quote: password'
The extra quote closes the string literal early, and the log shows a database error:

An error occurred: PG::SyntaxError: ERROR: unterminated quoted string at or near "'password'' limit 1"
LINE 1: ...ers where email = 'email@example.com' and password = 'password''...
                                                                ^
: select * from users where email = 'email@example.com' and password = 'password'' limit 1
Unable to login this user due to an unexpected error.

This error proves two things: the password you typed is concatenated straight into the query, so the application is vulnerable to SQL injection, and the verbose error message leaks the query itself (select * from users where email = '...' and password = '...' limit 1), which tells you exactly how to shape the payload.
Now enter the payload ' or 1=1-- in the password field (any email address will do).
Normally the query only returns a row when the email and password both match a stored user. With the payload, the quote closes the password string, or 1=1 adds a condition that is true for every row, and -- turns the rest of the original query (the closing quote and limit 1) into a comment. Because AND binds tighter than OR, the WHERE clause is read as (email = '...' AND password = '') OR 1=1, which is true for every row in the users table.
select * from users where email = 'email@example.com' and password = '' or 1=1--' limit 1
The database returns the first user in the table and the application logs you in as that user without knowing the password.
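To see the same bug outside the lab, here is an added example (not code from the original post or from the lab site) that rebuilds the vulnerable login query with Python's sqlite3 module. The table contents, function names and payload handling are constructed for the demo; SQLite's error text differs from the PostgreSQL message above, but the cause is identical.

```python
import sqlite3

# Constructed sample users for the demo (not data from the lab site).
USERS = [
    ("email@example.com", "password"),
    ("alice@example.com", "s3cret!"),
]


def setup_db():
    """Create an in-memory SQLite database with a users table like the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_query(email, password):
    """Build the login query by string concatenation, the mistake the
    vulnerable bank application makes (hypothetical reconstruction)."""
    return (
        "SELECT id, email FROM users WHERE email = '" + email + "' "
        "AND password = '" + password + "' LIMIT 1"
    )


def vulnerable_login(conn, email, password):
    """Run the concatenated query and return the matched email, or None.
    Raises sqlite3.OperationalError when the input breaks the SQL syntax."""
    row = conn.execute(build_query(email, password)).fetchone()
    return row[1] if row else None


def probe(conn, email, password):
    """Error-based detection step: classify the response as
    'login', 'denied' or 'error' (the database complained about syntax)."""
    try:
        return "login" if vulnerable_login(conn, email, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = setup_db()
    # Step 1: normal credentials behave as expected.
    print(probe(conn, "email@example.com", "password"))   # login
    print(probe(conn, "email@example.com", "wrong"))      # denied
    # Step 2: a stray quote leaves the string literal unterminated -> database error.
    print(probe(conn, "email@example.com", "password'"))  # error
    # Step 3: the bypass. The query becomes
    #   ... AND password = '' or 1=1--' LIMIT 1
    # AND binds tighter than OR, so the WHERE clause is (false) OR 1=1 and
    # matches every row; the unknown email does not matter.
    print(build_query("nobody@example.com", "' or 1=1--"))
    print(vulnerable_login(conn, "nobody@example.com", "' or 1=1--"))  # email@example.com
```

Run it and compare the printed query with the PostgreSQL one in the lab log: the shape is the same, and the bypass logs in as the first row of the table even with an email address that does not exist.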
Basic SQL statements and clauses:
- SELECT: read data from the database based on search criteria.
- INSERT: insert new rows into a table.
- UPDATE: update existing rows that match the given criteria.
- DELETE: delete existing rows that match the given criteria.
- ORDER BY: sort the result set in ascending or descending order.
- LIMIT: restrict how many rows the query returns (the lab's query ends in limit 1 so that at most one user comes back).
How to Prevent SQL Injection:
- Validate user input:
The first step is validating user input before it reaches a query: check that each value has the type, length and format you expect (a numeric id must be a number, an email field must look like an email address), preferably against an allow-list of permitted values or patterns rather than a block-list of "bad" characters. Validation is defence in depth; it does not by itself make a concatenated query safe.
- Use parameterized queries rather than sanitizing special characters:
Attackers abuse quote characters and comment sequences precisely because the application concatenates their input into the query string. The fix is to stop building queries by string concatenation: use parameterized queries (prepared statements), in which the SQL text is fixed and user values are passed separately as bound parameters, so a quote in the input can only ever be part of the value. Escaping special characters by hand is easy to get wrong and should only be a last resort for the rare case that cannot be parameterized, such as a table or column name chosen from a fixed list.
- Actively manage patches and updates:
Vulnerabilities in applications and databases that are exploitable using SQL injection are regularly discovered and publicly disclosed, so keep all web application components up to date, including the database server, frameworks, libraries, plug-ins and web server software.
- Use a virtual or physical firewall:
A software or appliance-based web application firewall (WAF) can filter out known malicious payloads and buy time while a fix is written, but WAF rules are regularly bypassed with encoding tricks and alternative SQL syntax, so treat the WAF as an extra layer, not as the fix.
- Apply encryption and hashing:
Assume an internet-facing application will eventually be breached. Hashing passwords with a salted, slow algorithm and encrypting confidential data and connection strings does not stop an injection, but it limits what an attacker gains when one succeeds: a dumped users table yields hashes rather than usable passwords. For the same reason, run the application's database account with the least privilege it needs, so that a successful injection cannot drop tables or reach the operating system.
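Putting the advice above together, here is an added example (not code from the original post) of the lab's login written the safe way in Python with sqlite3: a parameterized query, an allow-list check on the email field, and salted PBKDF2 password hashes so that a leaked table does not leak passwords. The table layout, function names, iteration count and sample users are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample users for the demo (not data from the original post).
USERS = [
    ("email@example.com", "password"),
    ("alice@example.com", "s3cret!"),
]

# Allow-list pattern for the email field: the only shape the field may take.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PBKDF2_ROUNDS = 100_000  # demo value; use your platform's current recommendation


def validate_email(email):
    """Input validation: reject anything that is not shaped like an address.
    Defence in depth only; the parameterized query is what stops injection."""
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def setup_db():
    """In-memory SQLite database storing password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    for email, password in USERS:
        salt, digest = hash_password(password)
        conn.execute(
            "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
            (email, salt, digest),
        )
    conn.commit()
    return conn


def safe_login(conn, email, password):
    """Return the user's email on success, else None. Never raises on odd
    input: the SQL text is fixed and the email travels as a bound parameter,
    so a quote or -- in the input is just part of the value, not SQL syntax."""
    if not validate_email(email):
        return None
    row = conn.execute(
        "SELECT email, salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    _, digest = hash_password(password, row[1])
    # Constant-time comparison of the stored and recomputed hashes.
    return row[0] if hmac.compare_digest(digest, row[2]) else None


if __name__ == "__main__":
    conn = setup_db()
    print(safe_login(conn, "email@example.com", "password"))    # email@example.com
    print(safe_login(conn, "email@example.com", "' or 1=1--"))  # None
    print(safe_login(conn, "email@example.com", "password'"))   # None, and no error
    print(safe_login(conn, "' or 1=1--", "anything"))           # None
```

Note that the password is never used in the query at all: the row is looked up by email alone, and the password is checked in application code against the stored hash. Even if the email check were removed, the ? placeholder would still make ' or 1=1-- a literal string that matches no user.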
Tell us what you thought of this post on the Beginner's Guide To SQL Injection. If you want to learn this hands-on, Apply Now.