Why and How to do SQL Injection?
We will discuss about SQL injection in a detailed way
Web Exploits, many exploits can be performed on the web like XSS, CSRF, SSRF, OAuth Vuln, and many more, as of now we will discuss the most popular and one of the top 10 OWASP, The SQL Injection (SQLi)
Some information I post here belongs to Port swigger, Let's Begin 🤪
SQL is a structured language developed by oracle, And we all know there has to be something to store all the data we post
For example, the website has to store our credentials somewhere to verify us and log us in, and then the database comes into the picture, So to store, retrieve or even delete the data in the database. We will be using a language called SQL[Structured Query Language] and there are many Non-Oracle languages to replace SQL, but SQL is the most popular one and widely used!
Now, we all know what is SQL and where we will be using it, and let us consider an example for understanding this better. We are in an online store say https://www.iamcyberstore.com where we can buy some accessories like books, gifts… Etc. and as a hacker, you need to observe what happens when we click something and how the data gets processed
Now we are having categories like gifts, books, etc. on our website :
Now if we click on the pens section the website will automatically redirect to https://www.iamcyberstore.com/category?id=Pens and the processing of the URL completely depends on the website developer
So they may vary from site to site and this type of interpretation can be prone to SQL Injection, before getting into the real attack mechanism
We need to understand some basics of SQL and how SQL works, SQL is a vast topic to discuss
Please consider watching some basic tutorials of SQL to get a better understanding but still, I will explain everything I write here 😊
SELECT * FROM products WHERE category = 'Pens'
This SQL query asks the database to return:
- all details (*)
- from the products table
- where the category is Gifts
Now this query will return all the products which are under the “pens” category, we can understand that whatever value we pass into the id parameter it will process and returns us the output for the query passed in
What if we can break that query and retrieve all other information that the database contains?
Yes, it’s possible, one can break the query and pass in some other input which returns the output accordingly, leading to SQL injection where we will be injecting our queries using the vulnerable parameter “id”. And this only works that the developer fails to validate the input given before processing the query.
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
- Retrieving hidden data, where you can modify an SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application’s logic.
- UNION attacks, where you can retrieve data from different database tables.
- Examining the database, where you can extract information about the version and structure of the database.
1. Retrieving hidden data.
Let us get back to our example, but now there is a hidden value that is getting passed every time which is not visible to the user
But still the URL the user may see looks like https://www.iamcyberstore.com/category?id=Pens, and the released parameter is already present in the query.
i.e select * from products where category =’<Category value>’ and released =1
Where the released parameter is all about released products, product releases then the value equals 1
if isn’t it is 0, and the website wants to show all its users only about the released products and wants to hide the products which are about to release
SELECT * FROM products WHERE category = ‘Pens’ AND released = 1
As of now, we know that there can be some hidden values passing after the query so all we need is to comment out the query that left after our pens
So to do that we need to break the query first bypassing (apostrophe)‘ which will break the query and help us to intervene within the SQL Query
So we will be passing
The modified query will return all items where either the category is Pens, or 1 is equal to 1. Since
1=1 is always true, the query will return all items.
And the query will be interpreted as :
SELECT * FROM products WHERE category = ‘Pens’ OR 1=1 #’ AND released = 1
The apostrophe after pens will break the query and from there one can intervene and modify the queries. Where after # everything will be considered as a comment and SQL will ignore everything that comes after #
2. Subverting application logic.
Let's bypass some logins the same happens the main logic revolves around the comment out mechanism for login pages the username and password you post will be interpreted as:
SELECT * FROM users WHERE username = 'sumo' AND password = 'iamcybermight'
where sumo and iamcybermight are the username and passwords of a website respectively
Let's say the owner of the website had a login username as administrator and I don't know his password, then what will happen if we provide the values, as shown below as input:
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
In the username input box :
administrator'-- and leaving the password as null
where I fixed the username and commented out everything after it. There you go, Logged in as administrator.
There are many ways one can pass different values to change the working logic of an application to bypass login pages and there are many payload values that one can pass into the login pages and bypass them, Ask Google 😉
3. UNION attacks.
Union is a syntax that one can execute an additional select query by intervening the id parameter
For example, if an application executes the following query containing the user input “Pens”:
SELECT name, description FROM products WHERE category = 'Pens'
then a hacker can submit the input like this :
' UNION SELECT username, password FROM users--
This will cause the application to return all usernames and passwords from the user’s table, along with the names and descriptions of products from the products table. And the input in the URL will be passed as:
There are some rules for the union to work, they are:
- The individual queries must return the same number of columns.
- The data types in each column must be compatible between the individual queries.
Here in our example 2 values [products, description] are retrieved from the products table, and again the 2 values [username, password] are retrieved from the user's table, the number of values that are being retrieved has to be the same then? :
- How many columns from the original query returned?
- Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
I am leaving this to you, please figure it out yourself 🤗 [Refer to this Link]
4. Examining the database.
So you know how to intervene in the working query and pass in some value, or you even know how to execute a query on your own by using union
Some default queries will return the version of the working database, from this one can prepare or modify his attack vector
He can search for some open exploits in the database version and try to exploit them
The input can be ‘ UNION SELECT @@version
-- and there is a default table that stores information about all the tables present in the database. There is a table called information.schema which will store basic information like table name, column names in the table, and their data types.
And also there is one more injection type called Blind Injection Technique, the query results are not returned to the application’s responses.
- You can change the logic of the query to trigger a detectable difference in the application’s response depending on the truth of a single condition. This might involve injecting a new condition into some Boolean logic or conditionally triggering an error such as a divide-by-zero.
- You can conditionally trigger a time delay in the processing of the query, allowing you to infer the truth of the condition based on the time that the application takes to respond.
- You can trigger an out-of-band network interaction, using OAST techniques. This technique is extremely powerful and works in situations where the other techniques do not. Often, you can directly exfiltrate data via the out-of-band channel, for example by placing the data into a DNS lookup for a domain that you control.
We will discuss this in great detail in the upcoming post!
That's it if you want to try this on hands-on please visit [Link]
Thanks for making up to here ❤️