Overview

SQL Injection is a web security vulnerability that allows attackers to execute custom SQL queries by taking advantage of unvalidated inputs.

SQL injections can have a high impact and are easy to carry out, making them one of the most common exploited vulnerabilities.

Notes

Types of SQL injection attacks

There are several types of SQL injection attacks:

• Retrieving hidden data
• Subverting application logic
• UNION attacks
• Examining the database
• Blind SQL injection

Basic SQL injection attack

Start with a hypothetical web application. When you browse to this URL:

https://insecure-website.com/products?category=Gifts

it runs this SQL query:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

(Here, the "released" field indicates products that have been made public.)

If the category name specified by the user is not sanitized, then this web app is vulnerable to SQL injection.

We start with a single quote to end the category string, then write our own SQL for the server to run.

Here, we add the SQL symbol -- (which makes everything that follows a comment, ignoring the "AND" portion and bypassing the "released=1" condition check.)

https://insecure-website.com/products?category=Gifts'--

This will show all products, including unreleased products.

Or the attacker can and an "OR" and a condition that is always true:

https://insecure-website.com/products?category=Gifts'+OR+1=1--

Subverting application logic

If a login page of a web application is checking for a username and password, it might use the username/password in a query like this:

SELECT * FROM users WHERE username = 'user' AND password = 'nopass'

If user inputs are not sanitized, SQL injection attack is possible.

An SQL injection attack could use the username

administrator'--

which would terminate the SQL query before the "AND" check, bypassing the password check and making any password valid.