SQL Injection

The most common and successful injection attack technique
Happens when the attacker injects SQL queries directly into the input form bypassing the front end and executing directly on the SQL Database on the backend
Can also try this in the URL itself, passing authentication credentials by changing the URL

# INSERT a new record in the user and password table 
anything' ; INSERT INTO cust ('cust_Email', 'cust_Password', 'cust_Userid', 'cust_FirstName', 'cust_LastName') VALUES ('attacker_emailAddress@badplace.com', 'P@ssw0rd', 'Matt', 'Matthew', 'Walker') ;--

# Bypass authentication altogether 
admin '-- 
admin' /*

' or 1=1--

') 
('1'='1- -

Three Main Categories

In-band SQL Injection
- Attacker uses the same communication channel to perform and retrieve the results of the attack
- Most commonly used type
- Examples
  - Union Query attack
  - Error-based - enter poorly constructed statements in an effort to get the database to respond with table names and other information in error messages
  - Tautology - trick the database by providing something that is already true to try to sneak by
  - Piggybacking - add malicious request on the back of a legitimate one
Out-of-band SQL injection
- Uses different communication channels for the attack and results
- More difficult to pull off
Blind/Inferential
- Attacker knows the database is vulnerable to injection
- Error messages and screen returns don't come back to the attacker
- A lot more guesswork and trial and error
- Takes a long time to pull off

Remediation

Prepared Statements (With Parameterized Queries):
- Developers write the SQL query and then any user inputs are added as a parameter afterwards
- This ensures that the SQL code structure doesn't change and the database can distinguish between the query and the data
Input Validation
- Uses an allow list to restrict input to only certain strings, can filter the characters you want to allow or disallow
Escaping User Input
- Prepends a backlash to character such as ' " $ \ to make them be parsed as regular strings and not a special character

Tools

Sqlmap
sqlninja
Havij
SQLBrute
Pangolin
SQLExec
Absinthe
BobCat

PreviousLDAP Injection NextMalware Analysis Primer

Last updated 1 year ago

# INSERT a new record in the user and password table anything' ; INSERT INTO cust ('cust_Email', 'cust_Password', 'cust_Userid', 'cust_FirstName', 'cust_LastName') VALUES ('attacker_emailAddress@badplace.com', 'P@ssw0rd', 'Matt', 'Matthew', 'Walker') ;-- # Bypass authentication altogether admin '-- admin' /* ' or 1=1-- ') ('1'='1- -

Three Main Categories

In-band SQL Injection

Attacker uses the same communication channel to perform and retrieve the results of the attack
Most commonly used type
Examples
- Union Query attack
- Error-based - enter poorly constructed statements in an effort to get the database to respond with table names and other information in error messages
- Tautology - trick the database by providing something that is already true to try to sneak by
- Piggybacking - add malicious request on the back of a legitimate one

Out-of-band SQL injection

Uses different communication channels for the attack and results
More difficult to pull off

Blind/Inferential

Attacker knows the database is vulnerable to injection
Error messages and screen returns don't come back to the attacker
A lot more guesswork and trial and error
Takes a long time to pull off

Remediation

Prepared Statements (With Parameterized Queries):

Developers write the SQL query and then any user inputs are added as a parameter afterwards
This ensures that the SQL code structure doesn't change and the database can distinguish between the query and the data

Input Validation

Uses an allow list to restrict input to only certain strings, can filter the characters you want to allow or disallow

Escaping User Input

Prepends a backlash to character such as ' " $ \ to make them be parsed as regular strings and not a special character

Tools

Sqlmap

sqlninja

Havij

SQLBrute

Pangolin

SQLExec

Absinthe

BobCat