
SQL Injection

Arth Detroja 28

Interested in cybersecurity? Then you definitely wanna read this.

Injection attacks are one of the most common and dangerous web attacks. Injection vulnerability is ranked at #1 in the OWASP Top Ten Web Application Security Risks.

So what is it? Why is it so dangerous?

Let us first understand what an injection is.
Injection: During an injection attack, an attacker can provide malicious input to a web application (inject it) and change the operation of the application by forcing it to execute certain commands.

Hence, in simple words, SQL injection means injecting something malicious through SQL that affects the database and makes it give out information that was not intended to be given.

Let us go into detail by doing a sample SQL injection on a demo website.
Site: http://testphp.vulnweb.com/login.php

Here we will try to simply bypass the login with the SQL injection technique, using Burp Suite.

How it works: In a login system, a request is made and the entered credentials are checked by matching them against the database.

Here is sample code for checking the username and password in the database.

SELECT * FROM Users WHERE Username = "userName" AND Password = "password"

The condition 1=1 is always true, so to bypass the login one can cleverly craft a request that injects a true condition and allows the user to log in.

In this case one can make a request that looks like this:
In username field: user" OR "1=1

In password field: pass" OR "1=1

The resulting query will look something like this:
SELECT * FROM Users WHERE Username = "user" OR "1=1" AND Password = "pass" OR "1=1"

The condition requirement is met, hence the user will be logged in.
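How the string-built login query above goes wrong, and how a parameterized query closes the hole, shown as an added example that is not part of the original article. It uses Python's sqlite3 with a constructed in-memory Users table; the function names are assumptions, and because SQLite string literals use single quotes, the tautology input is written with ' instead of ".

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table mirroring the query on this page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    # Plaintext password only to mirror the page's query;
    # a real system stores a salted password hash instead.
    db.execute("INSERT INTO Users VALUES (?, ?)", ("alice", "s3cret"))
    return db


def login_vulnerable(db, username, password):
    # The input is pasted into the SQL text, so a quote inside it ends the
    # string literal and whatever follows is parsed as SQL.
    sql = ("SELECT * FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders keep the values separate from the SQL text, so they are
    # only ever compared as data and never parsed as SQL.
    sql = "SELECT * FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed sample input: the always-true condition from the article.
    tautology = ("user' OR '1'='1", "pass' OR '1'='1")
    checks = (("vulnerable", login_vulnerable),
              ("parameterized", login_parameterized))
    for name, check in checks:
        print(name,
              "| valid login:", check(db, "alice", "s3cret"),
              "| tautology input:", check(db, *tautology))
```

With the parameterized version the tautology input is just an unusual username that matches no row, so the login is refused while the valid login still succeeds.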

There are different types of SQL injection. These are as follows:

  1. In-band SQLi
  2. Union-based SQLi
  3. Error-based SQLi
  4. Inferential SQLi
  5. Boolean based blind SQLi
  6. Out-of-band SQLi
  7. Time-based blind SQLi

Details of these will be covered in a separate article.

Let's dive into a simple SQL injection demo.

First, start Burp and turn intercept on.

In your browser, turn on FoxyProxy and set it to Burp.

Go to the login page, type in some random username and password, and click login so that Burp captures the request.

Burp will show the request with the username and password you entered.

Now, from the Action menu, click "Send to Intruder".

Here you need to add a payload to the username field.
The payload is a wordlist consisting of queries that can maliciously interfere with the application and fetch some data out of it.

I have a payload ready, so let's test it out. Go to Payloads and load the available payload. Then we are ready to go: click attack and see the magic.

Going further, you will notice something interesting:

Two requests have been approved, i.e. returned status code 200; trying those may let us in.

And boom!!!! We are in.

More on the prevention of SQL injection and its types is coming in an upcoming article. Till then =>

Please comment if there are any questions; otherwise, please consider following :)