SQL INJECTIONS
By Muvhango magatshavha

INTRODUCTION

  1. What is Structured Query Language (SQL)?

  • SQL is a programming language used for managing and manipulating relational databases.
  • It provides a standardized way to interact with databases, enabling users to query data, update records, insert new data, and delete data.
  • SQL is widely used wherever data management is essential, including web development, enterprise software, and data analysis.
  • Its syntax consists of commands such as SELECT, INSERT, UPDATE, DELETE, and others, each performing a specific operation on the database. For example:

SELECT products FROM shopping_cart WHERE username="John"

Note: the words in all caps are SQL reserved keywords; they cannot be used unquoted as names for your own tables or columns. (Double-quoted string literals, as shown here, are MySQL syntax; standard SQL uses single quotes for strings.)

2. What is SQL Injection (SQLi) and How to Prevent It

  • SQL Injection attacks are among the oldest, most prevalent, and most dangerous web application vulnerabilities.
  • SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements against the database server behind a web application.
  • Attackers can use SQL Injection vulnerabilities to bypass application security measures, going around the authentication and authorization of a web page or web application and retrieving the content of the entire SQL database.
  • They can also use SQL Injection to add, modify, and delete records in the database.
  • Criminals may use an SQL Injection vulnerability to gain unauthorized access to the victim's sensitive data: customer information, personal data, trade secrets, intellectual property, and more.


3. Types of SQL Injection attacks:

There are 4 main types of SQL Injection attacks:

  1. In-band SQLi - In-band SQLi occurs when an attacker is able to use the same communication channel both to launch the SQL injection attack and to retrieve its results. This typically involves injecting malicious SQL code into input fields, such as login forms or search queries, of a vulnerable web application.

In other words, the response to the request that carries the injected query also carries the output of that query.

a) Error-Based Injection - Error-based SQL injection exploits the error messages generated by a database server to extract information about the structure and content of a database. The attacker injects malicious SQL code into input fields of a vulnerable web application to provoke errors during SQL query execution.

The fundamental principle behind error-based SQL injection is to manipulate the SQL query so that it generates an error message containing valuable information, such as database names, table names, columns, or even specific data values. For example, if the injected query causes an error, the error message returned by the database server might reveal details of the database structure or sensitive data.

By iteratively injecting different SQL payloads and analyzing the error messages, attackers can gradually piece together information about the database schema and contents, allowing further exploitation or extraction of sensitive data. Returning a generic error page to the user, and logging the detailed database error only on the server, removes this information channel.

b) Union-Based Injection - Union-based SQL injection is a technique in which the attacker manipulates the structure of an SQL query to combine the results of multiple SELECT statements into a single result set using the UNION operator.

The attack typically involves injecting a payload into input fields, such as search forms or login fields, of a vulnerable web application. The injected payload modifies the original SQL query executed by the application's database, allowing the attacker to retrieve data the query was never meant to return.

One common scenario involves injecting a UNION operator followed by an additional SELECT statement crafted by the attacker. That SELECT can read other tables or columns within the same database, returning information the attacker is not authorized to access.

For example, suppose a vulnerable web application builds its SQL query by pasting an input parameter, such as a username, directly into the query text:

SELECT products FROM shopping_cart WHERE username="John"

An attacker could exploit this by supplying a username that contains a UNION operator and an additional SELECT statement, so that the executed query becomes:

SELECT products FROM shopping_cart WHERE username="John" UNION SELECT * FROM shopping_cart

Note that a UNION only succeeds when both SELECTs return the same number of columns, so the injected SELECT has to match the column count of the original query. Parameterized queries, which keep the input out of the query text entirely, are the standard fix.

2. Out-of-band SQLi - Out-of-band SQLi is a type of SQL injection attack in which the attacker is unable to retrieve the results of the injected query through the same channel used to inject the payload. Instead, the attacker leverages an alternative communication channel (for example, a file written by the database server) to obtain the results.

Out-of-band SQL injection attacks are often used when direct retrieval of data through the web application's response is not possible because of security measures such as output sanitization or firewalls. They can still pose a significant threat to the confidentiality and integrity of a web application's data if proper security measures are not in place.

INTO OUTFILE "server path" - This is a MySQL clause that writes the results of a SELECT query to a file on the database server's filesystem (not the client's). It is one of the channels an out-of-band attack can abuse if the database account holds the FILE privilege.

When using the INTO OUTFILE clause, the syntax specifies the path where the results should be written. For example:

SELECT * FROM users INTO OUTFILE '/path/to/output/file.csv';

On the defensive side, MySQL's secure_file_priv setting restricts the directory INTO OUTFILE may write to (or disables it entirely when set to NULL), and the database account used by the application should not hold the FILE privilege at all.

3. Blind SQLi - Blind SQL injection is a type of SQL injection attack in which the attacker is unable to view the results of the injected query directly in the application's response. Instead, the attacker infers information about the database by observing differences in the application's behaviour or responses.

In this type of attack, the attacker typically injects malicious SQL code into input fields of a vulnerable web application. Unlike traditional SQL injection, where the attacker can see the results of the injected query directly in the application's response, blind (also called inferential) SQL injection relies on differences in the application's behaviour to infer information about the database indirectly.

4. Inferential SQL injection

There are two main subtypes of inferential SQL injection:

a) Boolean-based SQL injection: In this subtype, the attacker injects SQL code that alters the logical conditions of the original query, causing the application to behave differently depending on whether the injected condition is true or false. By observing these differences in behaviour, such as changes in page content, error messages or response times, the attacker can infer information about the database.

E.g. 1+1=2 is a condition that is always true, whereas 1+5=2 is always false. Suppose the application builds a login query from user input:

SELECT * FROM USERS WHERE USERNAME = "JOHN" AND PASSWORD = (INPUT)

If the attacker supplies ABC" OR 1+1=2 # as the password, the double quote closes the string literal and the executed query becomes:

SELECT * FROM USERS WHERE USERNAME = "JOHN" AND PASSWORD = "ABC" OR 1+1=2 #

OR 1+1=2 makes the WHERE clause true for every row, and # starts a MySQL comment that discards whatever followed the injected value, so the check passes without a valid password.

b) Time-based SQL injection: In this subtype, the attacker injects SQL code that introduces a delay into the execution of the query. By measuring how long the application takes to respond, the attacker can infer information about the database from whether the injected condition causes the delay or not.

E.g. SLEEP(5) pauses query execution for 5 seconds. MySQL's SLEEP() takes its argument in seconds, so SLEEP(5000) would wait 5000 seconds, not 5.

Inferential SQL injection attacks can be more challenging to detect and exploit than traditional SQL injection, as they do not rely on direct feedback from the application. They can still pose significant security risks to web applications and their underlying databases if not properly mitigated.

Preventing inferential SQL injection attacks requires secure coding practices such as input validation, parameterized queries, and the principle of least privilege. Additionally, developers and administrators should conduct thorough security testing to identify and address vulnerabilities in web applications before attackers can exploit them.

Detecting and mitigating SQL Injection threats in general calls for the same measures: input validation, parameterized queries, and least privilege for the database account the application uses. Developers and administrators must diligently conduct security testing to identify and remediate vulnerabilities before exploitation. By adopting these proactive measures, organizations can safeguard their databases and web applications against SQL Injection attacks, ensuring data integrity and user privacy.
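The UNION and boolean-based payloads described above, run against an in-memory SQLite database with each query built two ways (string concatenation versus a parameterized query), as an added example that is not code from the article. The table and column names follow the article's examples, the sample rows are constructed, and the payloads end in -- comments because SQLite lacks MySQL's # comment.

```python
import sqlite3

# Constructed sample data (not from the article); names follow its examples.
SCHEMA = """
CREATE TABLE shopping_cart (username TEXT, products TEXT);
INSERT INTO shopping_cart VALUES ('John', 'laptop'), ('Alice', 'phone');
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('John', 's3cret'), ('Alice', 'hunter2');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def cart_vulnerable(conn, username):
    # Input is pasted into the SQL text, so quotes and keywords inside it
    # become part of the query (the article's UNION scenario).
    sql = f"SELECT products FROM shopping_cart WHERE username='{username}'"
    return [row[0] for row in conn.execute(sql)]

def cart_safe(conn, username):
    # The ? placeholder sends the value separately from the SQL text, so it
    # is only ever compared against the column, never parsed as SQL.
    sql = "SELECT products FROM shopping_cart WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]

def login_vulnerable(conn, username, password):
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def union_column_mismatch(conn):
    # A UNION whose injected SELECT returns a different column count
    # (users has two columns, the original query selects one) is rejected.
    try:
        cart_vulnerable(conn, "John' UNION SELECT * FROM users --")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = open_db()
    print(cart_vulnerable(db, "John' UNION SELECT username FROM users --"))
    print(login_vulnerable(db, "John", "x' OR 1+1=2 --"))  # every user
```

The parameterized versions return no rows for the same payloads because the whole string is treated as a username or password value rather than as SQL.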
