SQL Injection

SQL injection is the exploitation of unsanitized user input to pass attacker-controlled SQL statements through a web application to its backend database.

Attack types

SQL injections can be used for various types of attacks:

  • Authentication Bypass: An intruder gains access to an application without a valid username and password, effectively obtaining administrative privileges.

  • Authorization Bypass: A hacker manipulates authorization data in a database by exploiting vulnerabilities, such as SQL injection.

  • Information Disclosure: An attacker acquires sensitive data from a database, potentially compromising the confidentiality of the information.

  • Compromised Data Integrity: Intruders vandalize web pages, insert malicious content, or alter a database's contents, compromising data integrity.

  • Compromised Data Availability: Aggressors delete database information, log records, or audit data stored in a database, leading to data unavailability.

  • Remote Code Execution: Intruders compromise the host operating system, potentially gaining control over the system's functionality.

SQL Injection example

Attackers can craft a query by inputting specific values in application fields, such as usernames and passwords. For example:

  • Username: Bob' or 1=1 --

  • Password: Whatever

If the application builds its login query by concatenating these values directly into the SQL string (rather than binding them as parameters), the executed query becomes:

SELECT Count(*) FROM Users WHERE UserName='Bob' or 1=1 --' AND Password='Whatever';

Analyzing this query shows why it succeeds: `or 1=1` makes the WHERE clause true for every row, and `--` turns the rest of the line, including the password check, into a comment. The count is therefore greater than zero regardless of the password, and the application treats the login as valid, leading to unauthorized access.
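The following Python example is added here to make the mechanism concrete; it is not code from the original page. It builds a constructed in-memory SQLite `Users` table (the names and passwords are made up), runs the page's `Bob' or 1=1 --` input through a login check that concatenates the query string, and then through the same check written with bound parameters, so the bypass and its fix can be observed side by side.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's real
    user table. Names and passwords are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("Bob", "s3cret"), ("Alice", "hunter2")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Builds the login query by string concatenation. This is the
    defect: user input becomes part of the SQL text itself."""
    return (
        "SELECT Count(*) FROM Users WHERE UserName='" + username
        + "' AND Password='" + password + "';"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticates with the concatenated query; returns True when the
    row count is positive, which the injected input can force."""
    (count,) = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver keeps the values
    separate from the SQL text, so quotes and -- in the input stay data
    and never alter the statement's structure."""
    (count,) = conn.execute(
        "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    return count > 0


def demo() -> dict:
    """Runs the page's payload against both implementations."""
    conn = make_db()
    payload_user, payload_pass = "Bob' or 1=1 --", "Whatever"
    return {
        "query": build_vulnerable_query(payload_user, payload_pass),
        "vulnerable_bypassed": login_vulnerable(conn, payload_user, payload_pass),
        "safe_bypassed": login_safe(conn, payload_user, payload_pass),
        "safe_valid_login": login_safe(conn, "Bob", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version returns True for the injected input because SQLite evaluates `UserName='Bob' or 1=1` as true and discards everything after `--`; the parameterized version returns False for the same input, since the whole string `Bob' or 1=1 --` is compared literally against `UserName`, while a genuine credential pair still succeeds. Parameterized queries (prepared statements) are the primary mitigation for this class of bug; input filtering alone is not a substitute.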

Cheat Sheets

Tools

sqlmap

"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections."

Target URL and Cookies: First, specify the target URL where the injection will occur. You can also provide the necessary cookies for authentication.

  • -u specifies the target URL.

  • --cookie is used to set the HTTP cookie header.

  • --dbs instructs sqlmap to enumerate the available databases in the DBMS.

Select a Database: After identifying the databases, you can select a specific one for further exploration. In this example, we'll use a database named "exampledb."

  • -D specifies the database to enumerate.

  • --tables instructs sqlmap to list the tables in the chosen database.

Retrieve Table Content: Now, let's say we want to retrieve the content of a table called "user_data." You can use sqlmap to dump the table content.

  • -T specifies the table to extract data from.

  • --dump is used to retrieve and display the table content.

Interactive OS Shell: sqlmap can also provide an interactive OS shell for advanced operations.

  • --os-shell initiates an interactive OS shell.

  • Optimize Delay Responses: If prompted with a message asking if you want sqlmap to optimize delay responses, you can respond with "Y" to improve the injection efficiency.

  • View Available Commands: To explore the available commands within the interactive OS shell, simply type "help."

Mole

Mole is a graphical, cross-platform SQL injection testing tool. It provides a user-friendly interface for analyzing and manipulating SQL injection attacks, making it easier for testers to perform various SQL injection techniques and assess the security of a web application.

Blisqy

Blisqy is a lightweight and open-source SQL Injection tool that is designed to automate the process of discovering and exploiting SQL injection vulnerabilities in web applications. It's a command-line tool that provides a simple and efficient way to identify and exploit SQL injection flaws.

For mobile devices

sqlmapchik

"sqlmapchik is a cross-platform sqlmap GUI for popular sqlmap tool. It is primarily aimed to be used on mobile devices (currently Android is supported)."
