SQL injection (SQLi) attacks target websites and web applications that build SQL queries out of user-supplied data. The attacker strategically inserts malicious input into an existing query so that the database executes statements the developer never intended. The injected code is crafted to reveal or manipulate data stored in the tables of the backend database.
SQL injection is a powerful and dangerous attack technique. It exploits flaws in the way a website or application constructs its database queries. The fundamental idea is to inject SQL commands that reveal sensitive information from the database; a single injectable parameter can therefore lead to a high-profile compromise.
The Scope of SQL Injection
SQL injection can be a serious threat to a website or application. Its impact can be measured by what the attacker manages to achieve with it:-
- Bypassing authentication
- Revealing sensitive information
- Compromising data integrity
- Erasing the database
- Remote code execution
How SQL Query Works
An injected SQL query is executed by the database server, and its result comes back in the application's response. For example, consider a SELECT statement sent to the server that reads the whole "Orders" table.
Such a command reveals every record stored in the "Orders" table. If an organization keeps the records of its orders in that table, all of the information held there is extracted by the single command.
SQL Delete Query
The DELETE statement removes existing records from a table. To understand it, consider a table "Customers" in a database that holds a handful of customer records. Executing the following DELETE statement erases the record whose name matches:
DELETE FROM Customers WHERE CustomersName='Alfreds Futterkiste';
Afterwards the table no longer contains the row for Alfreds Futterkiste.
There are many SQL statements that can be abused in this way. The ones shown here are among the most common and effective for injection.
SQL Update Query
The UPDATE statement modifies existing records in a table. For example, consider the following command:
UPDATE Customers SET ContactName = 'IPSpecialist', City = 'Frankfurt' WHERE CustomerID = 1;
After it runs, the row with CustomerID 1 carries the new ContactName and City while every other row is untouched.
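The DELETE and UPDATE statements above, run against a small table so their effect can be seen, together with what happens when the WHERE clause is built from untrusted input. This is an added example, not code from the original page: it uses Python's sqlite3 module rather than a real web backend, the rows are constructed sample data (the page's before/after tables were images), and the column name CustomerName is assumed alongside the page's CustomerID, ContactName and City.

```python
import sqlite3

# Constructed sample rows standing in for the page's Customers table; the
# original before/after tables were images and are not reproduced here.
# Column names follow the page's UPDATE example (CustomerID, ContactName,
# City); CustomerName is assumed for the name column.
CUSTOMERS = [
    (1, "Alfreds Futterkiste", "Maria Anders", "Berlin"),
    (2, "Ana Trujillo Emparedados y helados", "Ana Trujillo", "Mexico D.F."),
    (3, "Antonio Moreno Taqueria", "Antonio Moreno", "Mexico D.F."),
]


def fresh_db():
    """Return an in-memory SQLite database populated with the sample table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Customers ("
        "CustomerID INTEGER PRIMARY KEY, CustomerName TEXT, "
        "ContactName TEXT, City TEXT)"
    )
    con.executemany("INSERT INTO Customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return con


def rows(con):
    """All remaining rows, ordered so results are stable to compare."""
    return con.execute("SELECT * FROM Customers ORDER BY CustomerID").fetchall()


def delete_customer(con, name):
    """Intended DELETE: remove the one row whose name matches, bound safely."""
    con.execute("DELETE FROM Customers WHERE CustomerName = ?", (name,))
    return rows(con)


def update_contact(con, customer_id, contact, city):
    """Intended UPDATE: change the contact details of a single CustomerID."""
    con.execute(
        "UPDATE Customers SET ContactName = ?, City = ? WHERE CustomerID = ?",
        (contact, city, customer_id),
    )
    return rows(con)


def delete_customer_unsafe(con, name):
    """Same DELETE, but the name is pasted into the statement text.

    With an ordinary name this behaves like delete_customer; with a value
    such as  ' OR '1'='1  the WHERE clause becomes always-true and every
    row is removed.  This is the injectable pattern the page describes.
    """
    sql = f"DELETE FROM Customers WHERE CustomerName = '{name}'"
    con.execute(sql)
    return rows(con)


def demo():
    """Run the page's DELETE and UPDATE, then show the WHERE-clause wipe."""
    con = fresh_db()
    after_delete = delete_customer(con, "Alfreds Futterkiste")  # rows 2 and 3 remain
    after_update = update_contact(con, 2, "IPSpecialist", "Frankfurt")
    wiped = delete_customer_unsafe(fresh_db(), "' OR '1'='1")   # table emptied
    return after_delete, after_update, wiped


if __name__ == "__main__":
    labels = ("after DELETE", "after UPDATE", "after injected DELETE")
    for label, result in zip(labels, demo()):
        print(label, result)
```

The parameterized versions send the value separately from the SQL text, so a name containing a quote is compared literally. In the concatenated version the same quote ends the string early, and the always-true `OR '1'='1'` turns a one-row DELETE into the "erasing the database" outcome listed above.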
A SQL injection, or SQLi, is a vulnerability that allows an attacker to "inject" SQL statements into a target and access its database. The potential here is extensive, which is why it is often a highly rewarded vulnerability. For example, attackers may be able to perform some or all CRUD actions (Create, Read, Update, Delete) on database information. In some cases attackers are even able to achieve remote command execution.
SQLi attacks are usually the result of unescaped input being passed into a site and used as part of a database query. An example of this might look like:
$name = $_GET['name'];
$query = "SELECT * FROM users WHERE name = '$name'";
Here, the value coming from user input is inserted straight into the query string. If a user entered test' OR 1=1, the query would become SELECT * FROM users WHERE name = 'test' OR 1=1, which matches every row; an application that reads only the first result therefore gets the first row in the table, often an administrator. Other times, you may have something like:
$query = "SELECT * FROM users WHERE (name = '$name' AND password = 12345)";
In this case, the same payload, test' OR 1=1, would leave the statement as:
$query = "SELECT * FROM users WHERE (name = 'test' OR 1=1 AND password = 12345)";
Here the query behaves a little differently (at least with MySQL). AND binds more tightly than OR, so the condition is read as name = 'test' OR (1=1 AND password = 12345): we get the records where the name is test plus the records whose password is 12345, not the whole table. That does not achieve the goal of returning the first record in the database, so the password check has to be eliminated, which a comment can do: test') OR 1=1;-- . The closing parenthesis balances the one the application opened (without it the truncated statement is unbalanced and fails), the semicolon ends the statement, and the two dashes (followed by a space, which MySQL requires) turn everything after them, AND password = 12345), into a comment that is never evaluated. The result is the same as in the first example.
SQL Injection Tools
There are several tools available for automating SQL injection, such as:-
- BSQL Hacker
Drupal SQL Injection
URL: any Drupal site running a version earlier than 7.32
Report Link: https://hackerone.com/reports/31756
Date Reported: October 17, 2014
Bounty Paid: $3000
SQLi can be extremely significant and dangerous for a site. Finding this type of vulnerability can give full CRUD permissions over the site's data, and in other cases it can be escalated to remote code execution. The Drupal example was one such case: the flaw was in Drupal core's database abstraction layer (SA-CORE-2014-005, CVE-2014-3704, fixed in 7.32), where array keys supplied as query parameters were expanded into the SQL text without sanitization, and there is evidence of attackers executing code through it. When hunting for these, keep an eye out not only for unescaped single and double quotes reaching a query, but also for opportunities to supply data in unexpected shapes, such as substituting array parameters for scalar values in POST data.