SQL injection
SQL injection is a technique in which an attacker inserts malicious SQL statements into an input field of a web application so that the database executes them (e.g. to dump the database contents to the attacker).
SQL injection attacks allow attackers to spoof identity, tamper with data, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrator of the database server.
It was listed among the top 10 web application vulnerabilities by OWASP in 2007 and 2010, and rated the number one attack in the OWASP Top Ten in 2013.
The sub-classes of SQL injection are:
1. In-band or Classic SQL Injection
2. Inferential or Blind SQL Injection
3. Out-of-band SQL Injection
(I). Classic SQL Injection: This is the most common and easiest to exploit class of injection attacks. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather the result.
There are two types of classic SQL injection techniques:
Error-Based SQL injection: This technique relies on the error messages thrown by the database server to obtain information about the structure of the database.
Union-Based SQL injection: A UNION attack allows an attacker to easily extract information from the database. Because the UNION operator can only be used if both queries have exactly the same structure (the same number of columns with compatible types), the attacker crafts a SELECT statement similar to the original query.
(II). Blind SQL Injection: It may take longer for an attacker to exploit, but it is just as dangerous as any other form of SQL injection. Here no data is actually transferred via the web application, and the attacker is not able to see the result of the attack in-band. Instead, the attacker reconstructs the database structure by sending payloads and observing the web application's response and the resulting behavior of the database server.
There are two types of Blind SQL injection techniques:
Boolean-based Blind SQL Injection: This relies on sending a SQL query to the database which forces the application to return a different result depending on whether the query evaluates to TRUE or FALSE.
Depending on the result, the content of the HTTP response will change or remain the same. This allows an attacker to infer whether the payload returned true or false, even though no data from the database is returned. This attack is typically slow, since the attacker needs to enumerate the database character by character.
Time-based Blind SQL Injection: This relies on sending a SQL query to the database which forces the database to wait for a specified amount of time before responding. The response time indicates to the attacker whether the result of the query is true or false.
Depending on the result, the HTTP response is returned with a delay or returned immediately. This allows an attacker to infer whether the payload returned TRUE or FALSE, even though no data from the database is returned. This attack is also typically slow, since the attacker needs to enumerate the database character by character.
(III). Out-of-band SQL Injection: Out-of-band SQL injection is not very common, mostly because it depends on features (such as network or file access from within the database) being enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results, and instead has the database server deliver the results over a separate channel.