SQL injection is another approach used by attackers whereby they are able to insert a malicious SQL code in to the database query through input fields. This leads to unauthorized access, data modification or even control of the database in question.
Common Methods with Examples:
Tautology Attack:
Example: Just like you enter your username and password to perform the login on any website. The application might run a query like:The application might run a query like:
Query: GET all data from the users table WHERE the username equates the value of ‘admin’ AND the password equates to a ‘password’.
An attacker could input the following into the password field:An attacker could input the following into the password field:
' OR '1'='1
The query becomes:
SELECT * FROM users WHERE username = ‘admin’ AND password = ” OR ‘1’=’1’;
This query is always true and will thus allow an attacker to gain access to many different systems.
- Union-based Attack:
- Example: An example of an input the attacker might enter would be:
’ UNION SELECT username, password FROM users
If the original query was:If the original query was:
These statements tests a basic SELECT query with includes the columns name and email and filters the contacts table by the ID which is value of 1.
It now becomes:
Query where I will like to obtain the contacts name and email from the contact table with ID ‘1’ while at the same time extracting the user name and password from the user table is:
This could disclose information regarding the users table, which could be sensitive at times.
Error-based Attack:
Example: An attacker may enter:
SELECT * FROM [Table_1] WHERE price_per_dose < ‘$500<50’ AND 1=CONVERT(int, (SELECT @@version))
This might compel the database to return an error that indicates to the attacker the specific SQL server version, in which the attacker could plan for other operations.
Blind SQL Injection:
Example: An attacker could enter, for example, to check whether a condition is true or false:
’ OR id = ‘ ‘ AND (SELECT CASE WHEN (username = ‘admin’) THEN 1 ELSE 0 END) = 1 —
If the application reacts in any way different when this input is employed, the attacker knows that the username ‘admin’ is predefined.
Top comments (0)