SQLi

What is SQLi?

SQL Injection (SQLi) is a security vulnerability that allows attackers to inject malicious SQL code into queries sent to a database. This can lead to unauthorized access to data, data manipulation, or even full control over the database. SQL is a standard language for managing data held in relational database management systems (RDBMS), including MySQL, Oracle, SQL Server, and others.

Index

  1. Basis to tackle SQLi (Below)

  2. Authentication By-Pass

  3. Union Based Attacks

  4. Blind Injections

  5. Time-Based Blind Injections

  6. Error Based Injections

  7. Second Order Injections

Basics of SQL

  • An SQL query is a command used to get data out of a database.

  • Basic SQL syntax:

    1. SELECT Extracts data from the given table.

    -- Example: Selects all columns from the "customers" table
SELECT * FROM customers;

    1. -- Comments out the remainder of the line. The code after -- is ignored.

    -- This is a comment and will not be executed
SELECT * FROM customers; -- This part is ignored

    1. ORDER BY Orders the results obtained from SELECT in a specific manner. For example, if one has a table of countries and their populations, one can select the countries starting with the letter R and then order them by their population.

    -- Example: Select countries starting with 'R' and order by population
SELECT * FROM countries
WHERE name LIKE 'R%'
ORDER BY population;

    1. UNION clause allows you to group multiple queries together.

    -- Example: Combine results from two SELECT statements
SELECT name FROM employees
WHERE department = 'Sales'
UNION
SELECT name FROM contractors
WHERE department = 'Sales';

    1. JOIN Joins data from two tables depending on a certain characteristic on the table. For example, if there's a table with customer IDs and their addresses and another table with customer IDs and their purchases, you can join both tables so that the customer addresses match their purchases.

    -- Example: Join customers and orders tables on customer_id
SELECT customers.name, orders.product
FROM customers
JOIN orders ON customers.customer_id = orders.customer_id;

    1. DELETE, INSERT Allows you to delete data or add new data to a table.

    -- Example: Insert a new customer into the customers table
INSERT INTO customers (name, address)
VALUES ('John Doe', '123 Main St');

-- Example: Delete a customer from the customers table
DELETE FROM customers
WHERE name = 'John Doe';

    1. AND, OR Allows you to modify queries so that they return information depending on multiple categories.

    -- Example: Select employees who are in the Sales department and have a salary greater than 50000
SELECT * FROM employees
WHERE department = 'Sales' AND salary > 50000;

-- Example: Select employees who are in the Sales department or have a salary greater than 50000
SELECT * FROM employees
WHERE department = 'Sales' OR salary > 50000;

    1. MIN, MAX They return the smallest or largest value of a query.

    -- Example: Get the minimum and maximum salary from the employees table
SELECT MIN(salary) AS min_salary, MAX(salary) AS max_salary
FROM employees;

    1. More here and here...

  • User input from textbox, URL parameters, etc may be used to construct a SQL query in the backend.

Code below directly adds in input as a part of the query, as a result, the attacker can 'inject' their own code here and execute it.

String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet result = statement.executeQuery(query);

Last updated