SQL Injection | SQLI
Intro to SQL Injection

What is SQLi?
An SQL injection (SQLi) attack exploits the injection of SQL commands into the SQL queries of a web application.
A successful SQLi attack lets malicious hackers access and manipulate a web application's backend database.
To interact with databases, entities such as systems operators, programmers, applications, and web applications use the Structured Query Language (SQL).
You can learn more about SQL here.
SQL is a powerful interpreted language used to extract and manipulate data from a database.
Why does SQLi happen?
SQLi happens when a web developer trusts user input and does not add any input validation or output encoding to stop users from interacting with the database queries.
Modern web frameworks solve this problem with predefined functions that defend against SQLi, such as the PHP-based Laravel framework.
Example:

The $id parameter is vulnerable to SQLi.

Try supplying the id parameter with the payload values shown above to carry out your SQLi attack.
Finding SQL Injection
The most straightforward way to find SQL injections within a web application is to probe its inputs with characters that are known to make the SQL query syntactically invalid, thus forcing the web application to return an error.
Input parameters are carried through GET and POST requests, headers, and cookies, so we have to check every channel through which data is retrieved from the client.
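As an added example (not code from the original page), this Python script uses an in-memory SQLite database to show the vulnerable $id pattern from the Example above beside its parameterized fix, together with the single-quote probe described in this section that surfaces an injectable parameter as a syntax error. The users table, its rows, and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed example: an in-memory SQLite database stands in for the
# application's backend. Not code from the original page.


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The vulnerable pattern: the id parameter is pasted into the SQL text,
    so whatever the client sends is parsed as part of the query."""
    query = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: the value is bound as a parameter, so it is always treated as
    data and can never change the structure of the query."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def probe_for_error(conn: sqlite3.Connection, user_id: str) -> bool:
    """The probing step: a stray single quote makes the query syntactically
    invalid only if the input reaches the SQL parser. Returns True when the
    database raised a syntax error, i.e. the parameter is injectable."""
    try:
        lookup_vulnerable(conn, user_id)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))         # [(2, 'bob')]
    print(lookup_vulnerable(db, "2 OR 1=1"))  # all rows: the WHERE clause was rewritten
    print(lookup_safe(db, "2 OR 1=1"))        # []: the whole string is compared as one value
    print(probe_for_error(db, "2'"))          # True: the syntax error reveals the flaw
```

The parameterized lookup returns nothing for the tautology input because SQLite compares the entire string as a single value against the integer id column; only the concatenated version lets the input rewrite the WHERE clause.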
What are the types of SQLi?

In-band SQL injections:
These leverage the same channel used to inject the SQL code (i.e., the pages generated by the web application).
1. Error-Based SQL injection attack:
The penetration tester tries to force the DBMS to output an error message and then uses that information to perform data exfiltration.
2. Union-Based SQL injection attack:
The user is able to append another SQL query (a UNION) to the original query so that the result set also carries data retrieved by the injected query.
Blind SQL injection:
The results of the injection are not reflected in the output. In this case, the penetration tester must find an inference method to exploit the vulnerability.
1. Blind Boolean-Based SQLi:
Currently, most production websites do not display such errors. This happens both for the usability of the application (it is useless to display errors to end users who cannot understand or fix them) and to achieve security through obscurity.
If the SQL statement is TRUE → the page renders well. If the SQL statement is FALSE → the page renders badly.
2. Blind Time-Based SQLi:
Time is used to infer a TRUE condition from a FALSE condition.
This SQL syntax is used (Microsoft SQL Server syntax; other DBMSs have their own delay functions):
%SQL condition% waitfor delay '0:0:5'
If the condition is true, the response will be delayed by 5 seconds.
What is the impact of a successful SQL injection attack?
A successful SQL injection attack can result in:
unauthorized access to sensitive data such as
passwords
credit card details
personal user information.
Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
SQL injection examples
Retrieving hidden data, where you can modify an SQL query to return additional results.
Subverting application logic, where you can change a query to interfere with the application's logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and structure of the database.
Blind SQL injection, where the results of a query you control are not returned in the application's responses.
SQLMAP
sqlmap is an open-source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
You can automate finding many SQLi flaws with sqlmap.

Automate using sqlmap
Labs
OWASP Broken Web Applications Project: install this machine and you will have a lot of labs such as DVWA, bWAPP, WebGoat, etc.
You can find my solutions for the PortSwigger labs here.