
SQL injection (SQLi)

SQL injection is a vulnerability in which an attacker is able to change the SQL queries an application sends to its database, by supplying input that the application concatenates into those queries instead of passing it as data.

When a web application builds a database query from user input that has not been properly validated or parameterized, an attacker may be able to read, alter or delete private and customer data, and to bypass the application's authentication to reach private or customer areas. SQLi is one of the oldest web application vulnerabilities and still one of the most damaging.

    Contents :

  1. Prerequisite
  2. Techniques of SQLi
  3. Where to find SQLi
  4. How to detect SQLi
  5. Impact of successful SQLi
  6. Filter Evasion Techniques
  7. Mitigation
  8. Best practices
  9. SQLi automation tools
  10. Platforms to learn SQLi

    Prerequisite :

  1. Structured Query Language (SQL)
  2. Basics of HTTP request/response and relational databases

    Techniques of SQLi :

  1. In-band - the attack and its result travel over the same channel (the HTTP response)
    • Error based (a database error message leaks the data)
    • Union based (UNION SELECT appends attacker-chosen rows to the normal result)
  2. Out-of-band - the result leaves through a different channel, such as a DNS or HTTP request made by the database server
  3. Inferential (blind) - nothing is returned directly, the data is inferred from how the application behaves
    • Boolean based (a true versus false condition changes the response)
    • Time based (a delay function changes the response time)
  4. Second order SQLi - the payload is stored first (for example in a username) and only fires later, when another query uses the stored value

    Where to find SQLi :

  1. Search functionality
  2. Insecure functions in source code (string concatenation or formatting that builds SQL from input)
  3. URL parameters
  4. Login functionality
  5. Filtering and sorting (like: category, ORDER BY column)
  6. Request headers and cookies (User-Agent, Referer, session values that get logged or looked up)

    How to detect SQLi :

  1. Put a single quote ' (and try the double quote " as well) in every place where input might reach a SQL query: URL parameters, form fields, headers, cookies. A server error (HTTP 5xx) or a database error message in the response suggests the quote broke the query syntax, i.e. the input is being concatenated into SQL. An error alone is a lead, not proof; confirm it with step 2.
  2. Inject a query fragment that makes a measurable change to the response. A true versus false condition (' AND '1'='1 versus ' AND '1'='2) should give different results if the condition is really evaluated; a tautology (' OR '1'='1) should widen the result set; and where nothing visible changes, a delay function (SLEEP() in MySQL, pg_sleep() in PostgreSQL) should add the chosen number of seconds to the response time.
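The two detection steps above, worked through as an added example that is not part of the original notes: a hypothetical category filter built with sqlite3 in Python concatenates input into its query, and probe() sends the quote, boolean and tautology payloads and classifies the response change. The products table and the vulnerable_search function are constructed for the example; time-based probes are left out because SQLite has no sleep function.

```python
import sqlite3

# Constructed data standing in for the application's backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Laptop", "electronics"),
        (2, "Phone", "electronics"),
        (3, "Chair", "furniture"),
    ])
    return db

def vulnerable_search(db, category):
    """Hypothetical category filter that concatenates input into its query."""
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    return [row[0] for row in db.execute(sql)]

def probe(db, value):
    """Run the detection payloads against one input and classify what changed."""
    findings = {}
    baseline = vulnerable_search(db, value)

    # Step 1: a lone quote. A database error is the classic first signal.
    try:
        vulnerable_search(db, value + "'")
        findings["quote"] = "no error"
    except sqlite3.OperationalError as err:
        findings["quote"] = "database error: " + str(err)

    # Step 2a: boolean differential. If the condition is really evaluated,
    # a true clause leaves the baseline intact and a false clause empties it.
    true_rows = vulnerable_search(db, value + "' AND '1'='1")
    false_rows = vulnerable_search(db, value + "' AND '1'='2")
    findings["boolean"] = bool(baseline) and true_rows == baseline and false_rows == []

    # Step 2b: tautology. OR 1=1 widens the result to every row in the table.
    wide_rows = vulnerable_search(db, value + "' OR '1'='1")
    findings["tautology"] = len(wide_rows) > len(baseline)

    # The quote error is only a lead; the behavioural checks confirm it.
    findings["injectable"] = findings["boolean"] or findings["tautology"]
    return findings

if __name__ == "__main__":
    for key, result in probe(make_db(), "electronics").items():
        print(key, "->", result)
```

Against a real target the same three payloads are sent through the HTTP parameter, and the comparison is made on the response body length, status code or row count rather than on a Python list.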

    Impact of successful SQLi :

  1. Reading private and customer data from the database
  2. Altering or deleting that data
  3. Bypassing the application's authentication to reach private or customer areas


    Filter Evasion Techniques -

  1. URL Encoding (% sign followed by the character's ASCII value in hexadecimal)
  2. Hexadecimal Encoding
  3. Unicode Encoding
  4. If quotes are not allowed -
    • Use numeric values that need no quoting (OR 1=1)
    • Use SQL comments (--) to cut off the rest of the query, so the closing quote is never needed
    • Build strings from integers: CHAR(0x61, 0x64, 0x6d, 0x69, 0x6e) or CONCAT() in MySQL
  5. If spaces are not allowed -
    • Comments in place of spaces (SELECT/**/*/**/FROM/**/users)
    • Tab or newline characters (SELECT\t*\tFROM\tusers)
    • Alternate whitespace (%09, %0A, %0C, %0D, %A0 in place of %20); which of these the database accepts as whitespace depends on the DBMS
  6. SELECT not allowed -
    • Change case (SElEcT); this only beats a case-sensitive filter, the database itself does not care
    • MySQL executes the contents of version comments, so /*!SELECT*/ passes a filter that looks for the bare keyword. A plain comment inside a keyword (SE/**/LECT) does not work: it splits the keyword into two tokens and the query fails
  7. AND, OR not allowed -
    • Use && and ||; note that || is logical OR in MySQL only. In standard SQL, PostgreSQL and SQLite it is string concatenation
  8. Specific word not allowed -
    • Use CHAR() function => CHAR(0x61,0x64,0x6D,0x69,0x6E)
    • Use CONCAT() function => CONCAT('a','d','m','i','n')
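An added example, not from the original notes, showing why the tricks above work against a denylist: a hypothetical filter rejects quotes, any whitespace and the uppercase keywords SELECT and UNION, yet comments in place of spaces, char() in place of a quoted string, and mixed-case keywords all get through and the injection still runs in SQLite. The users table, naive_filter_accepts and lookup_user are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data; the application and its filter are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "administrator"),
        (2, "alice", "user"),
    ])
    return db

# A denylist of the kind found in hand-rolled "sanitizers": quotes, any
# whitespace, and the keywords SELECT and UNION (case-sensitive, as written).
BLOCKED = re.compile(r"['\"\s]|SELECT|UNION")

def naive_filter_accepts(value):
    return BLOCKED.search(value) is None

def lookup_user(db, user_id):
    """Numeric id pasted unquoted into the query, behind the denylist."""
    if not naive_filter_accepts(user_id):
        raise ValueError("blocked by filter")
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in db.execute(sql)]

# Payloads: the first is what the filter was written to stop, the others
# rephrase it with the evasion tricks from the list above.
PAYLOADS = {
    "plain": "0 OR username='admin'",
    # comments replace spaces, char() builds 'admin' without any quote
    "no_quotes": "0/**/OR/**/username=char(97,100,109,105,110)",
    # mixed case defeats the case-sensitive keyword check; SQL does not care
    "mixed_case": "0/**/UnIoN/**/SeLeCt/**/role/**/FROM/**/users",
}

def run_payloads(db):
    """Return what each payload yields: 'blocked' or the rows it extracted."""
    results = {}
    for name, payload in PAYLOADS.items():
        try:
            results[name] = lookup_user(db, payload)
        except ValueError:
            results[name] = "blocked"
    return results

if __name__ == "__main__":
    for name, outcome in run_payloads(make_db()).items():
        print(name, "->", outcome)
```

The lesson for the defender is the one the mitigation section makes: a denylist chases an open-ended set of rephrasings, while a parameterized query or an integer allow list for user_id closes the whole class.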

Mitigation :

Prepared Statements (With Parameterized Queries) - In a prepared statement the developer writes the SQL text first, with placeholders where the values go, and user input is then bound to those placeholders as parameters. Because the query structure is fixed before the data arrives, the database can distinguish code from data, and a quote or keyword inside the input is only ever treated as a value. As a side benefit the code is cleaner and easier to read. Parameters only cover values: table and column names, ORDER BY columns and similar identifiers cannot be bound, so those must be checked against an allow list instead.

Input Validation - Input validation adds a second layer in front of the query. An allow list restricts input to a known set of values or a strict pattern (for example an integer id, or one of a fixed set of column names); this is the reliable form. Denylist filtering, where a string replacement strips or rejects the characters you dislike, is weak on its own, because attackers encode or rephrase the payload, as the evasion techniques above show.

Escaping User Input - User input containing characters such as ' " $ \ can break SQL queries or, as we have seen, open them up for injection. Escaping marks such characters so the database parses them as ordinary string content rather than as syntax; how depends on the DBMS (MySQL prefixes a backslash, standard SQL doubles the single quote as ''). Escaping is a last resort: it only protects string literals, not numeric contexts or identifiers, and must use the database driver's own escaping routine with the connection's character set rather than a hand-written replace. Prefer parameterized queries.
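An added example, not from the original notes, putting the mitigations side by side in Python with sqlite3: login_vulnerable concatenates the username, login_safe binds it as a parameter, and list_users_sorted uses an allow list for an ORDER BY column, which a parameter cannot cover. The users table, the three functions and the admin'-- payload are constructed for the example; the password column holds plaintext only to keep the example short, a real table stores password hashes.

```python
import sqlite3

# Constructed sample data for the example (plaintext passwords for brevity only).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "s3cret"),
        (2, "alice", "hunter2"),
    ])
    return db

def login_vulnerable(db, username, password):
    """Hypothetical 'before': input is pasted into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_safe(db, username, password):
    """Hardened form: the structure is fixed, input is bound as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# Identifiers such as ORDER BY columns cannot be bound, so allow-list them.
ALLOWED_SORT_COLUMNS = ("id", "username")

def is_allowed_sort_column(column):
    return column in ALLOWED_SORT_COLUMNS

def list_users_sorted(db, sort_column):
    if not is_allowed_sort_column(sort_column):
        raise ValueError("unsupported sort column: " + sort_column)
    # Concatenation is safe here only because the value is one of our own constants.
    sql = "SELECT username FROM users ORDER BY " + sort_column
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    payload = "admin'--"  # closes the string and comments out the password check
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # [1]: logged in as admin
    print("parameterized:", login_safe(db, payload, "wrong"))     # []: no such user
    print("sorted:", list_users_sorted(db, "username"))
    print("allowed?", is_allowed_sort_column("username; DROP TABLE users"))  # False
```

With the parameterized version the payload admin'-- is looked up as a literal username and matches nothing, because the quote and the comment marker never reach the SQL parser as syntax.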


Best practices -


    Tools :

  1. SQLMap
  2. SQLNinja
  3. JSQL Injection
  4. BBQSQL

    Platforms to learn SQLi :