SQL Injection

SQL Injection

What is an SQL Injection?

When any application uses un-sanitized user input directly in the SQL query, SQL injection arises. SQL Injection is on top of OWASP Top 10 because of its severity and impact on the application. If successfully exploited, an attacker can get lots of sensitive and private information.

How does an SQL Injection work?

When user-supplied inputs are used to craft an SQL query, the user may apply malicious payload to input. This payload can change the behavior of the query to perform malicious activity on the application.

What an attacker can do?

SQL Injection vulnerability has a very high impact on the database as an attacker can read, modify or delete data from the database. An attacker can get information regarding the database and data itself.

Which information can be disclosed by exploiting an SQL Injection?

Following information regarding database may be at risk:

·      List of database

·      List of database users

·      List of database privileges

·      Current user privileges

·      If the current user is DBA or not

·      Password hashes of all DB users

An attacker may also perform the following actions on data:

·      Get the list of tables

·      Get the list of columns

·      Dump whole table

·      Get table name from column name like password

If some misconfiguration is there it may be riskier at the system level. An attacker can write files to the internal system, which can be used as a backdoor for further exploitation. If the current user is DBA, for e.g. in case of MSSQL then an attacker can access the shell by enabling xpCmdShell and then an attacker can reach to AD as a part of further exploitation – pivoting

What are the types of SQL Injection?

There are 3 major categories of SQL Injection, inferential, In-Band and Out band. Detailed categorization would be as following.

·      Inferential SQL Injection includes all blind SQL Injection

o   Blind-Boolean based SQL Injection

o   Blind-Time based SQL Injection.

·      In-band SQL Injection contains all other which gives output via the same band

o   Stack-based SQL Injection

o   Error-based SQL Injection

o   Union-based SQL Injection

·      Out of band SQL Injection includes all which gives output via another channel

How to detect an SQL Injection?

We can detect or find SQL Injection manually and via SQLMap or burp scanner. In manual testing, we can basically apply payloads like a single quote to a two-time single quote, etc. If we find any error or difference in response or in response time, we can confirm by providing payloads like SLEEP in MySQL and Oracle or WAITFOR DELAY in MSSQL. Once we can confirm it we can move to the exploitation part where we can break the existing query and try to create or join a new one.

Example:

strSQL = “SELECT * FROM Users WHERE user_id = ” + strUserId;

In the above statement, an SQL query is constructed from user input, which is strUserId. If the user_id parameter is vulnerable to SQL Injection, an attacker can use this vulnerability to get data of all users by applying payload “222 OR 1=1”; here 222 is the user id. After applying the payload, the query will be modified to get all users as shown below.

strSQL = “SELECT * FROM Users WHERE user_id = 222 OR 1=1”

“1=1” condition is always true and the above statement will return all details of each user including contact information, password, etc.

How to exploit an SQL Injection?

For exploitation, we can use automated tools like SQLMap or we can exploit it manually. For exploiting manually, exploitation depends on the type of the SQL Injection and type of Database. To know more about exploitation, please read the next blogs.

How to prevent SQL Injection?

The most important and efficient way of preventing any kind of SQL Injection is to use a parameterized query so user inputs may not affect the intended behavior of the original query. Other small things may be crucial like the use of proper validations and encoding of un-trusted or un-sanitized user inputs.