SQL Injection

Introduction

In this article, we will learn about SQL Injection and how we use SQL Injection with its different types.

SQL Injection 

SQL Injection is nothing but a combination of a SQL Query that can be through user input from your website and execution of the query in your back-end database. I will give an example of SQL injection. SQL Injection is just like an injection. In real life, we use injections to take blood from our bodies or to insert a liquid into our bodies. SQL Injection is like a real-life injection. Using SQL Injection you can get important information or you can insert some information into the database.

SQL Injection

Here, the user tries to login into a web application using their credentials. Only authenticated users can log in to the application. But a hacker can input malicious data and log in to the web application even though they are not authenticated; that is called SQL injection.

How do SQL Injection?

SQL injection is a blind attack. You do not have any idea about the application. There are so many ways to do SQL Injection.

Identify the back-end database

The first thing you need to find out is which database is being used by the web application. There are two ways to determine the back-end database of the web application.

Extension name of the web page.

The following table may or may not be correct.

No. Script Language Database used by folks
1 ASP.NET MS-SQL
2 JSP Oracle
3 PHP MYSQL

Nowadays many applications are using web routing so you cannot see the web page extension.

Query to identify the database.

As we already know, all databases have different syntaxes to execute a query. Such as,

  • MS-SQL- Select * from tablename where id=10 AND age=20
  • Oracle- Select * from tablename where id=10 || age=20

I will give you an example. I developed an application with ASP.NET and my database is MS SQL 2008.

SQL Injection

Here I entered [email protected]' || word like "%"'-- string and click on the Login button. I was getting the following exception; it means the web application isn't using the Oracle database. So likewise you can execute a different database query and you can get the back-end database that is used by the web application.

SQL Injection

Field Mapping

Field mapping is a very important role in SQL Injection. Field mapping is nothing but getting the field name from the tables. The first step is to guess a field name. We construct a SQL Query to find a field name.

SELECT fieldlist FROM table WHERE field = 'x'

Now

SELECT fieldlistFROM tableWHERE email = 'x' OR mail IS NULL; --';

SQL Injection

Enter a malicious string in the input box. You don't care whether the email address is correct or not, you just check whether the query above returns a SQL exception or not. If you are getting a SQL Exception then that means the field we are checking is not in the table. You can guess many fields using that query.

SQL Injection

  1. Finding the table name

    The application's built-in query already has the table name built into it. But you don't know the name of the table. There are several ways to determine the table name, such as:

    A standalone query
    SELECT COUNT(*) FROM tabname
    Return the total number of records in the table and the query fails if the table name is invalid. So we can use the above query to find the correct table name.
    SELECT * FROM tableWHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';

    Enter a malicious string in the input box and click on the login button. If you get a SQL exception then that means the table name you tried to find is not in the database.

    SQL Injection

  2. The database is not read-only

    A Database is not read-only so you can easily delete data from a database. Execute the following query:
    SELECT * FROM UserInfo WHERE email = 'x'; DROP TABLE UserInfo; --';
  3. Get word In your mailbox

    You can easily get another user's email ID. Once you have the other user's email id you can update your email id to his email id. Execute the following query:
    SELECT * FROM UserInfo WHERE email = 'x'; UPDATE UserInfoSET email = '[email protected]' WHERE email = '[email protected]';

    Once you update your email successfully try to get the word by entering the updated email address.

How we can protect our website from SQL Injection?

Filter out the character like a single quote, double quote, slash, backslash, semi-colon, an extended character like NULL, carriage return, new line, etc, in all strings from:

  • Input from users
  • Parameters from URL
  • Values from cookie
  1. Primary Defenses
    1. Use Parameterized Query
    2. Use a stored procedure with a parameter
    3. Escaping input
    4. Avoid disclosing error information
  2. Additional Defenses
    1. Input Validation
      White List Input Validation or Black list Input validation

Primary Defenses

Use parameterized query

The most important reason to use parameterized queries is to avoid SQL injection attacks. Let me give an example:

Text Box 1 = Naren
Text Box 2 = [email protected]'); DROP TABLE Customer;--

After entering all input values, the data query becomes,

Insert into Customer(name,email) values('Naren','[email protected]');DROP TABLE Customer;--

The above query is valid for the database. When this query is executed it will delete the Customer table from the database. So you need to use a Parameter Query to protect this kind of input value.

Parameter Query

Insert into Customer(name,email) values(@name,@email)

In this case, the @name and @email parameter is treated as a literal value and not as executable code. When you execute this query, it will execute an INSERT query only. The server accepts the user input as one value of a variable and inserts that entire value into the Email field.

Use stored procedure with parameter

The use of a stored procedure does not protect against SQL injection. The important thing to do is to use a stored procedure with parameters.

The following code shows how to use a SQL Parameter Collection when calling a stored procedure.

In this case, the @name parameter is treated as a literal value and not as executable code. Also, the parameter checks the type and length.

Escaping input

In SQL Server, some characters have a special meaning, such as the single quote ( ' ) and the braces ( [, ] ), but sometimes it is necessary to accept such characters.

Additional Defenses

White List Input Validation

In this white list, we allow the user to only enter valid data for our application. White list input validation is better than black list input. I will give an example.

Username and word data are perfect candidates of data that we should white list. For instance, let's constrain the allowed characters for the username to "A-Z", "a-z", "0-9",".", "@" and use the same for the word field but perhaps add "!", "?", "#".

Conclusion

In this article, we learned about SQL Injection and how we use SQL Injection with its different types.

Reference Link


Similar Articles