Darshan Sahadev Gawade
SQL Injection

What is SQL Injection?

SQL injection is one of the most widely used and most common web-based attacks. For SQL injection to work, the target must be a web application that uses a database.

Consider a web application that uses a database: it may take input from the user and store that information in the database, or it may fetch data from the database and display it to the user. In this process a database query is built, sent to the database and executed there, and any matching data is displayed on the user's side.

In SQL injection, the user manipulates this query; the malicious query is sent to the database, executed there, and the corresponding results are displayed.


SQL Injection is a code injection technique used to execute malicious SQL statements.

A successful SQL injection attack is capable of:

  • Modifying, altering or deleting data from the database
  • Reading and extracting sensitive and confidential data from the database
  • Retrieving the content of a specific file present on the database management system (DBMS)

Types of SQL injection attack


1. In-band SQLi (Classic SQLi)
In-band SQL Injection is the classic SQLi technique and is the most common and easiest to exploit of the SQL Injection attacks. This type of attack takes place when an attacker is able to use the same communication channel both to launch the attack and to gather results from it.

The types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.

  • Error-based SQLi
    Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

  • Union-based SQLi
    Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

2. Inferential SQLi (Blind SQLi)
Inferential SQL Injection may take longer for an attacker to exploit. It is the most dangerous form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application, but the attacker is able to reconstruct the database structure by sending payloads and observing the web application's response and the resulting behavior of the database server.

The types of inferential SQL Injection are Boolean-based Blind SQLi and Time-based Blind SQLi.

  • Boolean-based Blind SQLi
    Boolean-based SQL Injection is an inferential SQL Injection technique that depends on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

  • Time-based Blind SQLi
    Time-based SQL Injection is an inferential SQL Injection technique that depends on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

3. Out-of-band SQLi
Out-of-band SQL Injection occurs when an attacker is not able to use the same channel to launch the attack and gather results from it, i.e. when two different channels are used.

How SQL injection works?

In most web applications the first page is a login page where the user has to enter their credentials to get in.

The SQL query can be written as
select * from database_table
where username=' ' and password=' '

The malicious query is
select * from database_table
where username=''OR 1=1--' and password=' '

SQL injection here uses OR logic. The user has no control over the SQL query itself but does have control over the input. In the example above, OR 1=1-- always evaluates to true: the first single quote ['] closes the string parameter, 1=1 is always true, and -- comments out the remainder of the SQL query.
Thus the entire WHERE condition becomes true and the query is executed.

How to use SQL injection?

GET Method:
In the GET method, the data is passed through the URL of the request, which is why it is visible in the URL.

  Example: https://localhost/index.php?username=abc&password=pass123

Since the data is easily seen in the URL, SQL injection is applied by inserting the malicious string above into the URL parameter.


POST Method:
In the POST method, the data being sent is not visible in the URL.

  Example: https://localhost/index.php

In the POST method, to use SQL injection, the malicious string is entered into the input box (the login form field), as shown above.


How to prevent SQL injection?

On the database side, prepared statements with bound parameters are used. A bound parameter holds the malicious string as a single string value:

select * from database_table
where username=''OR 1=1--' and password=''OR 1=1--'

When a bound parameter is used, 'OR 1=1-- is treated as a single string value rather than as SQL: the quote does not close the string parameter, so the comparison simply fails and the statement becomes false.
Therefore bound parameters are used to prevent SQL injection. This is one method of preventing SQL injection.
