SQL Injection Attack – Explained

"An SQL query is a trusted command." That is the biggest lie believed by web developers who are unaware of the ways a query can be tampered with. Injected SQL can get around access controls, bypass standard authentication checks, and even offer access to operating-system-level commands on the database host.

Direct SQL command injection is a technique that lets an attacker create new SQL commands, or alter existing ones, to access hidden data or to cause other kinds of disruption on the database host. Any application that takes user input and combines it with static parameters to build an SQL query is exposed to it.

Because of missing input validation, the attacker may even be able to create a superuser in your database.

What is an SQL Injection Attack?

An SQL injection attack is a common intrusion technique used to gain access to sensitive information in a database. Even if the database system itself has few vulnerabilities, an attacker can influence the query that the application sends to it. The query is generated in a way that makes the database parser treat the attacker's input as SQL, which makes dealing with SQL injection more important than ever. Recently, the widespread adoption of the internet has driven rapid advances in the information technology field.

The general public uses the internet to access information, so an application must give quick access to the owner's information while blocking break-in attempts. It has been found that almost 50% of databases are used for one or another important purpose, such as financial transactions or educational records.

How is an SQL Injection Attack launched?

SQL injection can be carried out through various methods. Here you will get the basic concepts of SQL injection. Let us begin with an example. Suppose you are on an eCommerce website and have already set some filters for a product; its URL might look like:

http://www.completeecommerce.com/categories.php?params=100

To test this website for SQL injection, you can try appending a tautology such as OR '1'='1' to the param:

http://www.completeecommerce.com/categories.php?params=100'OR'1'='1

If the above injection works and lets you see the products, the website is vulnerable to SQL injection. It means that at the backend the script executed: SELECT * FROM Categories WHERE params='100' OR '1'='1' ORDER BY CategoryDescription. Since the condition '1'='1' is always true, this will give you a list of all the products.

Suppose a website uses the following URL for logging into the admin panel:

http://www.completeecommerce.com/admin/securelogin.php?username=Devit&password=dev

Now, if the website is vulnerable to injection as in the above example, entering any username together with an injected password can let you log into the admin panel:

http://www.completeecommerce.com/admin/securelogin.php?username=dnt&password=dnt' OR '1'='1

Now you can log in to the admin panel of the website without a valid username and password.

WHY?? (SQL Injection Attack Intent)

There can be various reasons for an attacker to carry out an SQL injection attack.

1. Identifying Injectable Parameters:

The attacker may need to probe the web application to discover the parameters and user input fields that are vulnerable to attack.

2. Performing Database Fingerprinting:

The attacker may want to discover the type and version of the database used by the web application. Different databases respond differently to the same queries and attacks, which can be used to "fingerprint" the database. Once the attacker knows the type and version of the database, he/she can craft attacks specific to it.

3. Determining Database Schema:

In order to extract the data correctly from the database, the attacker is required to know the database schema information such as table names, column names, and column data types.

Types of SQL Injection Attack

1. Tautologies:

This attack injects code into one or more conditional statements so that they always evaluate to true. The technique is mostly used to bypass authentication pages and extract data. When the attack succeeds, the code will either display all the returned records or perform some action when at least one record is returned.

For example: in this attack, the attacker submits "' or 1=1 --". The login query becomes SELECT * FROM user_details WHERE loginID='' or 1=1 -- AND flag1='' The code injected into the conditional (OR 1=1) transforms the WHERE clause into a tautology. The query evaluates to true for every row in the table and returns all of them.

In our example, the returned set evaluates to a non-null value, which causes the application to conclude that the user authentication was successful. Therefore, the application would invoke the method user_main.aspx to access the application.
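The admin-panel login URL earlier on this page and the tautology just described come down to the same defect: the request value is spliced into the SQL text. The Python script below is an added example (not code from the original article); it builds a constructed SQLite stand-in for the user_details table, shows the concatenated query accepting the injected password, and shows the parameterised form treating the same payload as a plain string. The admin row and its password are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the article's user_details table, one admin row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (loginID TEXT, pass1 TEXT, flag1 TEXT)")
    conn.execute("INSERT INTO user_details VALUES ('Devit', 'dev', 'admin')")
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    # Vulnerable pattern: the request values are concatenated into the SQL
    # text, so quotes, OR and -- inside them are parsed as SQL.
    sql = ("SELECT loginID FROM user_details WHERE loginID='" + username
           + "' AND pass1='" + password + "'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username: str, password: str) -> list:
    # Hardened pattern: placeholders, with the values passed separately, so the
    # same payload is compared as a literal string and matches nothing.
    sql = "SELECT loginID FROM user_details WHERE loginID=? AND pass1=?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "dnt' OR '1'='1"          # password value from the article's URL
    print("vulnerable:", login_vulnerable(db, "dnt", payload))      # [('Devit',)]
    print("safe:      ", login_safe(db, "dnt", payload))            # []
    print("tautology: ", login_vulnerable(db, "' OR 1=1 --", "x"))  # [('Devit',)]
```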

2. Union Query:

In union-query attacks, the attacker injects a statement of the form UNION SELECT. Because the attacker completely controls the second, injected query, he/she can use it to retrieve information from any table of his/her choosing. The result is that the database returns a dataset that is the union of the results of the original first query and the results of the injected second query.

Example: an attacker could inject the text "' UNION SELECT flag1 from user_details where secureloginID='secretkey' --" into the login field, which produces the following query: SELECT pass1 FROM user_details WHERE loginID='' UNION SELECT flag1 from user_details where secureloginID='secretkey' -- AND flag1='' Assuming that there is no login equal to "", the original first query returns the empty set, whereas the second query returns data from the user_details table. In this case, the database returns the column flag1 for the account "secretkey". The database takes the results of the two queries, unions them, and returns them to the application. In many applications, the effect is that the value of flag1 is displayed along with the account information.

3. Blind Injection:

Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. By adding additional conditions to the SQL statement and evaluating the web application’s output, you can determine whether or not the application is vulnerable to SQL injection.

For instance, many institutions allow internet access to the details of their alumni. A URL for accessing the record of the alumnus with ID 5 might look like this:

http://www.abccollege.com/alumni.jsp?paramsID=5

The SQL statement the web application would use to retrieve the alumni information might look like this (the client-supplied input is the value 5):

SELECT academics, course, leaving_year, information FROM alumni WHERE paramsID = 5

The database server responds by returning the alumni data. The web application then formats it into an HTML page and sends the response to the client.

To determine whether the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause. For example, if you request this URL:

http://www.abccollege.com/alumni.jsp?paramsID=5 AND 1=1

the database server executes the following query:

SELECT academics, course, leaving_year, information FROM alumni WHERE paramsID = 5 AND 1=1

If this query returns the same alumni record, the application is susceptible to SQL injection.
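From the defender's side, the probes described in this section (AND 1=1), the tautology in the earlier login URL, and a UNION SELECT all leave traces in the web server's access log. The Python detector below is an added example, not code from the original article; it URL-decodes the query string of each request line and flags the patterns this page describes. The log lines are constructed for the demo and use documentation IP ranges.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines for the demo (Apache common format, trimmed).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /categories.php?params=100 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /categories.php?params=100%27OR%271%27%3D%271 HTTP/1.1" 200 98000
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /alumni.jsp?paramsID=5%20AND%201%3D1 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /admin/securelogin.php?username=dnt&password=dnt%27+OR+%271%27%3D%271 HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /alumni.jsp?paramsID=%27+UNION+SELECT+flag1+FROM+user_details-- HTTP/1.1" 500 512
198.51.100.7 - - [10/Oct/2023:13:58:10 +0000] "GET /search.php?q=o%27neill HTTP/1.1" 200 1024
"""

# One pattern per attack type this page describes; a lone apostrophe (o'neill)
# is deliberately not enough to fire.
PATTERNS = {
    "tautology": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),      # 'OR'1'='1
    "boolean-probe": re.compile(r"(?i)\b(and|or)\s+\d+\s*=\s*\d+"),   # AND 1=1
    "union": re.compile(r"(?i)\bunion\s+(all\s+)?select\b"),          # UNION SELECT
    "comment-terminator": re.compile(r"(--|/\*)\s*$"),                # trailing --
}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def scan_log(text: str) -> list:
    """Return (line_no, attack_type, decoded_query) for every suspect request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode once so %27 and + become the quote and space the database saw,
        # then collapse runs of whitespace so the patterns stay simple.
        query = unquote_plus(urlsplit(m.group(1)).query)
        query = re.sub(r"\s+", " ", query)
        for name, pattern in PATTERNS.items():
            if pattern.search(query):
                hits.append((line_no, name, query))
    return hits

if __name__ == "__main__":
    for line_no, name, query in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}: {query}")
```

Signature matching of this kind is a triage aid for log review, not a substitute for parameterised queries in the application itself.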

Suppose you have a Web-based application that stores usernames alongside other session information. Given a session identifier such as a cookie, you want to retrieve the current username and then use it in turn to retrieve some user information. You might, therefore, have code for an “Update User Profile” screen somewhat similar to the following:

-- look up the current user's name from the session's student id
execute immediate 'SELECT studentname FROM datatable WHERE student='''||studentid||'''' into studentname;

-- then reuse that stored name, again by concatenation, to fetch the profile
execute immediate 'SELECT ssn FROM students WHERE studentname='''||studentname||'''' into ssn;
This is injectable if the attacker had earlier, on the "Create Account" screen, created a username such as YYY' OR username='HARRY, which creates the query: SELECT ssn FROM students WHERE studentname='YYY' OR username='HARRY'

If the user YYY does not exist, the attacker has successfully retrieved HARRY's social security number. An attacker can also create malicious database objects, such as a function called as part of an API or a maliciously named table, by using double quotation marks to introduce dangerous constructs.

For example, an attacker can create a table with a name such as "tab') or 1=1--", which can be exploited later in a second-order SQL injection attack.
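The second-order case above is worth seeing end to end, because escaping at the Create Account screen does not help once the stored value is concatenated again on the profile screen. This Python script is an added example (not the article's PL/SQL); it uses a constructed SQLite schema modelled on the page's datatable and students tables, writes the injected condition against studentname rather than the page's username column, and compares the concatenated profile lookup with a parameterised one. The session id and the SSN values are constructed placeholders.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed schema: session -> name, and name -> ssn, one victim row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE datatable (student TEXT, studentname TEXT)")
    conn.execute("CREATE TABLE students (studentname TEXT, ssn TEXT)")
    conn.execute("INSERT INTO students VALUES ('HARRY', 'ssn-of-harry')")
    return conn

def create_account(conn, studentid: str, studentname: str) -> None:
    # "Create Account" screen: quotes are doubled before concatenation, which
    # blocks first-order injection here, so the crafted name is stored intact.
    safe = studentname.replace("'", "''")
    conn.execute("INSERT INTO datatable VALUES ('" + studentid + "', '" + safe + "')")
    conn.execute("INSERT INTO students VALUES ('" + safe + "', 'ssn-of-yyy')")

def lookup_ssn_vulnerable(conn, studentid: str) -> list:
    # "Update User Profile" screen, mirroring the page's two EXECUTE IMMEDIATE
    # strings. The second query re-concatenates a value read from the database,
    # not from the request, so input filtering never gets a look at it.
    (studentname,) = conn.execute(
        "SELECT studentname FROM datatable WHERE student='" + studentid + "'").fetchone()
    sql = "SELECT ssn FROM students WHERE studentname='" + studentname + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_ssn_safe(conn, studentid: str) -> list:
    # Same two lookups with bind parameters: the stored name is matched as one
    # literal string, so it can only ever return the attacker's own row.
    (studentname,) = conn.execute(
        "SELECT studentname FROM datatable WHERE student=?", (studentid,)).fetchone()
    return [row[0] for row in conn.execute(
        "SELECT ssn FROM students WHERE studentname=?", (studentname,))]

if __name__ == "__main__":
    db = make_db()
    create_account(db, "sess-42", "YYY' OR studentname='HARRY")
    print("vulnerable:", lookup_ssn_vulnerable(db, "sess-42"))  # ['ssn-of-harry']
    print("safe:      ", lookup_ssn_safe(db, "sess-42"))        # ['ssn-of-yyy']
```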

How to Prevent SQL Injection Attack?

Stay tuned! Eight ways to prevent SQL injection attacks will be explained in detail.