Injection is one of the more popular application-layer hacking
techniques in use in the wild today. It is a type of input validation
attack, i.e. it occurs when the programmer/developer fails to properly
validate the input given by the user.
SQL stands for Structured Query Language, and it is the language used
by most website databases. The relational model (RDBMS) is the basis for
SQL and for all modern database systems such as MSSQL Server, Oracle,
MySQL etc. Data is stored in the database in the form of tables. A
database most often contains one or more tables; tables contain one or
more columns, and data is stored in these columns. Data in the database
is retrieved using queries. Generally in a website the front end and
back end are connected so that the end user can retrieve data from, or
enter data into, the back end through the front end. If the front end is
PHP and the back end is MySQL, the connection is made using
mysql_connect("servername", "username", "password")
Once the connection is made, the front end and back end start
interacting. Whatever request the end user makes from the front end is
passed to the back end in the form of SQL queries, and the end user gets
the required result. But it is possible for an attacker to send a
malicious request (generally SQL queries) from the front end, forcing
the back end to execute those queries and return the result. This is
called SQL injection.
SQL injection is a technique that takes advantage of non-validated
input vulnerabilities to pass SQL commands through a web application for
execution by a back-end database. A successful SQL injection exploit can
enable the attacker to read sensitive data from the database, perform
insert/update/delete operations, and execute administrative operations on
the database (such as shutting down the DBMS). This means a SQL injection
attack is possible only on those websites/web applications which have a
back-end database. SQL injection is possible on almost all databases
(MySQL, MSSQL, Oracle, MS Access etc.). The attack is carried out by
injecting malicious SQL queries through forms or through the URL.
The possible types of SQL injection that an attacker can exploit are explained below.
1. Poorly Filtered Strings
SQL injections based on poorly filtered strings are caused by user
input that is not filtered for escape characters. If the validation of
the user input is not done properly, the attacker can send SQL strings
from the form to be executed in the database and hence compromising
The attacker puts ' OR '1'='1 in the form and sends it to the back end.
Inserting the above string will generate a query like this:
SELECT password FROM users WHERE password = '' OR '1'='1'
This query always evaluates to true, thus giving the attacker illegal access.
2. Incorrect Type Handling
SQL injections based on incorrect type handling occur when an input is
not checked for type constraints. In simple language, the data type of
the input is not validated properly, which attackers then manipulate to
execute their own SQL queries.
Suppose the input data type is not properly validated. Consider the following query:
SELECT * FROM table WHERE id = "pid";
An attacker will supply an input such that the query is interpreted as
SELECT * FROM userinfo WHERE id=1;SHOW TABLES;
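The two defects above (string input pasted into the statement, and an id that is never checked to be a number) and their fixes, shown side by side in an added example that is not part of the original tutorial. Python with an in-memory SQLite database stands in for the PHP/MySQL pairing the text uses (note that PHP's mysql_connect() was removed in PHP 7; mysqli or PDO, both of which support bound parameters, replace it). The table, rows and payloads are constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the MySQL back end
# described above; the table and its rows are sample data, not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

# Section 1, vulnerable form: the user-supplied string is pasted straight into
# the statement, so quote characters in the input become part of the SQL.
def login_vulnerable(conn, password):
    sql = "SELECT password FROM users WHERE password = '" + password + "'"
    return conn.execute(sql).fetchall()

# Section 1, hardened form: the value travels as a bound parameter, so the
# driver never lets it change the structure of the statement.
def login_safe(conn, password):
    sql = "SELECT password FROM users WHERE password = ?"
    return conn.execute(sql, (password,)).fetchall()

# Section 2, vulnerable form: the id is never checked to be an integer, so the
# WHERE clause is whatever text the client sent.
def lookup_vulnerable(conn, pid):
    sql = "SELECT id, username FROM users WHERE id = " + pid
    return conn.execute(sql).fetchall()

# Section 2, hardened form: enforce the type before the value goes near SQL,
# and still bind it as a parameter.
def is_valid_id(pid):
    try:
        int(pid)
        return True
    except (TypeError, ValueError):
        return False

def lookup_safe(conn, pid):
    if not is_valid_id(pid):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (int(pid),)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(conn, payload))      # every row: the tautology matches all users
    print(login_safe(conn, payload))            # []: no user has that literal password
    print(lookup_vulnerable(conn, "1 OR 1=1"))  # both rows
    print(lookup_safe(conn, "1"))               # [(1, 'alice')]
    print(is_valid_id("1;SHOW TABLES"))         # False: rejected before any SQL runs
```

The vulnerable functions reproduce the tutorial's two failure modes; the safe ones show that a bound parameter plus a type check is all that is needed, and that the fix does not depend on trying to spot "bad" characters in the input.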
3. Signature Evasion
Many SQL injections are partly blocked by intrusion detection and
intrusion prevention systems using signature detection rules. Common
programs that detect SQL injections are mod_security or a WAF (web
application firewall). These techniques are not 100% secure and can be
bypassed.
If the firewall is blocking keywords like "union", "all", "select" etc., then the attacker can bypass it by wrapping the SQL keywords in comments like this: /*!union*/ /*!all*/ /*!select*/. There are many other ways as well, which will be discussed in further tutorials.
4. Filter Bypassing
Generally while doing SQL injection, some SQL keywords are used, like
union, select, from etc. The administrator filters these keywords so as
to block such requests, but it still becomes possible for an attacker to
bypass this kind of filter.
The attacker sends a request like this:
index.php?id=1 union all select 1,2,3--
The site gives the response 406 Not Acceptable, so by using a trick like this
index.php?id=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3--
the attacker bypasses the filter. There are many ways to bypass such
filters; it depends on how strongly the administrator has built the
filter.
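Sections 3 and 4 both turn on the same weakness: a keyword filter that compares raw request text against signatures, so an encoding MySQL will happily undo (a /*!...*/ versioned comment, URL encoding, comment-separated tokens) is not seen by the filter. This added example, not code from the tutorial, shows a token-based blocklist of the kind described, then the same blocklist applied after the request is normalized (decoded, versioned comments unwrapped, ordinary comments removed, whitespace collapsed). The blocklist contents and the sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed blocklist standing in for the keyword filter described above.
BLOCKED = {"union", "all", "select"}

def tokens(s):
    return s.lower().split()

def naive_filter(query_string):
    """Blocks a request when any whitespace-separated token is a blocked keyword.
    This is the kind of filter the tutorial shows being bypassed with /*!...*/,
    because "/*!union*/" is not the token "union"."""
    return bool(BLOCKED & set(tokens(query_string)))

def normalize(query_string):
    """Undo, before matching, the transformations MySQL itself undoes:
    URL encoding, versioned comments /*!...*/ (MySQL executes their contents),
    ordinary comments (MySQL ignores them), and runs of whitespace."""
    s = unquote_plus(query_string)
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)  # /*!50000union*/ -> union
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)                # /* anything */ -> space
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()

def normalized_filter(query_string):
    """Same blocklist, but matched against the normalized request."""
    return naive_filter(normalize(query_string))

def respond(query_string, use_normalization=True):
    """Return the HTTP status the filter would produce for this query string;
    406 mirrors the response the tutorial describes for a blocked request."""
    blocked = normalized_filter(query_string) if use_normalization else naive_filter(query_string)
    return 406 if blocked else 200

if __name__ == "__main__":
    plain = "id=1 union all select 1,2,3--"
    wrapped = "id=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3--"
    print(respond(plain, use_normalization=False))    # 406
    print(respond(wrapped, use_normalization=False))  # 200: the naive filter is bypassed
    print(respond(wrapped))                           # 406: the normalized filter catches it
    print(respond("id=1"))                            # 200
```

Normalization closes the specific gap the tutorial shows, but a signature filter remains a second line of defence only: it has to guess every encoding the database will accept, whereas a parameterized query does not have to inspect the input at all.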
5. Blind SQL injection
Blind SQL injection is used when a web application is vulnerable to
SQL injection but the results of the injection are not visible to the
attacker. The page with the vulnerability may not be one that displays
data, but it will display differently depending on the result of a
logical statement injected into the legitimate SQL statement called for
that page. Blind SQL injection takes a lot of time and patience.
site.com/index.php?id=1 and 1=1 will load the normal page, but site.com/index.php?id=1 and 1=2 will give a different result if the page is vulnerable to SQL injection.
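Because blind injection leaves no data on the page, the most visible trace it leaves is on the server side: pairs of requests from one client that differ only by a true/false condition and come back with different response sizes. This added example, not part of the tutorial, runs that detection over a handful of constructed access-log lines in common log format (the addresses, paths and sizes are sample data written for the example, not captured from any real server).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format; sample data for this
# example only. The first client sends the 1=1 / 1=2 pair from the text and
# gets two different response sizes; the second client is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%20and%201=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5100
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /search.php?q=salt%20and%20pepper HTTP/1.1" 200 3300
"""

# ip, method, target, status, size from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')
# A boolean probe: "and"/"or" followed by a comparison, as in the text's 1=1 / 1=2 pair
PROBE_RE = re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I)

def parse_line(line):
    """Split one log line into its fields, with the query string URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status),
            "size": 0 if size == "-" else int(size)}

def is_probe(query):
    """True when the decoded query string carries an injected boolean condition."""
    return PROBE_RE.search(query) is not None

def find_probes(log_text):
    """All parsed requests whose query string looks like a boolean probe."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_probe(rec["query"])]

def suspicious_clients(log_text, min_probes=2):
    """Clients that sent several probes to one path and received responses of
    differing size: the page-behaves-differently signal blind injection relies on.
    Returns {(ip, path): sorted distinct response sizes}."""
    sizes = defaultdict(list)
    for rec in find_probes(log_text):
        sizes[(rec["ip"], rec["path"])].append(rec["size"])
    return {key: sorted(set(s)) for key, s in sizes.items()
            if len(s) >= min_probes and len(set(s)) > 1}

if __name__ == "__main__":
    for rec in find_probes(SAMPLE_LOG):
        print(rec["ip"], rec["path"], rec["query"], rec["size"])
    print(suspicious_clients(SAMPLE_LOG))  # {('203.0.113.5', '/index.php'): [2048, 5120]}
```

The size comparison is what separates a probe from a stray "and" in a search term: a single odd-looking request is weak evidence, but the same client getting two response sizes for the same path and a true/false pair is the behaviour the tutorial describes, seen from the server's side.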
There are many more varieties of SQL injection attacks, which will be
discussed in the next tutorials. Suggestions happily accepted for future