Hello friends, I am Balaji Gopal. This is my first tutorial on SQL injection. Thanks a lot to Ashish Mistry for giving me the opportunity to write this tutorial. Also love and greetings to Ghost rider hacker, Nilesh Aherrao, Sanket Jagtap, Vinit Patil, Abhishek Koserwal, Saurabh Nemade and all other friends who have always supported me to become what I am now. Let's start with the tutorial.
     SQL injection is one of the more popular application-layer hacking techniques in use in the wild today. It is a type of input validation attack, i.e. it occurs when the programmer/developer fails to properly validate the input given by the user. SQL injection is one of the top 10 vulnerabilities listed by OWASP (Open Web Application Security Project). The threat due to SQL injection is very high; according to a report by Barclays, "97 percent of data breaches are due to SQL injection." Penalties for performing SQL injection under the IT Act are severe, including heavy fines or imprisonment. Now let's see exactly what it is, in detail.

        Basically, SQL stands for Structured Query Language, and it is the language used by most website databases.
Relational database management systems (RDBMS) are the basis for SQL and for all modern database systems such as MS SQL Server, Oracle and MySQL. Data is stored in the database in the form of tables. A database most often contains one or more tables. Tables contain one or more columns, and data is stored in these columns. Data in the database is retrieved using queries. Generally in a website the front end and back end are connected so that the end user can retrieve data from, or enter data into, the back end through the front end. If the front end is PHP and the back end is MySQL, the connection is made using
         mysql_connect("servername", "username", "password")

Here is a sample code.
<?php
// Open a connection to the MySQL server (note: the mysql_* extension is
// deprecated since PHP 5.5 and removed in PHP 7; newer code uses mysqli or PDO).
$phpmysql = mysql_connect("localhost", "admin", "passwd");
if (!$phpmysql) {
    // Stop the script and report the driver's error message if the connection failed.
    die('Connection failure: ' . mysql_error());
}
?>

        Once the connection is made, the front end and back end start interacting. Whatever the end user requests from the front end is sent to the back end in the form of SQL queries, and the end user gets the required result. But it is possible for an attacker to send malicious requests (generally SQL queries) from the front end, forcing the back end to execute those queries and return the result. This is called SQL injection.

        SQL injection is a technique that takes advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a back-end database. A successful SQL injection exploit can enable the attacker to read sensitive data from the database, perform insert/update/delete operations, and execute administrative operations on the database (such as shutting down the DBMS). This means an SQL injection attack is possible only on those websites/web applications that have a database back end. SQL injection is possible on almost all databases (MySQL, MS SQL, Oracle, MS Access etc.). The attack is carried out by injecting malicious SQL through forms or through the URL.

The possible types of SQL injection that can be exploited by the attacker are:
  • Poorly Filtered Strings
  • Incorrect Type Handling
  • Signature Evasion
  • Filter Bypassing
  • Blind SQL Injection
Let's look at each of these.

1. Poorly Filtered Strings

        SQL injections based on poorly filtered strings are caused by user input that is not filtered for escape characters (such as the single quote). If the user input is not validated properly, the attacker can send SQL fragments from the form that are executed by the database, compromising its security.

Example:
The attacker enters 'or''=' in the password field of the form and submits it to the back-end.
Because the input is pasted straight into the query, the string becomes part of the SQL:
SELECT password FROM users WHERE password = '' or ''=''
The condition ''='' is always true, so the WHERE clause matches every row, the query returns a result, and the attacker is granted access without knowing a valid password.

2. Incorrect Type Handling

        Incorrect-type-handling SQL injections occur when an input is not checked for type constraints. In simple language, the data type of the input (for example, that an id must be a number) is not validated, and attackers exploit this to execute SQL of their own.

Example:
    Suppose the id parameter is not validated as a number and is placed into the following query, where pid is the value taken directly from the request:
    SELECT * FROM userinfo WHERE id = pid;
    Because a numeric value is not surrounded by quotes, the attacker does not even need a quote character to break out of the literal; an input such as
    1;SHOW TABLES
    makes the query read
    SELECT * FROM userinfo WHERE id=1;SHOW TABLES;

3. Signature Evasion

        Many SQL injections are blocked, at least partly, by intrusion detection and intrusion prevention systems that use signature detection rules. Common tools that detect SQL injection are ModSecurity and other web application firewalls (WAFs). These techniques are not 100% secure and can be bypassed.

Example:
If the firewall is blocking keywords like "union", "all", "select" etc., the attacker can evade it by wrapping the keywords in MySQL version comments, like this: /*!union*/ /*!all*/ /*!select*/. The signature no longer sees the plain keyword, but MySQL still executes the contents of such comments. There are many other ways as well, which will be discussed in further tutorials.

4. Filter Bypassing

        Generally, while doing SQL injection, some SQL keywords are used, like union, select, from etc. The administrator filters these keywords so as to block such requests, but it is still possible for an attacker to bypass this kind of filter.

Example:
The attacker sends a request like this:
    index.php?id=1 union all select 1,2,3--
and the site responds with 406 Not Acceptable. By using a trick like this:
    index.php?id=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3--
the attacker bypasses the filter. There are many ways to bypass such filters; it depends on how strongly the administrator has built the filter.
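As an added defender-side example (not code from the tutorial), the Python below shows why a plain keyword signature misses the comment-wrapped request from sections 3 and 4, and how normalising the request (URL-decoding it and unwrapping MySQL's /*! ... */ comments) before matching makes the same signature catch it. The signature regexes and the sample request strings are constructed for this example and are not taken from any real WAF rule set.

```python
import re
from urllib.parse import unquote_plus

# Plain signatures of the kind the tutorial says the firewall uses: they look
# for the keywords as written, separated by whitespace (constructed for this
# example, not taken from any real WAF rule set).
SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I),
]


def signature_hit(text):
    """True if any signature matches the text exactly as given."""
    return any(sig.search(text) for sig in SIGNATURES)


def normalize(request):
    """Rewrite the request the way the database parser will see it:
    - undo URL encoding (%2F, +, ...)
    - unwrap MySQL version comments, so /*!union*/ becomes union
    - drop ordinary /* ... */ comments and collapse whitespace."""
    text = unquote_plus(request)
    text = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()


def classify(request):
    """'blocked' - the plain signature already matches (the case where the
                  tutorial's site answers 406)
       'evaded'  - the signature only matches after normalisation, i.e. the
                  filter on its own would have let the request through
       'clean'   - no signature matches either way"""
    if signature_hit(request):
        return "blocked"
    if signature_hit(normalize(request)):
        return "evaded"
    return "clean"


if __name__ == "__main__":
    # Constructed requests modelled on the tutorial's examples.
    samples = [
        "index.php?id=1",
        "index.php?id=1 union all select 1,2,3--",
        "index.php?id=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3--",
        "index.php?id=1+%2F*%21union*%2F+%2F*%21all*%2F+%2F*%21select*%2F+1,2,3--",
        "search.php?q=trade union select committee",   # benign text, false positive
    ]
    for s in samples:
        print(f"{classify(s):8s} {s}")
```

The last sample shows the other weakness of keyword filtering: ordinary text that happens to contain the words is blocked too. Normalising before matching closes the particular gap the tutorial describes, but a keyword filter remains a secondary control; the primary fix is still the parameterised query from sections 1 and 2.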

5. Blind SQL Injection

        Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The vulnerable page may not be one that displays data, but it will display differently depending on the result of a logical condition injected into the legitimate SQL statement run for that page. Blind SQL injection takes a lot of time and patience.

Example:
    site.com/index.php?id=1 and 1=1 loads the normal page, but site.com/index.php?id=1 and 1=2 gives a different result if the page is vulnerable to SQL injection.
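A defender usually sees blind injection from the server side, as pairs of requests whose only difference is a true/false condition. The following Python is an added example, not part of the tutorial, that scans constructed access-log lines (Apache-style, invented for this example, with addresses from documentation ranges) for boolean probes such as "and 1=1" / "and 1=2" in a query parameter and flags a client whose true-condition and false-condition probes received responses of different sizes, which is the behavioural difference the tutorial describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Apache-style, invented for this example; the
# addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2012:07:22:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2012:07:22:03 +0000] "GET /index.php?id=1+and+1%3D1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2012:07:22:05 +0000] "GET /index.php?id=1+and+1%3D2 HTTP/1.1" 200 1830
198.51.100.9 - - [10/Apr/2012:07:23:10 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5044
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
# A boolean probe: "and 1=1", "or 2=3", ... appended to a parameter value.
BOOL_PROBE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)\b", re.I)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Map (client ip, path, parameter) -> list of (condition_is_true, size)
    for every request whose parameter carries a boolean probe."""
    probes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        # parse_qsl undoes the URL encoding, so "1+and+1%3D1" -> "1 and 1=1"
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            m = BOOL_PROBE.search(value)
            if not m:
                continue
            is_true = int(m.group(2)) == int(m.group(3))
            key = (rec["ip"], url.path, name)
            probes.setdefault(key, []).append((is_true, int(rec["size"])))
    return probes


def differential_sources(probes):
    """Keys whose true-condition and false-condition probes never got the same
    response size: the page answers differently, which is exactly the signal
    a blind injection depends on, so these deserve a closer look."""
    flagged = []
    for key, seen in probes.items():
        true_sizes = {size for ok, size in seen if ok}
        false_sizes = {size for ok, size in seen if not ok}
        if true_sizes and false_sizes and true_sizes.isdisjoint(false_sizes):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for key, seen in found.items():
        print(key, seen)
    print("differential:", differential_sources(found))
```

The response size is only a stand-in for "the page displays differently"; in a real deployment the same grouping can be done on status code, template used or response time (for time-based variants), and the more useful long-term fix is to make the underlying query use bound parameters so that the injected condition is never evaluated at all.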

There are many more varieties of SQL injection attacks which will be discussed in the next tutorials.

        Thanks a lot for reading my first tutorial. If you have any questions, then please ask in the comments. Later in this tutorial series, all of the attacks mentioned above will be explained in detail. I will do my best to make this tutorial as easy and informative as possible. Suggestions for future tutorials are happily accepted.

Article author: Balaji Gopal
Article license: SQL injection tutorial series by Balaji Gopal is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Comments

09/04/2012 12:18pm

awesome tutorial bro

Akshay
09/04/2012 9:11pm

Nice post bro, waiting for a manual SQL injection tut from Balaji bro

Hitesh Patel
10/04/2012 1:43am

Good article Balaji, helpful to others for information...........

Vinit
10/04/2012 7:22am

Great work dude...

sanket
10/04/2012 8:17am

nice tut bro waiting for more tutz

gaurav
10/04/2012 9:29am

kool man u rock

nEmEsis
13/04/2012 6:38am

liked it.......

Jack
15/04/2012 10:35pm

it is nice and easy to learn..

umesh
10/05/2012 9:58am

Balaji sir can u plz explain INCORRECT TYPE HANDLING in more detail with its implementation...and what is the difference between SIGNATURE EVASION and FILTER BYPASSING...
thank you waiting for ur reply...

hPl0w
30/12/2012 7:33pm

Excellent tutorial dude.

Thanks!!!