What is SQL Injection: How it Works, Examples, and Types
Data is one of the most important components of information systems. Organizations use database-driven web applications to collect data from their customers. SQL (Structured Query Language) is the language used to retrieve and manipulate the data held in those databases. Because so much valuable data sits behind SQL, attackers keep developing new ways to reach it, and one of those is SQL Injection.
You may not know what SQL Injection (SQLI) is or how it works, but you certainly know about its victims: Target, Yahoo, Zappos, Equifax, Epic Games, TalkTalk, LinkedIn, and Sony Pictures. All of these companies were breached by cybercriminals using SQL Injection.
As OWASP notes, SQL Injection has become a common problem with database-driven websites. The flaw is easy to detect and easy to exploit.
What is SQL Injection
SQL Injection (SQLI) is a type of attack that cybercriminals use to exploit software vulnerabilities in web applications. This allows attackers to see data they would normally not be able to retrieve. This includes data belonging to other users, or other data that the application itself has access to. In many cases, an attacker can modify or delete this data, causing persistent changes to the content or behavior of the application.
In some situations, an attacker may elevate a SQL Injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
How Does SQL Injection Work?
SQL Injection is a major concern when developing web applications. It occurs when an application receives malicious user input and uses it as part of an SQL statement that queries the backend database.
An attacker can enter SQL control characters and keywords (for example, single quotes ('), double quotes ("), equals signs (=), comment markers (--), and so on) to change the structure of the query. Combining these control characters with common SQL commands (e.g. SELECT, FROM, DELETE) lets the attacker access or retrieve data from the backend database server.
A successful attack requires the web application to include the attacker's malicious input in an SQL statement. Malicious input usually comes from untrusted sources, but in some cases data already stored in internal databases can also carry it. When the malicious SQL statement is executed against the backend database, the attacker can read or modify the database; how much depends on how the malicious input was crafted.
SQL injection example
An attacker looking to execute SQL Injection manipulates standard SQL queries to exploit input-validation weaknesses in database-driven applications. There are many ways the attack can be carried out.
For example, a request that pulls information for a particular product, such as http://www.eniaga.com/items/items.asp?itemid=999, could be changed to http://www.eniaga.com/items/items.asp?itemid=999 or 1=1.
As a result, the associated SQL query looks like this:
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 OR 1=1
Because the 1=1 condition is always true, the query returns the names and descriptions of every product in the database, including items the requesting user is not entitled to see.
Attackers can also take advantage of improperly filtered characters to modify SQL statements, for example by using a semicolon to append a second statement.
For example, the input http://www.eniaga.com/items/items.asp?itemid=999; DROP TABLE USERS produces the following SQL query:
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999; DROP TABLE USERS
As a result, the entire user table can be deleted.
Another way SQL queries can be manipulated is with a UNION SELECT statement, which combines two unrelated SELECT queries to retrieve data from different tables.
For example, the input http://www.eniaga.com/items/items.asp?itemid=999 UNION SELECT Username, Password FROM USERS results in the following SQL query:
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemID = '999' UNION SELECT Username, Password FROM Users;
Using UNION SELECT, this query combines the lookup of item 999's name and description with a second query that retrieves the username and password of every user in the database.
Types of SQL Injection
SQL Injection can be classified into three main categories:
* In-band SQL Injection
* Inferential SQL Injection
* Out-of-band SQL Injection
1. In-band SQLI (Classic SQLI)
In-band SQL Injection is the most common and most easily exploited form of SQL Injection. It occurs when the attacker can use the same communication channel both to launch the attack and to gather the results. For example, an attacker can send the attack over HTTP to the backend and receive the results on that same HTTP channel.
There are two main types of in-band SQL Injection:
1. Error-based SQLI: an in-band technique that relies on error messages returned by the database server to learn about the database structure. In some cases, error-based SQL Injection alone is enough for an attacker to enumerate the entire database.
2. Union-based SQLI: an in-band technique that uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response.
2. Inferential SQLI (Blind SQLI)
Inferential SQL Injection, unlike in-band SQLI, may take an attacker longer to exploit, but it is just as dangerous as any other form of SQL Injection. In an inferential attack no data is actually transferred through the web application, so the attacker cannot see the results directly as in an in-band attack (which is why such attacks are usually called "blind SQL Injection attacks").
Instead, the attacker reconstructs the database structure by sending payloads and observing how the web application responds and how the database server behaves. There are two types of inferential SQL Injection: boolean-based blind SQLI and time-based blind SQLI.
1. Boolean-based (content-based) Blind SQLI: an inferential technique that sends SQL queries forcing the application to return different results depending on whether the injected condition evaluates to TRUE or FALSE. Depending on the result, the content of the HTTP response changes or stays the same. This lets the attacker infer whether the payload evaluated to true or false, even though no data from the database is returned.
2. Time-based Blind SQLI: an inferential technique that sends SQL queries forcing the database to wait a certain number of seconds before responding. The response time tells the attacker whether the injected condition was TRUE or FALSE: depending on the result, the HTTP response is delayed or returned immediately. Again, this lets the attacker infer true or false even though no data from the database is returned.
3. Out-of-band SQLI
Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. It occurs when the attacker cannot use the same channel to launch the attack and collect the results. Out-of-band techniques give the attacker an alternative to time-based inferential techniques, especially when the server's response times are unstable (which makes time-based inference unreliable).
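Each of the classes above leaves a recognizable trace in the web server's access log, which is where a defender usually first sees an injection attempt. The following Python example (added here, not part of the article) parses a few constructed Common Log Format lines, URL-decodes each query string, and tags requests that carry the article's own patterns (the OR 1=1 tautology, a semicolon followed by DROP, and UNION SELECT) plus comment markers and the delay functions that time-based blind attempts depend on. The log lines, IP addresses, signature labels and function names are all this example's assumptions; real deployments tune the signatures to their own traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common Log Format: client identd user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Signatures for the injection classes described in the article, applied to the
# URL-decoded query string. Labels are this example's own naming.
INDICATORS = [
    ("in-band: tautology",     re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
    ("in-band: union-based",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("in-band: stacked query", re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I)),
    ("comment truncation",     re.compile(r"--|/\*")),
    ("blind: time-based",      re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
]

# Constructed sample log: one normal lookup, the three payloads from the article,
# and an unrelated search request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /items/items.asp?itemid=999 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /items/items.asp?itemid=999%20or%201%3D1 HTTP/1.1" 200 8812',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /items/items.asp?itemid=999%3B%20DROP%20TABLE%20USERS HTTP/1.1" 500 120',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /items/items.asp?itemid=999%20UNION%20SELECT%20Username%2C%20Password%20FROM%20Users HTTP/1.1" 200 640',
    '192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /search.asp?q=widgets HTTP/1.1" 200 300',
]


def classify_request(path):
    """Return the indicator labels matching the decoded query string of a request path."""
    _, _, query = path.partition("?")
    decoded = unquote_plus(query)
    return [label for label, pattern in INDICATORS if pattern.search(decoded)]


def scan_log(lines):
    """Return (client_ip, decoded_path, labels, status) for every flagged request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the request
        ip, _method, path, status, _size = m.groups()
        labels = classify_request(path)
        if labels:
            findings.append((ip, unquote_plus(path), labels, int(status)))
    return findings


def suspicious_clients(findings):
    """Count flagged requests per client IP so repeated probing from one source stands out."""
    return Counter(ip for ip, _, _, _ in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, labels, status in hits:
        print(f"{ip} {status} {path} -> {', '.join(labels)}")
    print(suspicious_clients(hits))
```

Two details matter for the blind classes: a boolean-based attempt looks like ordinary traffic except for the volume of near-identical requests from one client, which is why the per-client counter is there, and a time-based attempt shows up as both the delay-function signature and an unusually long response time if your log format records one.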
How to Prevent SQL Injection Attacks?
Use the following tips to help prevent SQL Injection attacks on your web applications.
* Limit application privileges: give the application's database account only the rights it needs to function. Any successful SQL Injection attack runs with that account's privileges. Limiting privileges will not prevent SQL Injection outright, but it makes attacks much harder to carry out.
* Strong SA password policy: attackers often need administrator-level functionality to use certain SQL commands. A weak SA (System Administrator) password is much easier to brute-force and raises the chance of a successful SQL Injection attack. A better option is not to use the SA account at all, and instead create a dedicated account for each specific purpose.
* Consistent error-message schema: provide as little information as possible to the user when a database error occurs, and never disclose the full error message. Errors need to be handled on both the web server and the application server. When the web server encounters a processing error, it should respond with a generic page or redirect the user to a standard location; debug information or other details useful to an attacker should not be disclosed. Application servers such as WebSphere are often installed with verbose error messages or debug settings enabled by default, so consult your application server's documentation for how to hide them.
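Two of the three tips above can be shown in a few lines of code. The Python example below (added here; not from the article) opens the product-catalog connection read-only via SQLite's PRAGMA query_only, standing in for the dedicated low-privilege database account the article recommends, and wraps every query so that the full exception text goes to a server-side log while the client receives only a generic message with a correlation id. It then shows what happens when the article's DROP TABLE reaches such a connection. The table names follow the article; the in-memory database, the log list, the function names and the correlation-id format are this example's assumptions.

```python
import sqlite3
import uuid

# Server-side log. Constructed stand-in for a real logger; never sent to the client.
SERVER_LOG = []


def open_catalog_connection():
    """Connection for the product-lookup path. It can read the catalog but not change anything."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT);
        INSERT INTO Items VALUES (999, 'Widget');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('alice', 'hash-of-alice-pw');
    """)
    # Least privilege: any CREATE, DROP, INSERT, UPDATE or DELETE on this connection
    # fails with SQLITE_READONLY. On a real server this is a dedicated DB account
    # granted SELECT only on the catalog tables.
    conn.execute("PRAGMA query_only = 1")
    return conn


def run_query(conn, sql, params=()):
    """Execute a query and return (ok, payload).

    On success payload is the row list. On any database error the detailed message,
    statement and parameters are written to SERVER_LOG, and the client-facing payload
    is a fixed generic message plus a short id that support can look up in the log.
    """
    try:
        return True, conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        error_id = uuid.uuid4().hex[:8]
        SERVER_LOG.append(
            f"[{error_id}] {type(exc).__name__}: {exc} | sql={sql!r} params={params!r}"
        )
        return False, f"A database error occurred (reference {error_id})."


def lookup_item(conn, itemid):
    """Parameterized catalog lookup on the read-only connection."""
    return run_query(conn, "SELECT ItemName FROM Items WHERE ItemNumber = ?", (itemid,))


def delete_users_table(conn):
    """Simulates the article's stacked 'DROP TABLE USERS' reaching the catalog connection."""
    return run_query(conn, "DROP TABLE Users")


if __name__ == "__main__":
    c = open_catalog_connection()
    print(lookup_item(c, 999))
    print(delete_users_table(c))
    print(SERVER_LOG[-1])
```

The DROP fails because the connection has no write privilege, the Users table survives, and the only thing the client learns is that some error occurred under a reference id; the statement that failed, and the fact that a table called Users exists, stay in the server log where an operator can correlate them with the request.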
Conclusion
So what is SQL Injection? Simply put, SQL Injection is an attack against a web application, not against the web server or the operating system itself. As the name implies, it is the act of adding unexpected SQL statements to a query, thereby manipulating the database in ways its administrators and developers never intended. If successful, data can be extracted, modified, inserted or deleted on the database servers used by vulnerable web applications. Under certain circumstances, SQL Injection can be used to take full control of a system.
Resa Risyan
Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.