SQL Injection

Many web applications rely on a database to serve the dynamic content behind their different features.  To do this, a user requests specific data and the application layer translates that request into an SQL query that pulls the appropriate information from the database.  When that query is not properly protected from manipulation, an attacker can modify the parameter and thereby “inject” commands that the database will execute.

These vulnerabilities abuse the trusted channel between the application and the database: the injected statements arrive looking like legitimate queries.  Should an SQL injection vulnerability exist, attackers may be able to read sensitive information from the database or even interact with the underlying server itself.

For an injection to succeed, the supplied input must result in a syntactically valid SQL query that the database can parse and execute.  This is typically done by finding a feature that places a user-defined parameter into a database query and then modifying that parameter.  The modifications usually rely on characters such as ' and " to “close” the string the parameter sits in, after which the malicious query is appended.

Authentication Process

SQL can be used as part of the authentication process or as part of an application’s ability to provide data.  In the instance of authentication, an application will use Boolean logic (true or false) to accept or reject requests.

If an application used the below as the request to authenticate, an attacker could attempt SQL injection:

POST /login HTTP/1.1
Host: northgreensecurity-insecure.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=charlie@iamvictim.com&password=password'OR 1=1--

The application will query the database to check whether the username and password match.  As you can see above, the password parameter carries the value password'OR 1=1--.  Because OR is an operator the database understands, the WHERE clause now evaluates two conditions: for the username charlie@iamvictim.com, does the password equal password?  And if not, for the username charlie@iamvictim.com, does 1=1?  Since 1=1 is always true, the Boolean check passes and an attacker would gain access to the charlie@iamvictim.com account.  It is important to note the -- characters.  They comment out the rest of the SQL query, ensuring that “OR 1=1” is the last condition evaluated.
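To show the defender's side of the bypass described above, here is an added example (not code from the original article) that builds the login query both by string concatenation and with parameterized placeholders, then runs the payload from the request above against each.  It assumes a constructed SQLite users table with a single row for charlie@iamvictim.com; the schema and the stored password are inventions for the example.

```python
import sqlite3

# Constructed stand-in for the application's user table (assumed schema;
# the article does not show one). Plaintext storage is only to keep the
# example short; real systems hash passwords. Charlie's password is not
# "password", so a correct login requires the real value.
USERNAME = "charlie@iamvictim.com"
REAL_PASSWORD = "s3cret-not-password"
# The payload carried in the password field of the login request above.
PAYLOAD = "password' OR 1=1--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, REAL_PASSWORD))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # String concatenation: whatever the user typed becomes SQL text.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # The quote in the payload ends the string literal, OR 1=1 adds an
    # always-true condition, and -- comments out the trailing quote, so the
    # WHERE clause becomes (username = ... AND password = 'password') OR 1=1.
    count = conn.execute(build_vulnerable_query(username, password)).fetchone()[0]
    return count > 0


def login_parameterized(conn, username, password):
    # Placeholders keep the SQL text fixed; the values travel separately, so
    # the quote and the comment marker are just characters inside a string.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    count = conn.execute(query, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(USERNAME, PAYLOAD))
    print("vulnerable login, payload:    ", login_vulnerable(conn, USERNAME, PAYLOAD))
    print("parameterized login, payload: ", login_parameterized(conn, USERNAME, PAYLOAD))
    print("parameterized login, real pwd:", login_parameterized(conn, USERNAME, REAL_PASSWORD))
```

Printing the concatenated query makes the AND-before-OR precedence visible, which is why the always-true condition overrides the password check for every row.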