SQL Injection

What SQL Injection is

  • Client supplied data passed to an application without appropriate validation.
  • Processed as commands by the database.

Intent

  • Adding or modifying data
  • Performing denial of service
  • Bypassing authentication
  • Executing remote commands
  • Access sensitive data in the database
  • Execute administrative operations within the database (for example shutdown the DBMS)
  • Recover the content of a given file present on the DBMS file system
  • And in some cases issue commands to the operating system

Sources of SQL Injection

  • Injection through user input: Malicious strings in web forms.
  • Injection through cookies: Modified cookie fields contain attack strings.
  • Injection through server variables: Headers are manipulated to contain attack strings.
  • Second-order injection: Trojan horse input seems fine until used in a certain situation.

Types of SQL Injection

  • Piggy-backed Queries: Insert additional queries to be executed by the database
  • Tautologies: Create a query that always evaluates to true for entries in the database
  • Alternate Encodings: Encode attacks in such a way as to avoid naive input filtering.
  • Inference
  • Illegal/Logically Incorrect Queries
  • Union Query
  • Stored Procedures

    A SQL injection attack consists of injection of malicious SQL commands via input data from the client to the application that are later passed to an instance of a database for execution for the purpose of affecting the execution of predefined SQL commands.
     
  • SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.

SQL Injection Attack Types

A. Tautologies

In a tautology-based attack an attack code is injected using the conditional operator such that the query always evaluates to TRUE.

D. Piggy-backed Queries

In this type of attack, the attacker binds another SQL statement by terminating the first using. The first query will execute as normal but the subsequent injected queries will also be executed.

  • Definition: Injecting SQL statements into the vulnerable spots with a malicious intention
  • It refers to one of the code injection attacks where in data provided by the user is included in a SQL query such that part of the user's input is treated as SQL code.
  • Most of the cyber crimes are pertaining stealing credit card numbers and stealing money using SQL Injection in the wake of this decade.

The Gartner Group estimates that over 70% of attacks against a company's web site or web application come at the application level, not the network or system layer.