Posted on

SQL Injection for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about SQL injection. This vulnerability can result in unauthorized access to sensitive data, modification or deletion of data, and even complete control over the web application and underlying server. (Where is this data stored? In a database. Read what is a database). In this article, you will learn what SQL injection is, how it works, types of attacks, how to prevent and detect this vulnerability.

What is SQL Injection?

SQL (Structured Query Language) Injection is a type of security vulnerability that allows an attacker to manipulate a web application’s database through malicious SQL statements.

How does it work?

These attacks typically occur when a web application does not properly validate user input, such as form data or user-generated content. An attacker can exploit this vulnerability by injecting malicious SQL statements into the input field, which are then executed by the web application’s database.

Sql Injection for beginners

For example, suppose a web application has a login form that accepts a username and password. If the application does not properly validate the input, an attacker could enter a malicious SQL statement into the username field, such as:

Vbnet ‘ OR 1=1–

This statement would trick the web application into believing that the attacker has a valid username, bypassing the need for a password. The double dash at the end of the statement serves as a comment delimiter which ignores any subsequent characters in the query. As a result, the attacker gains unauthorized access to the application and potentially sensitive data.

SQL Injection attacks can also occur through other input fields, such as search boxes, comment forms and URLs. An attacker can use a variety of techniques to inject malicious SQL statements, such as union queries, stacked queries, and blind injection.

Types Of SQL Injection

There are several types of Injection attacks that an attacker can use to compromise a web application. These include:

1. Classic Injection:

This injection type is the most common type, where an attacker injects a malicious SQL statement into an input field to gain unauthorized access to the application and database.

SQL injection

2. Error Based Injection:

This type of Injection attack uses error messages returned by the database to extract sensitive information, such as usernames and passwords.

sql injection

3. Blind Injection:

In a blind Injection attack, an attacker injects a malicious SQL statement into an input field, but does not receive any error messages or output. This makes it difficult to detect the attack and extract sensitive information.

SQL injection
SQl Injection 5
SQL injection

3. Out-Of-Band Injection:

This type of injection attack uses a separate channel, such as DNS or HTTP requests, to extract sensitive information from the database.

SQl Injection 7
SQl Injection 8 1024x353
SQl Injection 9 1024x332

5. Time-Based Injection:

In a time-based injection attack, an attacker injects a malicious SQL statement into an input field that causes a delay in the database response time. This delay can be used to extract sensitive information from the database.

SQl Injection 10 1024x545

Methods Of SQL Injection

SQL Injection attackers use a variety of methods to exploit vulnerabilities in web applications. Some common methods include:

1. Union-Based Injection:

This method involves adding a UNION statement to a SQL query to combine data from multiple tables or queries. This can be used to extract sensitive information from the database.

2. Error-Based Injection:

This method involves triggering a SQL error and using the resulting error message to gain access to sensitive information.

3. Boolean-Based Injection:

This method involves using true or false statements to determine whether certain conditions are met, such as whether a username and password combination is valid.

4. Time-Based Injection:

This method involves using time delays in SQL queries to determine whether certain conditions are met, such as whether a username and password combination is valid.

Real World Examples Of SQL Injection

Here are some of the SQL injection vulnerabilities and their exploitation cases in Real World.

1. Freepik Data Breach:

In year 2022, hackers stole over 8.3million Freepik & Flaticon users by exploiting a SQL injection vulnerability in company Flaticon website.

2. Tesla Motors:

In 2014, a security researcher found a blind injection vulnerability in the Tesla Motors Design studio tool. This vulnerability if exploited could have given anyone access to Tesla backend database including call customer record.

3. Heartland Hack:

A team of hackers exploited an injection vulnerability in Heartland and other company’s website to gain access to their network and plant packet sniffing tools and other malware on their network.

Mitigation and Prevention

To detect and prevent SQL Injection attacks, web application developers and administrators can implement a variety of measures, including:

1. Input Validation:

This involves validating user input to ensure that it conforms to expected patterns or formats. Input validation can be implemented through client-side and server-side validation techniques.

2. Parameterized Queries:

This involves using parameterized queries instead of dynamically generated SQL queries. Parameterized queries use placeholders for user input, rather than incorporating user input directly into the SQL query.

3. Stored Procedures:

Stored procedures are a type of database object that can be called by an application to perform a specific task or set of tasks. They can also be used to prevent this injection attacks by creating parameterized queries that are executed by the stored procedure.

4. Database Hardening:

This involves configuring the database server to restrict user access and ensure that each user has only the necessary access to perform their job functions. It also involves implementing strong passwords and two-factor authentication.

5. Configuring Error Messages:

When a SQL error occurs, the database server may return an error message that includes sensitive information, such as the SQL query that caused the error or details about the database structure. An attacker can use this information to refine their attack and gain further access to the database. To prevent this, it’s important to configure error messages so that they do not reveal sensitive information.

6. Regular Updates:

This involves keeping web applications and database servers up-to-date with the latest security patches and updates.

7. Education and Training:

Regular education and training for developers, administrators, and users is critical to preventing SQL Injection attacks. This includes training on secure coding practices, data security, and password management.

Tools for Detecting SQL Injection

There are several tools available to help detect SQL Injection attacks. Some popular tools include:

1. SQLmap:

This is an open-source tool that automates the process of detecting and exploiting SQL Injection vulnerabilities.

2. Netsparker:

This is a web application security scanner that includes this injection detection and prevention features.

3. Acunetix:

This is another web application security scanner that includes this Injection detection and prevention features.

4. Burp Suite:

This is a web application security testing tool that includes a SQL injection Scanner.

5. OpenVAS:

This is an open-source vulnerability scanner that includes this injection detection and prevention features.

SQL Injection attacks continue to be a major threat to web application security, and the consequences of a successful attack can be devastating. By understanding the methods used by the attackers, and implementing best practices for prevention and detection, web application developers and administrators can effectively protect their applications against this type of attack.

Posted on 20 Comments

Havij SQL injection tool: Complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what SQL injection is and different types of SQL injection attacks. In this blogpost, you will learn about Havij, an automated SQL injection tool. Havij is a SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can be used to perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.

Let me give you a complete guide on Havij in this article. First download Havij and install it.

1. Specifying the target:

Then open it and enter the vulnerable URL in the target field (for this tutorial I am using my own vulnerable webpage).

Havij1

2. List the current database:

Set the database option to ‘auto detect‘ and hit analyze. This should show you the current database name as shown below.

Havij2

3. Get Host information:

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

Havij3

4. List all tables of the current database:

Click on the “Tables” tab.

Havij4

5. List all databases from the target:

Click on “Get DBs” option. This will list all the databases as shown below.

sql injection with havij

7. List tables in a certain database:

To get tables in a specific database, select the database and click on Get Tables”. This will list all the tables present in the selected database. I selected database “shunya”here.

Havij6

8. List all columns from a particular table:

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

Havij7

This will list all the columns in the table. We can see that we have five columns in the table ‘users’. It’s time to dump the values of columns.

9. Dump data from the columns:

Select the columns whose data we want to dump and click on Get data”. Here I selected all the columns.

Havij8

10. Crack password hashes:

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

Havij9

11. Find admin page:

Having passwords is not enough. You also need to know where to login with these passwords. Havij can do that too. Click on “Find admin”. This option finds the admin page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.

Havij10