DEV Community

Hussain
SQL Injection - Course Content

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details.

Impacts of SQL-Injection

The impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables, and, in some instances, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should personal information such as phone numbers, addresses, and credit card details be stolen.

Types of SQL-Injection

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

Bug Bounty

If you look at the Hacktivity feed, you'll see that SQL injection bugs are rarely found these days, but that doesn't mean they can't be found. Their critical impact makes SQL injection one of the most rewarded bug classes; hunters have earned up to $25000 for reporting a critical SQL injection bug. So it's worth learning; it could be a game changer for you!

SQL-Injection in MySQL

Suppose the application's query is: select id, firstname, lastname from authors

with a where clause built by concatenating the submitted first and last name directly into the SQL text.

If one provided Firstname: evil'ex and Lastname: Newman, the query string becomes:

select id, firstname, lastname from authors where firstname = 'evil'ex' and lastname ='newman'

The database attempts to run this and fails with an error such as:

Incorrect syntax near il'

because the single quote inside evil'ex closes the string literal early, so the database tried to execute the text after evil as SQL.

You can manipulate the string and get sensitive data from databases, this is how we’re able to perform SQL-Injection attacks, you’ll understand more clearly when we’ll do the practical labs.
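To make the concatenation defect above concrete, here is an added example (my own, not from the post) that runs the same authors lookup against an in-memory SQLite table as a stand-in for MySQL, so the exact error text differs from the one quoted. The table rows are constructed sample data; the vulnerable builder is shown beside a parameterized version that keeps the same input as plain data.

```python
import sqlite3

# Constructed sample data: an in-memory "authors" table shaped like the one in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table authors (id integer primary key, firstname text, lastname text)")
    conn.executemany("insert into authors (firstname, lastname) values (?, ?)",
                     [("Alice", "Newman"), ("Bob", "Newman"), ("evil'ex", "Newman")])
    return conn

def lookup_concatenated(conn, firstname, lastname):
    """Vulnerable: user input is spliced straight into the SQL text.
    Returns the matching rows, or the error the database raises."""
    sql = ("select id, firstname, lastname from authors "
           f"where firstname = '{firstname}' and lastname = '{lastname}'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The quote in evil'ex ends the literal early and the rest is parsed as SQL.
        return f"error: {exc}"

def lookup_parameterized(conn, firstname, lastname):
    """Hardened: placeholders bind the input as data, so a quote is just a character."""
    sql = ("select id, firstname, lastname from authors "
           "where firstname = ? and lastname = ?")
    return conn.execute(sql, (firstname, lastname)).fetchall()

def compare(firstname, lastname):
    """Run both lookups on a fresh database and return (vulnerable_result, safe_result)."""
    conn = make_db()
    return lookup_concatenated(conn, firstname, lastname), lookup_parameterized(conn, firstname, lastname)

if __name__ == "__main__":
    for name in ("Alice", "evil'ex"):
        bad, good = compare(name, "Newman")
        print(f"{name!r}: concatenated -> {bad} | parameterized -> {good}")
```

The parameterized version finds the author literally named evil'ex, while the concatenated version errors out, which is the same symptom the post describes and the first sign a reviewer should look for.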

Practical Labs

LAB 1

Walkthrough

LAB 2

Walkthrough

LAB 3

Walkthrough

LAB 4

Walkthrough

LAB 5

Walkthrough

Very BIG shout out to ARZ for his contributions of writeups for the community.

LAB 6

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it can trigger conditional time delays to infer information.

To solve the lab, exploit the SQL injection vulnerability to cause a 10-second delay.

After accessing the lab, intercept the page's request using browser tools or Burp Suite. I'll be using the Firefox developer tools: refresh the page and you'll see the request in the "Network" tab.

Now, right-click on this tab and click on “Edit and Resend”

Modify the TrackingId cookie, changing it to: TrackingId=x'||pg_sleep(10)--

Submit the request and observe that the application takes 10 seconds to respond.

SQLMAP

When we talk about SQL injection, this tool is what first comes to mind! SQLMAP is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Using sqlmap, you can automate SQL injection attacks and dump the databases. You can also save a captured request to a file and run sqlmap against it; you can find its simplest cheatsheet here.

Conclusion

So, we've covered the basic theoretical and practical knowledge needed to understand what an SQLi vulnerability is and how to exploit it hands-on. We also covered how to capture a request, modify it, and resend it using browser tools. We worked through only the basic practical labs; the remaining ones are for you to practice, get more familiar with the technique, and learn your own way through it. You will find video solutions to the labs under the "community solutions" section, and you can also find the writeups for them. If you're having any problem with anything, feel free to contact me and I'll reply asap. That's it for today's topic; I hope you liked it and learned something new, and I'd appreciate your support. Thanks for reading, and see you on the next topic.

References:
OWASP
PortSwigger
Imperva