GitHubPortfolioTwitter/XMediumCont@ctHome

5.2 SQL Injection (SQLi)

SQL Injection (SQLi)

SQL Injection (SQLi) is an attack method that exploits the injection of SQL commands into a web application's SQL queries. A successful SQLi attack allows a malicious hacker to access and manipulate the backend database of a web application.

Web applications, ranging from complex systems to Content Management Systems (CMSs) and simple personal web pages, often utilize databases like MySQL, SQL Server, Oracle, PostgreSQL, and others to store data, user credentials, or statistics. Structured Query Language (SQL) is employed by entities such as system operators, programmers, applications, and web applications to interact with databases.

SQL, a powerful interpreted language, is used to extract and manipulate data from databases. Web applications embed SQL commands, known as queries, in their server-side code, with connectors serving as middleware between the web application and the database.

Before delving into attack techniques, understanding some SQL basics is essential. This includes knowledge of SQL statement syntax, query execution, union operations, the DISTINCT and ALL operators, and how comments function.

Here below the three common types of SQL:

SQL Statements

SQL allows the selection of constant values, such as:

SELECT 22, 'string', 0x12, 'another string';

Understanding the UNION command is crucial, as it performs a union between two results:

<SELECT statement> UNION <other SELECT statement>;

The DISTINCT operator eliminates duplicate rows, and a UNION statement implies DISTINCT by default. To allow duplicates, the ALL operator can be used:

<SELECT statement> UNION ALL <other SELECT statement>;

Comments in SQL can be denoted by either '#' or '-- '.

Example: The following queries showcase SQL operations on a database with two tables, "Products" and "Accounts."

SELECT Name, Description FROM Products WHERE ID='1';
SELECT Name, Description FROM Products WHERE Name='Shoes';
SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;
SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT 'Example', 'Data';

SQL Queries Inside Web Applications

In web applications, SQL queries are executed through the following steps:

  1. Connect to the database.

  2. Submit the query.

  3. Retrieve and use the results in the application logic.

An example PHP code snippet demonstrates the process:

$dbhostname = '1.2.3.4';
$dbuser = 'username';
$dbpassword = 'password';
$dbname = 'database';

$connection = mysqli_connect($dbhostname, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";

$results = mysqli_query($connection, $query);
display_results($results);

Finding SQL Injection

To exploit SQL Injection, the initial step is to identify the injection point and then craft a payload to gain control over the dynamic query of the target. The most direct method to discover SQL injections within a web application involves probing inputs with characters known to cause SQL query syntax errors, prompting the application to return an error.

Note: Not all inputs of a web application contribute to constructing SQL queries. In the Information Gathering module, it was recommended to categorize different input parameters, focusing on those used for database data retrieval and manipulation.

In the following sections, we will explore how to utilize gathered information to recognize and exploit SQL Injection vulnerabilities.

Input parameters are conveyed through GET and POST requests, HEADERS, and COOKIES. It is essential to examine all channels where data is retrieved from the client. The examples provided here, for simplicity, will focus on scenarios where inputs come directly from the URL (using the GET method), but similar techniques apply to other channels.

Simple SQL Scenario

For explanatory purposes, consider a small, vulnerable e-commerce web application displaying cell phones for sale. In this example, ecommerce.php takes an input parameter named id to retrieve product features from the database and display them on the page.

  • The id parameter is expected to be an integer.

  • Sending the id=1 GET parameter makes the application behave correctly.

  • Sending id=, makes the application throw an error.

Testing for SQL injection involves injecting:

  • String terminators: ' and "

  • SQL commands: SELECT, UNION, and others

  • SQL comments: # or -- Checking for abnormal behavior in the web application.

SQL Errors in Web Applications

The web application in question prints internal errors on its input pages, aiding developers and penetration testers in understanding the application's internal processes. Different Database Management Systems (DBMS) respond to incorrect SQL queries with varying error messages. Recognizing these errors is crucial for identifying vulnerabilities.

Example:

  • MS-SQL error: "Incorrect syntax near [query snippet]"

  • MySQL error: "You have an error in your SQL syntax."

Similar errors during an engagement suggest vulnerability to an SQL injection attack, though educated guesses may be necessary.

Boolean Based Detection

Many production websites do not display errors for usability and security reasons. In such cases, Boolean-based detection can be employed to test for SQL injection. This technique involves crafting payloads that transform web application queries into True/False conditions, allowing the penetration tester to infer query results based on changes in the application's behavior.

Example:

  • Crafting payloads like id=1444' to detect Boolean-based SQLi in an image gallery.

It is possible to test both always true and always false conditions:

  • id=1444' or '1'='1

  • id=1444' or '1'='2

After identifying a potential injection point, further testing and exploitation techniques are explored in subsequent chapters.

BurpSuite & SQLMap

A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).

We will then open that file with SQLMap and check for vulnerabilities or not.

sqlmap -r sql_request_captured.xml
Previous5.1 DB & SQL IntroductionNext5.3 In-Band SQLi

Last updated