STRUCTURED QUERY LANGUAGE INJECTION

retrymp3
Published in SECARMY
Aug 27, 2020

SQL injection is a web vulnerability targeted at the SQL databases that store a web application's sensitive data, such as login information (usernames and passwords), credit card details, or any other information the attacker is not authorized to access. An attacker performing an SQL injection attack aims to manipulate the data in the database for his own ends by way of SQL queries. In some cases SQL injection can also lead to remote code execution, which can cause severe damage to the affected company. And when an attacker gains access to the sensitive information in the database and leaks it, the company's customers lose trust in it, which can cause huge losses.

A successful SQL injection attack can result in:

  1. Denial of service
  2. Leakage of login information
  3. Leakage of credit card information
  4. Leakage of private information
  5. Gaining unauthorized administrative privileges to a database
  6. Remote Code Execution etc.

Types of SQL injection attacks

  1. In-Band SQL injection

In-band SQL injection is the most common and the easiest SQL injection method. It occurs when an attacker can use the same channel, that is the same input field or page, both to inject the attack and to gather its results.

Two of the most commonly seen in-band attacks are error-based SQL injection and union-based SQL injection.

Error-based SQL injection is an in-band method that relies on the error messages the database server returns in response to the injected queries to learn about the structure of the database. In some cases error-based SQL injection alone is enough for an attacker to enumerate an entire database.

Union-based SQL injection is an in-band method that uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned in the HTTP response.

  2. Inferential SQL injection

Inferential SQL injection is a more involved process and can take an attacker some time to exploit, but it is just as damaging as any other type of SQL injection. In an inferential attack no data is actually transferred through the web application, so the attacker cannot see the outcome of the injected query directly; this is why such attacks are commonly known as blind SQL injection. Instead, the attacker reconstructs the structure of the database by sending payloads and observing the web application's responses and the database server's behavior.

Two of the most commonly seen inferential attacks are Boolean-based blind SQL injection and time-based blind SQL injection.

Boolean-based blind SQL injection is an inferential method that relies on sending the database an SQL query that makes the web application return a different response depending on whether the query evaluates to TRUE or FALSE. The content of the HTTP response either changes or stays the same according to that outcome. This lets the attacker work out whether the injected payload evaluated to true or false, even though no data from the database is returned. This kind of attack is typically slow, because the attacker has to extract information from the database character by character.

Time-based blind SQL injection is an inferential method that relies on sending the database an SQL query that makes it wait for a specified amount of time before returning the result. The response time tells the attacker whether the query evaluated to TRUE or FALSE: the HTTP response is either delayed or returned immediately. As in the Boolean-based case, this lets the attacker determine whether the payload evaluated to true or false without any data from the database being returned, and it is typically slow because the attacker has to extract information character by character.
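To make the difference between these families concrete, here is an added example (not code from the original post) showing why binding parameters closes all of them at once: a lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The `users` table, its sample rows and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]

def make_db():
    """In-memory SQLite database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so the input becomes SQL text.
    A quote in the input rewrites the query (in-band / Boolean cases) and a
    malformed one raises a driver error whose text a page would leak
    (error-based case)."""
    sql = ("SELECT id, username, email FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """Binds the input as a parameter: the driver passes it as data, never as
    SQL, whatever quotes, UNION keywords or delay functions it contains."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(conn, user_input):
    """Runs both lookups on the same input and reports what each reveals.
    Driver errors are caught here rather than echoed to the user; a generic
    error page denies error-based injection its feedback."""
    result = {"vulnerable_error": False}
    try:
        result["vulnerable_rows"] = lookup_vulnerable(conn, user_input)
    except sqlite3.Error:
        result["vulnerable_rows"] = []
        result["vulnerable_error"] = True
    result["parameterized_rows"] = lookup_parameterized(conn, user_input)
    return result

if __name__ == "__main__":
    db = make_db()
    # A normal username, the classic tautology, and a lone quote (error case).
    for candidate in ("alice", "' OR '1'='1", "'"):
        print(repr(candidate), compare(db, candidate))
```

The tautology input returns every row through the concatenated query but no rows through the bound one, and the lone quote raises a driver error only on the concatenated path.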

Made by retrymp3 ig: @retrymp3

