Introduction to SQL Injection
- SQL Injection (SQLi) is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
- The vulnerability is present when user inputs are not correctly sanitized, allowing attackers to manipulate SQL queries executed by the backend database.
- It is often used by attackers to gain unauthorized access to data, such as customer information, personal details, trade secrets, etc.
Prerequisites for SQL Injection Testing
- Understanding of SQL: Profound knowledge of SQL is necessary to craft effective injection attacks.
- Knowledge of Database Structures: Awareness of common database systems like MySQL, PostgreSQL, Microsoft SQL Server, etc.
- Legal Permission: Written authorization from the owner of the target system to perform the assessment.
- Security Assessment Tools: Familiarity with tools like SQLMap, Havij, or manual tools such as Burp Suite, OWASP ZAP.
- Safe Testing Environment: A non-production environment should be used, mirroring the live system to avoid any data loss or service disruption.
Identifying Injection Points
- Discover All User Inputs:
- Identify all forms, query strings, cookies, and HTTP headers where user input is accepted.
- Simple Tests for Vulnerability:
- Input a single quote (
') to test for errors. - Look for server error messages that indicate a syntax error.
- Input a single quote (
- Use Automated Tools:
- Run tools like SQLMap to automatically test inputs.
- Analyzing Responses:
- Examine the responses from the server for any SQL error messages or anomalies.
Types of SQL Injection Attacks
- In-band SQLi (Classic):
- Error-based SQLi: Exploit the database errors.
- Union-based SQLi: Use the UNION SQL operator to retrieve data.
- Inferential SQLi (Blind):
- Boolean-based blind: True or false questions infer data.
- Time-based blind: Time delays indicate true or false conditions.
- Out-of-band SQLi:
- Rely on the server’s ability to make DNS or HTTP requests.
Crafting the Attack
- Information Gathering:
- Use
information_schemato get details about the database.
- Use
- Data Extraction:
- Craft statements to select data from the database.
- Techniques may include using
UNION SELECT, batched queries, etc.
- Exploiting Database Vulnerabilities:
- Attempt to read/write files on the database server.
- Explore possibilities for escalating into the operating system.
Automated SQL Injection Tools
- SQLMap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.
- Havij: A user-friendly tool with a Graphical User Interface (GUI) for automated SQL injections.
Preventing False Positives
- Verify every potential vulnerability by manually confirming the SQL injection.
- Crosscheck the results obtained from automated tools.
Post-Exploitation
- Pivot to Internal Systems: Use the compromised database as a foothold to further penetrate internal networks.
- Maintain Access: Check if the vulnerability can be used to maintain persistent access.
- Data Exfiltration: Safely copy the data without affecting the system’s integrity, following the assessment rules.
Ethical and Legal Considerations
- Always have explicit, written permission before performing any security testing.
- Be aware of laws and regulations pertaining to cyber security in your jurisdiction.
- Ethically, one should report all findings to the organization and not disclose any data without consent.
Reporting
- Document each vulnerability discovered with proof of concept.
- Rate the severity of each vulnerability.
- Propose remediation measures and best practices to prevent such vulnerabilities.
Conclusion
SQL Injection attacks for security assessments must be performed methodically and ethically. A tester must ensure they are authorized to perform these attacks and should aim to improve the security posture of the application by responsibly disclosing vulnerabilities. Remember, SQL injection is a serious threat, and performing it without permission is illegal and unethical. Always conduct security assessments in a controlled and secure environment.
