Monday 29 June 2020


SQL Injection

What is SQL injection?

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
In other words, it is a technique by which an unauthorized user exploits a vulnerability or loophole in a website or application to insert arbitrary SQL commands, either to log in or to extract data from it.
For example: suppose you do not know the username and password of a website and you manage to log in anyway by manipulating the login form; that is an example of SQL injection.

Types of SQL injection

There are mainly three types of SQL injection.

1. In-band SQLi (Classic)
   There are two types of SQL injection under In-band SQLi:
   A) Error-based SQL Injection
   B) UNION-based SQL Injection
2. Inferential SQLi (Blind)
3. Out-of-band SQLi

We will understand SQL injection with an example.
This is an Inferential SQLi (Blind) example:
When we log in to a website we need to enter a user name and password. The site compares them with the user name and password stored in the database; if the entered values are correct the query returns true and we are allowed to log in, otherwise it returns false and simply blocks us.
If a website is vulnerable, how can we perform SQL injection?

Ex. Suppose a website has a table "user" with the following details of 2 users:

User Name | Password
----------|------------
Rahul     | Password123
Swati     | Password456

Now when the user enters the user name "rahul" and the password "Password123", the following query runs:
SELECT * FROM user WHERE UserName = "rahul" AND Password = "Password123"
Here both the user name and password are correct, so the query returns the value 1 (a matching row) and the user is logged in to the page.

Now, if we do not know the user name and password, how can we log in? If the website is vulnerable it is possible to log in without them. Let us try entering " OR ""=" as the user name (and the same value as the password).
Then the new query will be

SELECT * FROM user WHERE UserName = "" OR ""="" AND Password = "" OR ""=""

This query always evaluates to true, so the user passes the login page successfully without knowing any credentials.
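To see why the query above succeeds and what stops it, here is an added example (not code from the post) that builds the post's two-user table in an in-memory SQLite database and runs the login both ways: once with the query assembled by string concatenation, as the post describes, and once with bound parameters. SQLite treats single quotes as string delimiters, so the payload is the single-quote form ' OR ''=' of the post's " OR ""=" ; the table and column names UserName and Password are assumed.

```python
import sqlite3

# Constructed sample data mirroring the post's "user" table (two users).
# Passwords are kept in plain text only to follow the post; real systems store hashes.
SAMPLE_USERS = [("Rahul", "Password123"), ("Swati", "Password456")]


def make_user_db():
    """Create an in-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation: the mistake the post exploits.
    With the payload the WHERE clause becomes
      UserName = '' OR ''='' AND Password = '' OR ''=''
    and the trailing ''='' makes it true for every row."""
    query = ("SELECT * FROM user WHERE UserName = '" + username + "'"
             " AND Password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Use placeholders: the driver sends the values separately from the SQL text,
    so quote characters in the input are data, never syntax."""
    query = "SELECT * FROM user WHERE UserName = ? AND Password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Return how many rows each login function matches for real and injected input."""
    conn = make_user_db()
    payload = "' OR ''='"   # single-quote form of the post's  " OR ""=
    return {
        "valid_vulnerable": len(login_vulnerable(conn, "Rahul", "Password123")),
        "valid_safe": len(login_safe(conn, "Rahul", "Password123")),
        "payload_vulnerable": len(login_vulnerable(conn, payload, payload)),
        "payload_safe": len(login_safe(conn, payload, payload)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s) matched")
```

The concatenated version matches one row for the real credentials but both rows for the payload, which is exactly the "always true" login the post describes; the parameterised version matches one row for the real credentials and none for the payload, because the payload is compared as a literal user name.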

Let us understand In-band SQLi (Classic):

Here I will explain Error-based SQL Injection.

Suppose there is a page where we enter a student's user ID to get that student's data.
Let's take an example URL: localhost:80/toppercollage/sql/?id=10%111Submit
Suppose this is the URL of the page where we enter the ID and get the student details. Here we can see that id=10 is the value submitted to the SQL query.

Note: database information should be hidden from the user who is requesting data, so that the user only gets the data he is allowed to see and cannot interact directly with the database to learn other details such as its structure.

We can use the HackBar tool to send modified requests to the website.
We will enter a command from HackBar and check whether we can reach the database directly or not. To do that, install the HackBar tool first.
Then in the URL bar you will be able to see the HackBar icon.
Click on it and an input box opens where you enter the URL.
Enter the URL and, in place of id=10, use id='10'.
The command will look like localhost:80/toppercollage/sql/?id='10'%111
Note: here 10 is in quotes.
If it gives an error like "You have an error in your SQL syntax; check the manual that corresponds to your database ..."
it means the site is not secure and unauthorized people can log in and modify the data in the database. The page should instead show something like a "404 error", which is a generic administrator error.

UNION-based SQL Injection

Above we checked whether the site is vulnerable or not using the HackBar tool; now we can use the UNION operator in SQL to get data from the database even if we do not know a user ID or password.
We can get the table names by using the query below.

SELECT table_name FROM user_tables;

And use the UNION operator to get the list of user names:
UNION SELECT 1,concat(user,':',password) FROM users;
It will show the list of user names with passwords. The passwords may be stored as hashes, for example in MD5 form, so the hacker needs to convert them back into plain text.
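The quote test in the error-based section and the UNION trick in this section both depend on the same two weaknesses: the id is pasted into the SQL text, and the raw database error is echoed to the page. The following added example (not code from the post) models the student-lookup page with an in-memory SQLite database and shows the vulnerable handler beside a hardened one that validates the id as an integer, binds it as a parameter, and keeps the driver's error message in a server-side log instead of the response. The table student with columns id and name is assumed.

```python
import re
import sqlite3

# Constructed sample data for the student-lookup page described in the post.
SAMPLE_STUDENTS = [(10, "Rahul"), (11, "Swati")]
SERVER_LOG = []   # stands in for the web server's error log


def make_student_db():
    """Create an in-memory SQLite database holding the constructed student table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?)", SAMPLE_STUDENTS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Paste the id into the SQL text and echo the driver's error to the user.
    With the post's quote test (id='10') the clause becomes  id = ''10''  and the
    database's syntax error ends up on the page, confirming the weakness."""
    try:
        rows = conn.execute(
            "SELECT id, name FROM student WHERE id = '" + raw_id + "'").fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}   # raw database message leaks to the page


def lookup_hardened(conn, raw_id):
    """Validate, bind, and never show database errors to the user."""
    # 1) The id must be a plain decimal number, so quotes, UNION and comment
    #    characters are rejected before any SQL is built.
    if not re.fullmatch(r"[0-9]+", raw_id):
        return {"rows": [], "error": "invalid request"}
    student_id = int(raw_id)
    # 2) Bind the value as a parameter anyway (defence in depth).
    # 3) Any database error goes to the server log; the user sees a generic message.
    try:
        rows = conn.execute(
            "SELECT id, name FROM student WHERE id = ?", (student_id,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        SERVER_LOG.append(repr(exc))
        return {"rows": [], "error": "something went wrong"}


if __name__ == "__main__":
    conn = make_student_db()
    for raw in ("10", "'10'"):
        print("vulnerable id=%-6s ->" % raw, lookup_vulnerable(conn, raw))
        print("hardened   id=%-6s ->" % raw, lookup_hardened(conn, raw))
```

For id=10 both handlers return the same student. For the post's probe id='10' the vulnerable handler returns the database's own syntax error text, which is the signal the post tells the reader to look for, while the hardened handler returns only "invalid request" and never runs a query; the same validation rejects the UNION fragment from this section before it can reach the database.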
