SQL Injection (SQLi) is one of the most dangerous web-based vulnerabilities.
OWASP, a non-profit organization dedicated to improving the security of web applications, conducts research and publishes a list of the top 10 vulnerabilities each year. This list ranks SQLi as the No. 1 vulnerability, one of the most commonly used for malicious purposes.
What is SQLi?
SQLi is a vulnerability that lets an attacker influence the SQL queries an application passes to its back-end database.
To understand how SQLi takes place, you first need to understand how web applications work, so let's start there.
When a user inputs data, the client sends a request to the application server.
The application server embeds the user input into the SQL query and sends it to the database. The database then executes the query and searches for data exactly as written, without any validation of what the query means.
How does SQL injection occur?
If the user input is not validated properly, a malicious user can send a specially crafted payload and retrieve sensitive information.
Here is an example:
The search page below is built to look up a student's details by entering his/her ID.
The vulnerable code
id = request("id");
sql = "SELECT * FROM users WHERE id = '" + id + "'";   // user input concatenated straight into the query text
result = Db.Execute(sql);
This is what the code looks like when it embeds the user input into the SQL query without validating it.
Now what if the user enters ' or 1=1 as the input?
The SQL query then becomes:
sql = "SELECT * FROM users WHERE id = '' or 1=1'";   // the template's closing quote is still appended after the injected text
Because 1=1 is always true, the WHERE clause matches every row regardless of the intended id check, so the query returns all the data in the users table. Data will always be available for extraction. 🙂 (A database engine will reject this exact string because of the stray trailing quote the template appends; the point is how the input rewrites the query's logic rather than supplying a value.)
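The search page above, worked through as an added example in Python with SQLite so it runs offline. This is my illustration, not code from the original post; the users table and its rows are constructed for the demonstration. It runs the post's concatenated query next to the parameterized form that fixes it, and shows what the engine actually does with the post's input ' or 1=1 (a syntax error from the dangling quote) and with a quote-balanced form of the same tautology (every row returned). The parameterized query returns nothing for either, because the input is bound as a value and never parsed as SQL.

```python
import sqlite3

# Constructed sample data for this example: a tiny in-memory "users" table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(user_input):
    """The post's pattern: the raw input is concatenated into the SQL text."""
    return "SELECT * FROM users WHERE id = '" + user_input + "'"


def search_vulnerable(conn, user_input):
    """Run the concatenated query.

    Returns ("rows", list_of_rows) on success or ("error", message) when the
    engine rejects the query. A burst of such parse errors in application logs
    is a useful detection signal for injection attempts.
    """
    sql = build_vulnerable_query(user_input)
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def search_safe(conn, user_input):
    """The fix: a parameterized query.

    The placeholder is bound to the input as a value, so whatever the user
    typed is compared against the id column and never interpreted as SQL.
    """
    rows = conn.execute("SELECT * FROM users WHERE id = ?", (user_input,)).fetchall()
    return "rows", rows


if __name__ == "__main__":
    conn = make_db()
    for payload in ["2", "' or 1=1", "' or '1'='1"]:
        print(repr(payload), "vulnerable ->", search_vulnerable(conn, payload))
        print(repr(payload), "safe       ->", search_safe(conn, payload))
```

A normal lookup such as 2 behaves identically in both functions; the difference only appears once the input contains SQL syntax, which is exactly why string concatenation of user input into a query is never safe and parameter binding is the standard fix.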
In the above example I have shown you a basic way of exploiting an SQL injection vulnerability. But there are more advanced methodologies for exploiting SQL injection vulnerabilities. These can be used to extract not only data from the database connected to the web application but also data from other databases.
My next blog will discuss advanced exploitation methodologies for SQL injection vulnerabilities.