Introduction
In this article, we will learn about SQL Injection and how we use SQL Injection with its different types.
SQL Injection
SQL Injection is nothing but a combination of a SQL Query that can be through user input from your website and execution of the query in your back-end database. I will give an example of SQL injection. SQL Injection is just like an injection. In real life, we use injections to take blood from our bodies or to insert a liquid into our bodies. SQL Injection is like a real-life injection. Using SQL Injection you can get important information or you can insert some information into the database.
Here, the user tries to login into a web application using their credentials. Only authenticated users can log in to the application. But a hacker can input malicious data and log in to the web application even though they are not authenticated; that is called SQL injection.
How do SQL Injection?
SQL injection is a blind attack. You do not have any idea about the application. There are so many ways to do SQL Injection.
Identify the back-end database
The first thing you need to find out is which database is being used by the web application. There are two ways to determine the back-end database of the web application.
Extension name of the web page.
The following table may or may not be correct.
No. |
Script Language |
Database used by folks |
1 |
ASP.NET |
MS-SQL |
2 |
JSP |
Oracle |
3 |
PHP |
MYSQL |
Nowadays many applications are using web routing so you cannot see the web page extension.
Query to identify the database.
As we already know, all databases have different syntaxes to execute a query. Such as,
- MS-SQL- Select * from tablename where id=10 AND age=20
- Oracle- Select * from tablename where id=10 || age=20
I will give you an example. I developed an application with ASP.NET and my database is MS SQL 2008.
Here I entered [email protected]' || word like "%"'-- string and click on the Login button. I was getting the following exception; it means the web application isn't using the Oracle database. So likewise you can execute a different database query and you can get the back-end database that is used by the web application.
Field Mapping
Field mapping is a very important role in SQL Injection. Field mapping is nothing but getting the field name from the tables. The first step is to guess a field name. We construct a SQL Query to find a field name.
SELECT fieldlist FROM table WHERE field = 'x'
Now
SELECT fieldlistFROM tableWHERE email = 'x' OR mail IS NULL; --';
Enter a malicious string in the input box. You don't care whether the email address is correct or not, you just check whether the query above returns a SQL exception or not. If you are getting a SQL Exception then that means the field we are checking is not in the table. You can guess many fields using that query.
- Finding the table name
The application's built-in query already has the table name built into it. But you don't know the name of the table. There are several ways to determine the table name, such as:
A standalone query
SELECT COUNT(*) FROM tabname
Return the total number of records in the table and the query fails if the table name is invalid. So we can use the above query to find the correct table name.
SELECT * FROM tableWHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
Enter a malicious string in the input box and click on the login button. If you get a SQL exception then that means the table name you tried to find is not in the database.
- The database is not read-only
A Database is not read-only so you can easily delete data from a database. Execute the following query:
SELECT * FROM UserInfo WHERE email = 'x'; DROP TABLE UserInfo; --';
- Get word In your mailbox
You can easily get another user's email ID. Once you have the other user's email id you can update your email id to his email id. Execute the following query:
SELECT * FROM UserInfo WHERE email = 'x'; UPDATE UserInfoSET email = '[email protected]' WHERE email = '[email protected]';
Once you update your email successfully try to get the word by entering the updated email address.
How we can protect our website from SQL Injection?
Filter out the character like a single quote, double quote, slash, backslash, semi-colon, an extended character like NULL, carriage return, new line, etc, in all strings from:
- Input from users
- Parameters from URL
- Values from cookie
- Primary Defenses
- Use Parameterized Query
- Use a stored procedure with a parameter
- Escaping input
- Avoid disclosing error information
- Additional Defenses
- Input Validation
White List Input Validation or Black list Input validation
Primary Defenses
Use parameterized query
The most important reason to use parameterized queries is to avoid SQL injection attacks. Let me give an example:
Text Box 1 = Naren
Text Box 2 = [email protected]'); DROP TABLE Customer;--
After entering all input values, the data query becomes,
Insert into Customer(name,email) values('Naren','[email protected]');DROP TABLE Customer;--
The above query is valid for the database. When this query is executed it will delete the Customer table from the database. So you need to use a Parameter Query to protect this kind of input value.
Parameter Query
Insert into Customer(name,email) values(@name,@email)
In this case, the @name and @email parameter is treated as a literal value and not as executable code. When you execute this query, it will execute an INSERT query only. The server accepts the user input as one value of a variable and inserts that entire value into the Email field.
Use stored procedure with parameter
The use of a stored procedure does not protect against SQL injection. The important thing to do is to use a stored procedure with parameters.
The following code shows how to use a SQL Parameter Collection when calling a stored procedure.
In this case, the @name parameter is treated as a literal value and not as executable code. Also, the parameter checks the type and length.
Escaping input
In SQL Server, some characters have a special meaning, such as the single quote ( ' ) and the braces ( [, ] ), but sometimes it is necessary to accept such characters.
Additional Defenses
White List Input Validation
In this white list, we allow the user to only enter valid data for our application. White list input validation is better than black list input. I will give an example.
Username and word data are perfect candidates of data that we should white list. For instance, let's constrain the allowed characters for the username to "A-Z", "a-z", "0-9",".", "@" and use the same for the word field but perhaps add "!", "?", "#".
Conclusion
In this article, we learned about SQL Injection and how we use SQL Injection with its different types.
Reference Link