SQL INJECTION

Structured Query Language Injection (SQLi) is when an attacker can provide data (for example, via a a text input field) and the data is included as part of a SQL query. This can lead to an attacker accessing data that they are not supposed to access. 


NOTE: Basic cheat sheet for SQL queries can be found here: SQL Basics Cheat Sheet | DataCamp
NOTE: SQLi Cheat sheet: SQL injection cheat sheet | Web Security Academy (portswigger.net)

A simple example of an Sql injection could be visiting a a blog and viewing the post with the id of 1:

https://example.com/blog?id=1

If the application is using SQL, the query that is used to retrieve the post with the id of 1 would look something like:

SELECT * FROM blog WHERE id=1 AND private=0 LIMIT 1;

This would return to the user the one blog post with the id of 1, that had a private value of 0. In this case, the private value is used to determine if the blog post is private or not. 

One way an attacker could get around this privacy filter is by using SQL injection. An attacker could instead use the following payload:

https://example.com/blog?id=2;--

This payload will request the blog post with the id of 2 and comment out the rest of the query that the developers have written in their code.


In-Band SQLi

In-Band refers to the same method of communication being used to exploit the vulnerability and received the results. For example, preforming an SQLi to a website and receiving the results back on the same page. 

Error-Based SQLi
This is when error messages from databases are printed directly to the screen. This can be used to enumerate over a whole database.

Union-Based SQLi
This type on injection utilises the SQL UNION operator to return additional results to a page and therefore extracting large amounts of data. 

Blind SQLi

Blind SQLi is where we get little or no feedback from out SQLi attempts regardless if they are successful or not. This is because error messages have been disabled, however we only need a little bit of feedback to enumerate an entire database.

Authentication Bypass
One of the most straightforward Blind SQLi techniques is bypassing log in forms. In this instance, we aren't interested in seeing the data in database, but instead just bypassing a login. When using a database for log in forms, a web application isn't concerned with the content of the username or password, but instead just making sure the user input matches an entry in the database. For example, when asking a database "do you have a user called Jon with a password of Password123?" the web page is only concerned with true/false.

Boolean Based
Boolean based SQLi refers to the response we receive back from our injection attempts, which only ever have Boolean outcomes. At first, this sounds limited, but it is possible to enumerate and entire database structure and its contents.

Time Based
A time-based SQLi is very similar to the above Boolean based method in that there is no visual indicator of the outcome of queries. Instead the indicator of a correct query is based on the time a query takes to complete. The time delay is introduced by using methods such as SLEEP() alongside UNION . The SLEEP() method will only work upon a successful UNION SELECT statement. 

Out-of-Band SQLi

Out-of-Band SQL Injection isn't as common as it either depends on specific features being enabled on the database server or the web application's business logic, which makes some kind of external network call based on the results from an SQL query.

An Out-Of-Band attack is classified by having two different communication channels, one to launch the attack and the other to gather the results. For example, the attack channel could be a web request, and the data gathering channel could be monitoring HTTP/DNS requests made to a service you control.

1) An attacker makes a request to a website vulnerable to SQL Injection with an injection payload.

2) The Website makes an SQL query to the database which also passes the hacker's payload.

3) The payload contains a request which forces an HTTP request back to the hacker's machine containing data from the database.


Remediation

Whilst SQLi can be very damaging, developers do have ways to protect their web apps from SQLi vulnerabilities:

  • Prepared Statements: The developer writes the whole SQL query first, only allowing the user to change the parameters of the query.
  • Input Validation: Only allowing certain strings or using string replacement methods to only allow certain inputs.
  • Escaping User Input: Allowing users to use characters such as ' " $ \ can be dangerous, so prepending them with a backslash (\) to these characters will allow them to be parsed as a regular string instead of a special character.


Comments

Post a Comment

Popular posts from this blog

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address o...
Read more

PASSIVE AND ACTIVE RECONNAISSANCE

Image
In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target. Some Passive Reconnaissance tools we will explore: whois nslookup dig DNSDumpster Shodan.io Some Active Reconnaissance tools we will explore: ping traceroute telnet nc Passive Reconnaissance In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include: Looking up DNS records from a public DNS server Checking job ads related to the target website Reading news articles about the target company Visiting social media sites of the company or their employees Whois Whois is a request and response protocol that follows the  RFC 3192  specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for mainta...
Read more

CROSS-SITE SCRIPTING

Image
Cross-Site Scripting (XSS) is an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.  XSS Payloads In XSS the payload is the JavaScript code we wish to be executed on the targets machine. The payload is comprised of two parts, the intention and the modification. The intention is what the attacker intends the JavaScript to execute and the modification is the changes the attacker needs to do on the code to make it execute in each specific scenario.  Proof of Concept This is a simple payload in order to prove that an attacker can actually achieve XSS on a website: <script>alert('XSS');</script> Session Stealing Details of a users session, such as log in tokens are often kept in cookies on the targets machine. The below JavaScript takes the target's cookie, base64 encodes it to ensure successful transmission and then posts it to a website under the attackers control <script>fet...
Read more