SQLi

What is SQLi?

SQL Injection (SQLi) is a security vulnerability that allows attackers to inject malicious SQL code into queries sent to a database. This can lead to unauthorized access to data, data manipulation, or even full control over the database. SQL is a standard language for managing data held in relational database management systems (RDBMS), including MySQL, Oracle, SQL Server, and others.

Index

1. Basis to tackle SQLi (Below)

2. Authentication By-Pass
3. Union Based Attacks
4. Blind Injections
5. Time-Based Blind Injections
6. Error Based Injections
7. Second Order Injections

Basics of SQL

• An SQL query is a command used to get data out of a database.

• Basic SQL syntax:

  1. SELECT Extracts data from the given table.

  -- Example: Selects all columns from the "customers" table
  SELECT * FROM customers;

  1. -- Comments out the remainder of the line. The code after -- is ignored.

  -- This is a comment and will not be executed
  SELECT * FROM customers; -- This part is ignored

  1. ORDER BY Orders the results obtained from SELECT in a specific manner. For example, if one has a table of countries and their populations, one can select the countries starting with the letter R and then order them by their population.

  -- Example: Select countries starting with 'R' and order by population
  SELECT * FROM countries
  WHERE name LIKE 'R%'
  ORDER BY population;

  1. UNION clause allows you to group multiple queries together.

  -- Example: Combine results from two SELECT statements
  SELECT name FROM employees
  WHERE department = 'Sales'
  UNION
  SELECT name FROM contractors
  WHERE department = 'Sales';

  1. JOIN Joins data from two tables depending on a certain characteristic on the table. For example, if there's a table with customer IDs and their addresses and another table with customer IDs and their purchases, you can join both tables so that the customer addresses match their purchases.

  -- Example: Join customers and orders tables on customer_id
  SELECT customers.name, orders.product
  FROM customers
  JOIN orders ON customers.customer_id = orders.customer_id;

  1. DELETE, INSERT Allows you to delete data or add new data to a table.

  -- Example: Insert a new customer into the customers table
  INSERT INTO customers (name, address)
  VALUES ('John Doe', '123 Main St');
  
  -- Example: Delete a customer from the customers table
  DELETE FROM customers
  WHERE name = 'John Doe';

  1. AND, OR Allows you to modify queries so that they return information depending on multiple categories.

  -- Example: Select employees who are in the Sales department and have a salary greater than 50000
  SELECT * FROM employees
  WHERE department = 'Sales' AND salary > 50000;
  
  -- Example: Select employees who are in the Sales department or have a salary greater than 50000
  SELECT * FROM employees
  WHERE department = 'Sales' OR salary > 50000;

  1. MIN, MAX They return the smallest or largest value of a query.

  -- Example: Get the minimum and maximum salary from the employees table
  SELECT MIN(salary) AS min_salary, MAX(salary) AS max_salary
  FROM employees;

  1. More here and here...
• User input from textbox, URL parameters, etc may be used to construct a SQL query in the backend.

Code below directly adds in input as a part of the query, as a result, the attacker can 'inject' their own code here and execute it.

String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet result = statement.executeQuery(query);