SQL Injection
What is SQL Injection?
A vulnerability which allows an attacker to interfere with the queries that a web application makes to its database, letting them retrieve and view data that they are not normally able to access. The attacker may also be able to modify or completely delete that data, causing persistent data corruption.
In some cases the attacker might be able to escalate the attack to compromise the underlying server or perform a DoS attack.
Impact
- Unauthorized access to sensitive data (passwords, credit card details, personal information, etc.).
- Compromising the underlying infrastructure.
- Obtaining a persistent backdoor, which leads to a long-term compromise of the infrastructure.
Common SQLi Examples
Retrieving hidden data
Modifying an SQL query so that it returns additional results.
https://insecure-website.com/products?category=Gifts'--
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
The -- sequence starts an SQL comment, so the rest of the query (including AND released = 1) is ignored and unreleased products are returned too.
https://insecure-website.com/products?category=Gifts'+OR+1=1--
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
Because OR 1=1 is always true, the query returns every item in the table.
Subverting application logic
Changing a query to interfere with the application's logic.
Upon logging into a web application, it checks the user's credentials by performing an SQL query:
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
If the query returns the user's details, the login is successful.
An attacker may modify the query so that they can log in as any user by commenting out the password part of the query.
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
This modified query comments out everything after username = 'administrator', so it returns the user whose username matches the supplied value and the web application logs the attacker in without a password being checked.
UNION attacks
Retrieving data from different database tables.
An attacker who can inject into a query may be able to list the tables in the database and then append a UNION clause so that the results also include rows from other tables. The original query:
SELECT name, description FROM products WHERE category = 'Gifts'
Modified to:
SELECT name, description FROM products WHERE category = 'Gifts' UNION SELECT username, password FROM users--
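The three cases above (hidden data, logic bypass, UNION) come down to one root cause: the user-supplied value is pasted into the SQL text, so quote and comment characters change the query's structure. The following example is added here and is not part of the original notes; it builds a small in-memory SQLite database with constructed sample rows that mirror the page's products and users tables, runs the page's own payloads against a string-concatenated query, and then runs the same payloads against the parameterised version, which treats the input purely as a literal value.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema mirroring the page's products/users tables.
    The plaintext password column exists only to match the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug',    'Ceramic mug',    'Gifts',    1);
        INSERT INTO products VALUES ('Candle', 'Scented candle', 'Gifts',    0);
        INSERT INTO products VALUES ('Socks',  'Wool socks',     'Clothing', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'bluecheese');
        INSERT INTO users VALUES ('administrator', 'example-admin-password');
    """)
    return conn


def products_unsafe(conn, category):
    # Vulnerable pattern: the user-controlled value becomes part of the SQL text,
    # so a quote ends the literal and -- comments out the released filter.
    sql = ("SELECT name, description FROM products WHERE category = '"
           + category + "' AND released = 1")
    return conn.execute(sql).fetchall()


def products_safe(conn, category):
    # Hardened pattern: the value is bound as a parameter. Whatever it contains,
    # the query structure is fixed; a payload is simply a category that does not exist.
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def login_unsafe(conn, username, password):
    # Vulnerable login check built by concatenation (the page's second example).
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised login check: username and password are both bound values.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the page's payloads through both variants and return the observed results."""
    conn = make_db()
    union_payload = "Gifts' UNION SELECT username, password FROM users--"
    return {
        # Hidden data: the unreleased Candle appears once the filter is commented out.
        "hidden_unsafe": products_unsafe(conn, "Gifts'--"),
        "hidden_safe": products_safe(conn, "Gifts'--"),
        # Every row: OR 1=1 makes the WHERE clause always true.
        "all_unsafe": products_unsafe(conn, "Gifts' OR 1=1--"),
        "all_safe": products_safe(conn, "Gifts' OR 1=1--"),
        # Logic bypass: no password is ever compared.
        "login_unsafe": login_unsafe(conn, "administrator'--", ""),
        "login_safe": login_safe(conn, "administrator'--", ""),
        # UNION: rows from the users table ride along with the product rows.
        "union_unsafe": sorted(products_unsafe(conn, union_payload)),
        "union_safe": products_safe(conn, union_payload),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:13s} -> {result}")
```

Binding parameters is the fix for all three cases at once; input filtering or quote escaping is a weaker substitute because it tries to anticipate every way the query text could be altered, whereas parameter binding never lets the value reach the SQL parser as code.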
Examining the database
Extracting information about the version and structure of the database, and determining what other tables exist in it. On databases that support it, the information_schema views list the tables:
SELECT * FROM information_schema.tables
Blind SQLi
- The results of the query you control are not returned in the application's responses, so the attacker has to infer them from differences in behaviour (such as the response content or timing) rather than reading them directly.