SQL Injection is one of the oldest and one of the most frequently used techniques to infiltrate a web application’s database and tamper with it. It involves using such queries that would bypass the defensive mechanisms of the web application and allow access to the back-end database.
What does Injection mean?
Injection or Code Injection means to use such commands on the interface of the web application that the interpreter that is used for development of the web application recognizes that command as an original programming language code and executes that command as if the developer himself is giving out that command, instead of dealing with it like some ordinary user input.
What is SQL & What is it used for?
SQL (or the Structured Query Language) is an interpreted language which forms the basis of many web applications, as most of the web applications use databases to store user information. For example, an online shopping store might use database to keep an inventory of its items, and to keep a check on the sales of the products, how many users daily log onto that online to shop, the users’ personal information and credentials, payment options and details etc.
The means of accessing this information within the database is SQL. It can be used to view, add, delete and edit any information related to a specific user or multiple users.
Web applications use databases to keep records of user details and information and the language that is used to access those records is SQL. Now, it is important that all the SQL commands are written in a safe environment otherwise they could be prone to attacks and the web application might have vulnerabilities. SQL Injection has been the most common flaw in the development of a web application that uses databases to keep private and sensitive data and information.
In most serious cases, an attacker might be able to bypass all the defense mechanisms that are employed by the web application (by means of SQL Injection) and modify and/or delete some or all information that is stored in the back-end database.
To check for a vulnerable database, the attacker can create a syntax error in the SQL query and check if the database returns an error, then that database or web application is vulnerable to SQL Injection.
Warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1.
Bypassing Login using SQL Injection:
To bypass the authentication phase, the user has to enter a special instruction that has a special meaning in the database language, in our case, in SQL. Many applications use simple HTML forms to get user-id and password combinations from the user as input, validate the combination and then allow access to the user to view or modify the data that he is authorized to do so. Using special commands in the fields of user-id and password that have a special meaning in SQL can easily bypass this authentication phase.
For example, a user named Rashford is to use an application. He will log into the application using his credentials, let’s say for example that his user-id is rashford and his password is marcus. He enters the combination into the login form of the web application.
The SQL query that is generated at the back-end when he enter his username and password would be:
SELECT * FROM users WHERE username = 'rashford' and password = 'marcus'
This query cause the database to check every element of the tables user, where the column username has the value ‘rashford’ and the column password where the value stored is ‘marcus’. If such a combination exists the database will return the go-ahead signal by returning the true value and the user will be logged in, and an authentic session will be created for the user.
Now the attacker can bypass this authentication phase by entering a special command in the login form that will check either username or password instead of trying to find a matching combination. For example, if the attacker has come to know that a specific web application has an administrative account and the username of that account is ‘admin’ he can simply bypass the login phase by entering the following in the username field:
Now what does this mean? This special username will generate a query on the back-end database as:
SELECT * FROM users WHERE username = 'admin'
The double dashes (–) used in the username have a special meaning in SQL. They mean that any instruction given after those double dashes (hyphens) will be treated as comments, so SQL only checks the table users for ‘admin´ in the column of username, and does not search for a matching password because the rest of the SQL query has been turned into a comment.
Alternatively, the attacker can also bypass the login phase by logging in as the first user ever by entering:
' or 1=1 --
The equivalent query generated at the back-end is:
SELECT * FROM users WHERE username =' OR '1' = '1 --
In the above command the double hyphens used are used to comment out the rest of the query which includes the password check, and this in turn returns the details of all users, and since 1 is always equal to 1, therefore this query will always be true, and the attacker can log in to the web application’s administrative account.
Another version of the above query is ‘or’ ‘=’ query, which has the same meaning as the above query and generates the same query at the back-end database too.
What type of web applications are vulnerable to SQL Injection?
All web applications that use SQL Queries to manage their databases are vulnerable to SQL Injection. No matter what language the web application is written in, as long it uses MySQL, MS SQL, MardiaDB or SQL Server etc. to manage databases, it is vulnerable to SQL Injection.
Is it only used to bypass login?
SQL Injection can be used to retrieve records from a database, whether they be usernames, passwords, and email addresses etc, bypass WAFs or login pages and can even be used to run system commands on the vulnerable target. Any field that requires input from the user is vulnerable to SQL Injection.
How to prevent SQL Injection?
SQL Injection can be prevented by using parametrized queries or stored procedures when designing the database. Stored procedures do not allow the user to write such a query that works dynamically to fetch the data from the database. Instead, they restrict the user from entering specific characters that are well known to SQL Injection attacks, and/or limiting the user to enter a specific number of characters. For example in the email address field, the developer can restrict the user to input an email address with ‘@’ in it, and restrict him from entering any spaces or special characters like ‘=’ or quotation marks etc.