
SQL Injection: The Tiny Typo

  • Writer: Aastha Thakker
  • Oct 28, 2025
  • 4 min read

As we all know, data is the fuel of the current generation. In its raw form data is unorganized information, and large collections of it are kept in databases. Databases hold secrets, and with those secrets comes risk, which can be financial, emotional or reputational.

SQL (Structured Query Language) is used for storing, manipulating and accessing the data in a database. With SQL queries you can create, update, delete or read data in databases such as MySQL, Oracle, PostgreSQL, etc.


What is SQL Injection?


SQL Injection is a web application vulnerability that attackers use to extract or manipulate data in the database by injecting malicious SQL code into the application's queries. When a web server wants to read or save user data it talks to a database server; if user-supplied input is pasted straight into the query text, an attacker can craft input that the database executes as part of the query the web application runs on its behalf, putting the security of the web application at risk.
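As an added example (not code from the original post), here is that injection point in miniature in Python with SQLite: a hypothetical lookup handler that concatenates the id parameter into the query text, beside the same lookup written with a bound parameter. The table, rows and inputs are constructed for the demonstration, and the SQLite rule that makes the bound version safe is that a parameter value is never parsed as SQL.

```python
import sqlite3

# Constructed in-memory database so the example runs offline; the table and
# rows are sample data, not taken from any real application.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Hypothetical details.php?id= handler that builds the query by concatenation.

    Whatever the client sends becomes part of the SQL text, so a quote in the
    input ends the string literal and the remainder is parsed as SQL.
    """
    sql = "SELECT id, username, email FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same lookup with a bound parameter: the value travels separately from the
    query text, so the database compares it as data and never parses it as SQL."""
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_input):
    """Runs one input through both handlers and returns the row counts."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, user_input)),
        "parameterized": len(lookup_parameterized(conn, user_input)),
    }


if __name__ == "__main__":
    # Normal request: both handlers return exactly one row.
    print(compare("2"))
    # Constructed malformed input: a closing quote plus an always-true
    # condition. The concatenating handler returns every row; the
    # parameterized one returns none, because no id equals that string.
    print(compare("' OR '1'='1"))
```

The fix is the bound parameter, not input filtering: the parameterized handler needs no knowledge of what a malicious string looks like, which is why parameterized queries (prepared statements) are the primary mitigation for every injection type described below.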


Types of SQL Injection


1. In-band SQL Injection (Classic SQLi):

In-band SQLi is the most common and easily exploitable form: the attacker uses the same communication channel both to launch the attack and to gather the results.

-> Error-based SQL Injection:

Error-based SQLi relies on database error messages to gain insight into the database structure. A website vulnerable to error-based SQLi may reveal database details to an attacker through its error messages, for example by displaying database structure information in the error text.

-> Union-based SQL Injection:

Union-based SQLi uses the UNION SQL operator to combine the results of multiple SELECT statements into a single response. An attacker manipulates the query so that a SELECT of their own is appended to the original one, combining two different sets of data in the response to gain unauthorized access.


2. Inferential SQL Injection (Blind SQLi):

The attacker reconstructs the database structure by observing the application's responses, without any actual transfer of data. In this type of injection no data is returned through the web application and the attacker does not see the result of the attack directly, which is why it is called "Blind" SQLi.

-> Time-based Blind SQL Injection:

It relies on making the query delay its response. The response time for the injected query indicates whether the condition it tested was TRUE or FALSE, and from that the attacker decides whether the payload was correct. This type of attack is typically slow.


3. Out-of-band SQL Injection:

It relies on other channels such as DNS or HTTP requests to deliver the data, and is used when the attacker cannot use the same channel for both the attack and the results, or when the server's responses are not stable enough. It is difficult to find and is an uncommon type of SQLi.


Why is SQL Injection a security concern?


  1. Hackers can modify, delete, or even create fake data, causing chaos and disrupting operations.

  2. Attackers can impersonate other users, which can lead to identity theft.

  3. SQL injection can lead to unauthorized access, which breaks the CIA triad (confidentiality, integrity, availability).

  4. Malicious SQL code can lead to loss of trust and reputational damage.

  5. It can lead to regulatory compliance violations.


Features of SQLmap


  1. SQLmap automatically identifies SQL injection vulnerabilities.

  2. It supports a wide range of databases such as MySQL, Oracle, PostgreSQL, etc.

  3. It is open source and under active development, so it stays up to date.

  4. It lets the user manage sessions and resume interrupted scans without repeating the requests already made.

  5. It supports multi-threaded execution, which enables fast, parallel scanning.


PRACTICAL APPLICATION OF SQLMAP


Installation :- sqlmap generally comes pre-installed in Kali Linux, but if it is not present you can install it with the command “sudo apt install sqlmap” and verify the version with “sqlmap --version”.



Find a website that has an “id” GET parameter; using that website we can find the database.

Google Dorking is a technique that uses advanced search operators to find specific data or websites. There are many Google dorks, but for the purpose of this blog we will focus on finding SQL injection vulnerabilities, so the query will be inurl:.php?id= or inurl:details.php?id= to find pages with an id parameter.

1) Write this command; it will crawl the website and write the list of vulnerable sites to an output file.



The last line of the output gives the file path in which these links are stored.


2) The “crawl” command we saw above asked many questions that we had to answer. In most cases we chose the default response, so to select default responses automatically we use the “--batch” option. Run the same command shown above with “--batch” added and check the result.


3) Now our mission is to find the database. “--dbs” lists the databases along with the database type. (If you are testing another website, observe the parameter block of the output carefully.)



4) Once a SQL injection vulnerability has been identified, we can use different flags to obtain data. To list the tables present, use the “--tables” flag.



5) Now it is the turn of the columns.



6) To retrieve the data from a specific column.



7) Once you have found the URL and enough information to prove that the website is vulnerable to SQL injection, your next step should be enumeration. Enumeration helps you show how critical the vulnerability really is. Let’s see some of the flags related to it: “--current-user” shows the name of the current database user, “--current-db” shows the current database and “--hostname” shows the name of the current database host.



8) Now, if we want the data of the database, we use “--dump”. If the table holds login data, sqlmap will ask whether you want to perform a dictionary attack on the stored passwords or not (here “--batch” selects the default answers). You will get a table containing usernames and passwords.



9) If you want to see the data of all the tables, use the “--dump-all” flag together with the name of the database. Run this command yourself and you will get all the data present in all the tables. (This is one example of the output.)
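From the defender's side, the three injection types described earlier and the scanning steps just walked through leave recognisable traces in the web server's access log. The following is an added example, not part of the original post: a small Python script that parses Apache combined-format log lines (constructed samples, embedded inline) and tags requests whose query string shows union-based, time-based or error-based patterns, plus requests whose User-Agent still carries a scanner's default string. The User-Agent check assumes the scanner was run without an option such as --random-agent or --user-agent; the sample agent string is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format. They are not
# real traffic: the IPs are documentation addresses and the last line's
# User-Agent imitates a scanner that kept its default agent string.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2025:10:01:02 +0000] "GET /details.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2025:10:02:15 +0000] "GET /details.php?id=7%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2025:10:02:16 +0000] "GET /details.php?id=7+UNION+SELECT+1,2,3 HTTP/1.1" 200 6030 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2025:10:02:40 +0000] "GET /details.php?id=7+AND+SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2025:10:03:01 +0000] "GET /details.php?id=7 HTTP/1.1" 200 5120 "-" "sqlmap/1.9 (https://sqlmap.org)"
"""

# Combined log format: ip ident user [timestamp] "method target proto" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators keyed to the injection types discussed above (case-insensitive).
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)
TIME_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)


def classify(line):
    """Parses one log line and returns (ip, decoded query string, indicator tags).

    Returns None for lines that do not match the log format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode %27 and '+' so the indicators see what the database saw.
    query = unquote_plus(m.group("target").partition("?")[2])
    status = int(m.group("status"))
    tags = []
    if UNION_RE.search(query):
        tags.append("union-based")
    if TIME_RE.search(query):
        tags.append("time-based")
    # A stray quote that produces a server error is the classic error-based probe.
    if "'" in query and status >= 500:
        tags.append("error-based")
    if "sqlmap" in m.group("ua").lower():
        tags.append("scanner user-agent")
    return m.group("ip"), query, tags


def scan_log(text):
    """Returns the flagged lines as (ip, query, tags) tuples, skipping clean ones."""
    findings = []
    for line in text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            findings.append(parsed)
    return findings


def hits_per_client(findings):
    """Counts flagged requests per source IP, to surface a single probing client."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, query, tags in found:
        print(ip, repr(query), tags)
    print(hits_per_client(found))
```

Pattern matching on the query string is a coarse signal and will miss encoded or obfuscated payloads, so the per-client counter matters more than any single tag: a crawl like the one above produces a burst of flagged requests from one address against one parameter, which is the pattern worth alerting on, and the real fix remains the parameterized query in the application itself.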



Now that you have an understanding of the SQL injection concepts, it is time to put your knowledge to the test. Dive into the challenges of the TryHackMe SQL Injection room, and feel free to reach out on LinkedIn if you have any further questions.
