Home SQLi
Post
Cancel

SQLi

SQLi comic

Yay its a post about SQLi.
As per the OWASP Top 10 2017 it is a positioned as 1 and Rank 6 according to SANS TOP 25 of 2019.

SQLi attack makes it possible to execute malicious SQL statements. These statements control a database server behind a web application.
An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others.

It is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.

Types of SQL Injections
SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi.

sqli types

In-band SQLi
The attacker uses the same channel of communication to launch their attacks and to gather their results.

  1. Error-based SQLi - Attacker analyse the error on web application and then perform attack
  2. Union-based SQLi - Utilise the Union operator and find the columns present in the database.

Inferential (Blind) SQLi
The attacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to execute but may be just as harmful. Blind SQL injections can be classified as follows:

  1. Boolean - Sends the SQL query and the result will vary depend on result(true or false)
  2. Time based - When the attackers payload is successful then application will take some time to respond.

Out of band SQLi
When same channel cant be used to SQLi then outofband used.
Only possible when certain contains are met on the DB.

Mitigation

  1. Input validation
  2. Parametrized queries including prepared statements.

DEMO

Injection Point for SQL Injection

  1. SQL Injection can be GET Based - Attack through URL parameter ( http://x.com/page.php?id=12 )
  2. SQL Injection can be POST Based - Attack through Html Form ( signup, login )
  3. SQL Injection can be Header Based - Attack through Header (Referrer,User-Agent, Location)
  4. SQL Injection can be Cookie Based - Attack through Cookie parameter ( Cookie : some=x; )
This post is licensed under CC BY 4.0 by the author.