SQL Injection

From charlesreid1

Overview

SQL Injection is a web security vulnerability that allows attackers to execute custom SQL queries by taking advantage of unvalidated inputs.

SQL injections can have a high impact and are easy to carry out, making them one of the most common exploited vulnerabilities.

Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

Notes

Types of SQL injection attacks

There are several types of SQL injection attacks:

  • Retrieving hidden data
  • Subverting application logic
  • UNION attacks
  • Examining the database
  • Blind SQL injection

Basic SQL injection attack

Start with a hypothetical web application. When you browse to this URL: 

https://insecure-website.com/products?category=Gifts

it runs this SQL query: 

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

(Here, the "released" field indicates products that have been made public.)

If the category name specified by the user is not sanitized, then this web app is vulnerable to SQL injection.

The value we provide for category should start with a single quote, to end the category string variable, followed by a custom SQL query for the server to run.

Here, we add the SQL symbol -- (which makes everything that follows a comment, ignoring the "AND" portion and bypassing the "released=1" condition check.) 

https://insecure-website.com/products?category=Gifts'--

This will show all products, including unreleased products.

Or the attacker can and an "OR" and a condition that is always true: 

https://insecure-website.com/products?category=Gifts'+OR+1=1--

Subverting application logic

If a login page of a web application is checking for a username and password, it might use the username/password in a query like this: 

SELECT * FROM users WHERE username = 'user' AND password = 'nopass'

If user inputs are not sanitized, SQL injection attack is possible.

An SQL injection attack could use the username 

administrator'--

which would terminate the SQL query before the "AND" check, bypassing the password check and making any password valid.

Retrieving data from other tables

Main article: SQL Injection/UNION Attack

Also known as a UNION attack, this type of attack uses an SQL injection vulnerability to retrieve data about other tables in the SQL database.

Suppose a web application runs an SQL query using a user-specified category like so: 

SELECT name, description FROM products WHERE category = 'Gifts'

In this case, if we run with the category 

' UNION SELECT username, password FROM users--

it would cause all usernames and passwords to be returned, in addition to product listings.

(Note, this example is oversimplified - it may take some extra work to craft the right UNION query.)

This type of attack is called a UNION attack. See SQL Injection/UNION Attack

Retrieved from "https://charlesreid1.com/w/index.php?title=SQL_Injection&oldid=29374"