SQL injection

  • What is it?
  • SQL stands for Structured Query Language, and it is a language used for querying(requesting information from or inserting information in) databases. SQL Injection is a vulnerability that allows an attacker to make malicious queries to the back end database of a web application. Attackers can view and even alter data they otherwise would not have access to — such as another user’s data — which can lead to changes in the applications behavior or content.
  • HowDoes It Work?
  • A SQL injection vulnerability is exploited when user provided data is included within the SQL query. Say for example there is a database containing a table called “users” that holds three sections or “columns” of data containing an id, username, and password.
        When a user attempts to log into a website with a username and password, the application will check the credentials entered by making a query similar to the following:
        • SELECT * FROM users WHERE username= `jon` AND password= `pass123`;
        Let`s break down the above statement. The first word in this query, select, lets the database know that it will be returning some type of information. The asterisk * tells the database that we want all details(columns) from the table users where both the username and password are equal to the user supplied data - which in this case is ‘jon’ and ‘pass123’. If the query returns the details of the user, then the login will be successful!
          Because user input is used in the database query, an attacker can use this to their advantage in order to circumvent application logic and bypass the login page to access another user`s account.
            Say instead of logging in with the username and password of the account they are authorized to access, an attacker enters in admin’— — for the username and leaves the password blank. Upon doing this, the application will send the following query to the database:
            • SELECT * FROM users WHERE username = `admin` — — ` AND password = ` `
            ` — — ` is a SQL comment sequence, meaning anything coming after will be considered a comment and therefore nonexecutable. The placement of the comment sequence in the above query essentially causes the password parameter to be removed allowing an attacker to bypass the password requirement and simply login to any account with only the username!
              If you`re confused here, don`t worry! I`ll try my best to explain a little more in depth below.

                  Escaping Single Quotations

                    You might have noticed that parts of the previous query looked a bit strange :
                    • `admin` — —` for example
                    Where did the additional quotation mark came from? Well, in SQL queries, user supplied data is encased in single quotations like so:
                    • ` example of user supplied data `
                      When we enter in a username such as admin, on the back end, our input is automatically being interpreted as a string(words) and will thus be encased within single quotation marks in the SQL query. As you may have noticed in previous query examples, SQL statements — what is actually executed — are not within quotation marks(such as SELECT, FROM, WHERE). In order for our comment sequence( — — ) to execute and remove the password check, the user supplied data needed to be outside of the quotations ` `.
                        If we enter in admin — — as our username and leave the password blank, the query below would be sent to the database:
                        • SELECT * FROM users WHERE username = `admin — — ` AND password = ` `
                          In this example, you can see that our comment sequence is encased within an opened and closed single quotation ` ` ! It`s not being interpreted as a SQL statement, but as a string!
                            To circumvent this, we add a single quotation to our input like so: admin` — — . Our added single quotation will now serve as the closing quotation in the SQL query.
                            • SELECT * FROM users WHERE username = `admin` — — ` AND password = ` `
                            And whala! The only thing enclosed within an opened and closed quotation mark is our username admin! Our comment sequence can now execute, essentially erasing everything that comes after it. Which is this case is the portion in bold below:
                            • ` AND password = ` `
                            Remember, multiple types of SQL databases exist and the syntax of their statements can vary. So out there in the real world, depending on the database, these examples may need slight changes.
                              Keep in mind that SQL Injection is not always an easy vulnerability to take advantage of. The example exploitation I gave above isn`t the most likely scenario. Most web applications do in fact have defenses in place to protect against SQL Injection, and its a hacker`s challenge to circumvent them.

                                What`s the impact?

                                  I’ve given an example of how SQL injection can be used to gain access to another user’s account, but there are more things attackers can achieve by taking advantage of SQL vulnerabilities:
                                • Retrieve Hidden Data
                                • Launch DDoS Attacks
                                • Subvert Application Logic/Login Bypass
                                • RCE(remote command execution)
                                  • Thank you so much for reading! I hope you learned something new!