LetsDefend.io — Detecting SQL Injection Attacks

MoRoMeR
3 min read · Mar 21, 2024


Follow Along: https://app.letsdefend.io/training/lesson_detail/detecting-sql-injection-attacks-web-attacks-101

We have been provided web server access logs and we need to answer the following questions using it.

Question 1: What date did the exploitation phase of SQL Injection Attack start?

Scrolling down, we see SQL-related syntax in the following log entries. We now need to find the first attempt made by the attacker, i.e. where the exploitation phase started.

Looking closely, we see “%27”, which is the URL encoding of “'” (apostrophe). In SQL, the apostrophe marks the beginning and end of a string (for example, 'John'). This log entry does not contain a full SQL injection payload, but it does record a probing attempt using the apostrophe.

We can see this attempt was made on 01/Mar/2022 at 08:35:14 (see log entry 147):

Answer: 01/Mar/2022:08:35:14

Question 2: What is the IP address of the attacker who performed the SQL Injection attack?

The IP seen at the beginning of the log entry is the IP of the client making the request. So the IP is “192.168.”

Answer: 192.168.31.167

Question 3: Was the SQL Injection attack successful? (Answer Format: Y/N)

Looking at the logs, we can see that the server responds with status code 200, indicating the request was handled successfully. We can also see the URL in the server's log entry, which includes the payload sent by the attacker. So yes, the attack was successful.

Answer: Y

Question 4: What is the type of SQL Injection attack? (Classic, Blind, Out-of-band)

SQL Injection Types:

In-band SQLi (Classic SQLi): if the SQL query is sent and its reply is received over the same channel, we call it In-band SQLi. It is easier for attackers to exploit than the other SQLi categories.

Inferential SQLi (Blind SQLi): when the reply to the injected SQL query cannot be seen directly, we call it Inferential SQLi. It is called Blind SQLi precisely because the reply cannot be seen.

Out-of-band SQLi: if the reply to the SQL query is communicated over a different channel, it is called Out-of-band SQLi. For example, if the attacker receives the replies to the SQL queries over DNS, this is an out-of-band SQLi.

This is a Classic SQL Injection attack. We can see that the request and the response travel over the same channel. The “channel” here is the URL through which the client communicates with the server.

Answer: Classic
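The four questions above are really one procedure: parse the access log, URL-decode each request, flag the lines with SQL syntax, then read off the earliest timestamp, the client IP, the status code and the kind of payload. The script below is an added example of that procedure in Python; it is not part of the LetsDefend lab or the author's write-up. The log lines, IPs and paths in `SAMPLE_LOG` are constructed for the demo, and the indicator patterns and the category precedence in `INDICATORS` and `analyze` are my own assumptions, meant to be tuned for a real site.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format. They are NOT the lab's
# real log entries: the IPs, paths and timestamps below are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:08:30:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2022:08:35:14 +0000] "GET /products.php?id=1%27 HTTP/1.1" 500 230 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2022:08:36:02 +0000] "GET /products.php?id=1%27%20AND%201%3D1-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2022:08:36:40 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2022:08:40:00 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns (assumed heuristics), checked against the URL-decoded,
# lower-cased request path. Order matters: the first category that matches wins.
INDICATORS = [
    ("Out-of-band", re.compile(r"load_file\(|xp_dirtree|utl_http|xp_cmdshell")),
    ("Blind", re.compile(r"sleep\(|benchmark\(|waitfor\s+delay|\b(and|or)\s+\d+\s*=\s*\d+")),
    ("Classic", re.compile(r"union\s+(all\s+)?select|information_schema|@@version")),
    ("Probe", re.compile(r"'")),  # a lone apostrophe: testing for an injection point
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Decode %27 -> ' and friends so the patterns see what the SQL layer saw.
    rec["decoded"] = unquote_plus(rec["path"]).lower()
    return rec


def classify(decoded_path):
    """Return the indicator category for a decoded request path, or None if it looks benign."""
    for category, pattern in INDICATORS:
        if pattern.search(decoded_path):
            return category
    return None


def analyze(log_text):
    """Answer the walkthrough's four questions for a block of access-log text.

    Returns the first suspicious request's timestamp (lab answer format, no
    timezone), the most active suspicious client IP, whether any payload request
    got HTTP 200, and the dominant injection type seen.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["decoded"])
        if category:
            rec["category"] = category
            hits.append(rec)
    if not hits:
        return {"first_attempt": None, "attacker_ip": None, "successful": False,
                "sqli_type": None, "hits": 0}

    hits.sort(key=lambda r: r["when"])
    categories = {h["category"] for h in hits}
    # Precedence mirrors the lesson's taxonomy: a second channel is the strongest
    # signal, then results visible in-band (Classic), then inference only (Blind).
    sqli_type = next((t for t in ("Out-of-band", "Classic", "Blind") if t in categories),
                     "Probe only")
    return {
        "first_attempt": hits[0]["when"].strftime("%d/%b/%Y:%H:%M:%S"),
        "attacker_ip": Counter(h["ip"] for h in hits).most_common(1)[0][0],
        # HTTP 200 on a payload request is the walkthrough's success criterion; it
        # shows the application accepted the request, not that data came back.
        "successful": any(h["status"] == 200 and h["category"] != "Probe" for h in hits),
        "sqli_type": sqli_type,
        "hits": len(hits),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things the walkthrough glosses over are visible in the code. First, the earliest hit is the apostrophe probe, not the first full payload, which is why the lab's "start of exploitation" answer is the `%27` line. Second, a 200 status is a weak success signal on its own: pair it with the response size column (a UNION row dump is usually far larger than a normal page) and, for blind attempts, with request timing, before calling an attack successful.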

Done! 🎉

Thanks for reading! 🙌
