# SQLi

## What is SQLi?

SQL Injection (SQLi) is a security vulnerability that allows attackers to inject malicious SQL code into queries sent to a database. This can lead to unauthorized access to data, data manipulation, or even full control over the database. SQL is a standard language for managing data held in relational database management systems (RDBMS), including MySQL, Oracle, SQL Server, and others.

![](https://3595976759-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FT9IrnLPUCRfTZ1FquoLF%2Fuploads%2Fgit-blob-16355b1fcc9dc61feb565f5c92dcc9da03ae655f%2FSQL-injection-attack-example.png?alt=media)

## Index

1. Basis to tackle SQLi (Below)
2. [Authentication By-Pass](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/authentication-by-pass)
3. [Union Based Attacks](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/union-based-attacks)
4. [Blind Injections](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/blind-injections)
5. [Time-Based Blind Injections](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/time-based-blind-injections)
6. [Error Based Injections](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/error-based-injections)
7. [Second Order Injections](https://csyclub-iiitk.gitbook.io/ctf-guide/web-exploitation/intro-to-sqli/second-order-injections)

## Basics of SQL

* An SQL query is a command used to get data out of a database.
* Basic SQL syntax:

  1. **`SELECT`** Extracts data from the given table.

  ```sql
  -- Example: Selects all columns from the "customers" table
  SELECT * FROM customers;
  ```

  2. **`--`** Comments out the remainder of the line. The code after `--` is ignored.

  ```sql
  -- This is a comment and will not be executed
  SELECT * FROM customers; -- This part is ignored
  ```

  3. **`ORDER BY`** Orders the results obtained from SELECT in a specific manner. For example, if one has a table of countries and their populations, one can select the countries starting with the letter R and then order them by their population.

  ```sql
  -- Example: Select countries starting with 'R' and order by population
  SELECT * FROM countries
  WHERE name LIKE 'R%'
  ORDER BY population;
  ```

  4. **`UNION`** clause allows you to group multiple queries together.

  ```sql
  -- Example: Combine results from two SELECT statements
  SELECT name FROM employees
  WHERE department = 'Sales'
  UNION
  SELECT name FROM contractors
  WHERE department = 'Sales';
  ```

  5. **`JOIN`** Joins data from two tables depending on a certain characteristic on the table. For example, if there's a table with customer IDs and their addresses and another table with customer IDs and their purchases, you can join both tables so that the customer addresses match their purchases.

  ```sql
  -- Example: Join customers and orders tables on customer_id
  SELECT customers.name, orders.product
  FROM customers
  JOIN orders ON customers.customer_id = orders.customer_id;
  ```

  6. **`DELETE, INSERT`** Allows you to delete data or add new data to a table.

  ```sql
  -- Example: Insert a new customer into the customers table
  INSERT INTO customers (name, address)
  VALUES ('John Doe', '123 Main St');

  -- Example: Delete a customer from the customers table
  DELETE FROM customers
  WHERE name = 'John Doe';
  ```

  7. **`AND, OR`** Allows you to modify queries so that they return information depending on multiple categories.

  ```sql
  -- Example: Select employees who are in the Sales department and have a salary greater than 50000
  SELECT * FROM employees
  WHERE department = 'Sales' AND salary > 50000;

  -- Example: Select employees who are in the Sales department or have a salary greater than 50000
  SELECT * FROM employees
  WHERE department = 'Sales' OR salary > 50000;
  ```

  8. **`MIN, MAX`** They return the smallest or largest value of a query.

  ```sql
  -- Example: Get the minimum and maximum salary from the employees table
  SELECT MIN(salary) AS min_salary, MAX(salary) AS max_salary
  FROM employees;
  ```

  9. [**More here**](https://www.datacamp.com/cheat-sheet/sql-basics-cheat-sheet) and [here](https://portswigger.net/web-security/sql-injection/cheat-sheet)...
* User input from textbox, URL parameters, etc may be used to construct a SQL query in the backend.

> Code below directly adds in input as a part of the query, as a result, the attacker can 'inject' their own code here and execute it.

```Java
String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet result = statement.executeQuery(query);
```