SQL injection usually occurs when a web application uses untrusted data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query an attacker can include their own SQL commands which the database will execute.
In order to understand SQL injecton you have some basic knowledge of Structured Query Languag (SQL) and need to be familier with SQL queries. SQL language used for storing, retrieving, modifying and removing data from a database. Now lets see an example of SQL injection vulnerability. As we know that the SELECT Statement used to retrieve data from the database :
SELECT column FROM table WHERE condition;If the condition is true the the query will be successfully executed. Now lets see the below login system SQL query :
SELECT username, password FROM users WHERE username='USER_INPUT_1' AND password='USER_INPUT_2';At above the USER_INPUT_1 and USER_INPUT_2 are user supplied data. So according to above query the database will only return the username and password when the username and password will matched for that row. In this scenario an attacker can put malicious input in the USER_INPUT_1 to bypass the login. For example the malicious code aaa' or 1=1 --+ will bypass the login query.
SELECT username, password FROM users WHERE username='aaa' or 1=1 --+' AND password='USER_INPUT_2';At the above query the --+ (double dash with plus sign) acts like a comment sign and it comments out the rest of the query, and the username = aaa is invalid but just after that, the attacker will used or 1=1, where 1=1 is always true and as we know that in or operation, if one side is true then it always return true. So by this way the database will returns all the username passwords on the database.
Now lets see an exmple of SQL injection vulnerability in web application, for demonstration we are going to use DVWA Vulnerable Web App. To know more about DVWA or install it on your system pleas visit the below link :
http://www.sec-art.net/2018/06/how-to-install-dvwadamn-vulnerable-web.html
Now first change the security level of DVWA to low and then start to follow the below steps.
In DVWA at the SQL Injection tab, when we provide the user ID (1, 2, 3 ..) and press submit button, then the page will return the user's First name and surname.
Now we need to put the invalid inputs, in order to break the query. For example like single column ('). Now when we submit the invalid input, then the page will show the below error message :
The output is :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Now we know that the page is vulnerable to SQL injection attack. Then Lets try to balance the query with 1=1 and comment out rest of the query by using --+.
When we submit the above data, then it will again shows the error message, now lets try to comment rest of the query by # instead --+.
Now this time our query works and the page will show all users data.
When we check the source code of the page, then we can see that the sql query is :
SELECT first_name, last_name FROM users WHERE user_id = '$id'Now when we submit our crafted input the the above SQL query will be look like this :
SELECT first_name, last_name FROM users WHERE user_id = '' or 1=1 # $id'And as we can see the last part of the query $id' will be commented, and when the query executes it will returns all users information on the page. The above vulnerability is Error-Based SQL injection.
Consequences of SQL Injection Vulnerability :
If the SQL injection vulnerability exists on a web application then there are very serious consequences of it. For example :
- An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
- An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
- Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
- An attacker could use an SQL Injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
- Some database servers are configured (intentional or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker could use SQL Injection as the initial vector in an attack of an internal network that sits behind a firewall.
Types of SQL Injections
There are four Types of SQL Injection :
- Union Based injection
- Error-based injection
- Blind injection
- Time-based injection
We will look all the above types of SQL injection in more details in next post.
Conclusion :
In this post we learnt the basics of SQL injection. Now in the next post we can see the different types of sql injection in more details.