SQL Injection

What is a SQL injection?

The SQL (Structured Query Language) injection family covers a large number of vulnerabilities, all of which involve interaction with an SQL database.

This vulnerability first appeared in 1998, with an article in Phrack Magazine.

In the OWASP Top 10 (2007, 2010, 2013, 2017), SQL injection was in first position, together with the other injections (source: OWASP Top Ten Web Application Security Risks).

Since SQL injections attack databases, they are vulnerabilities affecting the server side of web applications.

SQL injection vulnerabilities are present when the server uses user input, without sanitizing it, to build and run one or more SQL queries.

 

What are the different types of SQL injections?

Different SQL vulnerabilities exist depending on what the server allows.

The most widely used ones are:

  • "Classic" SQL injection (with ' OR 1=1 --): This is the most famous SQL flaw, found on authentication forms. It allows a malicious user to bypass an authentication form and access a restricted account.
  • "Union-based" SQL injection: In SQL, the UNION operator merges the results of two queries. This allows a hacker to leak sensitive data in place of the data returned by the first SQL query.
  • "Blind" SQL injection: When the data is not displayed on the screen, the attacker uses a condition that triggers a pause and relies on the system's response time to know whether the injection was successful. This technique is used in particular to "brute force" the data that the attacker wants to recover.

 

Many other SQL injection methods exist, from the "Error Based" vulnerability, which allows values to be displayed in an error message, to the "Stacked Query", which allows you to perform any query you want.

 

Consequences of SQL injections

SQL injections cause three huge complications:

  • Data exposure: This is probably the most famous problem linked to SQL injections. With the possibility of adding custom queries, an attacker can recover any data present in an SQL database. It is very common for leaked databases to include users' personal information (name, email, address). This calls for paying close attention to sensitive data that might be stored online.
  • Account theft: When an SQL injection is possible on an authentication form, it is very easy for an attacker to authenticate with an account that does not belong to them. In addition to identity theft or data theft, the proper functioning of a web application can be wrecked if an administrator account is exploited.
  • Data corruption: This is the most dangerous case, exploited with Stacked Query. An attacker who can perform any query on an SQL database can very easily modify or delete data. In addition to the corruption itself, which is a problem for sensitive information, it can lead to the same problems mentioned above: a hacker who can modify the password is a hacker who knows the password. Most websites store their data in a database, so an attacker who can overwrite it can deface the website or publish fake news.
 

 

How to perform an SQL injection?

1. Normal use of a search bar (PHP & MySQL)

Let’s take the example of a site which sells tools. On one of the pages of the web application there is a search bar to find an item along with its price.

Loris, the hacker, will first do a simple search to see the different mower models.

When he clicks on the button, the server will retrieve his input and insert it into an SQL query.

The server will then send this SQL command to the database, which will execute it as code.

The database will then look in the "items" table for all the names and prices of the items containing "mower" in their name and with a stock greater than zero.

 

The server will retrieve this information and then display it on Loris’s screen. 

2. Test an SQL injection

Loris sees that his search has been added to the URL in the form "?name=mower".
He then decides to test whether this parameter accepts SQL code.
He adds a single quote ('), which opens and closes a string in SQL.
The database will then receive the following SQL command:

This query is not valid. The second "%", now outside the string, is treated as a forbidden character.

 

An error is then returned: "MySQL error: Invalid Syntax"

Loris now knows that a MySQL database is used.

To avoid this error, Loris adds a MySQL comment to his query with the syntax "--", which removes the rest of the command.

 
 

The database accepts the query and returns all items, including those no longer in stock: the percent sign serves as a wildcard and the stock condition has been commented out.

 

Loris just has to add his own queries to exploit the vulnerability.

3. SQL Injection example

Now that Loris has a valid query, he will be able to perform the SQL injection.
His objective will be to retrieve the user passwords stored in the database.
First, he needs to invalidate the current query so that it no longer returns item information; a simple AND 1 = 2 -- will suffice.

The query will therefore only return items if the condition 1 = 2 holds. Consequently, there will no longer be any result.

Loris will then use the UNION operator, which merges queries, to add a SELECT that retrieves the names of the different tables.

With a few more SQL queries, Loris discovers that Paul is the administrator of the website, so he retrieves Paul's password.

The password is cb28e00ef51374b841fb5c189b2b91c9

Obviously, passwords are never stored in clear text and this format seems to be an MD5 hash.

MD5 is a hash algorithm applied to plain text. It cannot be reversed, but some websites (https://md5decrypt.net/ for example) store a large number of associations between simple clear texts and their MD5 hashes.

Loris is lucky, the website gives him a result for the hash: password123456

Loris just has to authenticate with the Paul / password123456 pair to have access to an administrator account.

In our example, the SQL injection attack was performed manually, but today there are tools such as SQLMap which automate the detection of SQL injections.

OWASP recommendation

The Open Web Application Security Project (OWASP) provides a guide to prevent SQL injections. There are various options a developer can use.

  • Prepared statements, which consist of writing the SQL query first and supplying its parameters afterwards. The parameters are inserted as data, which prevents the injection of escape characters.
  • Using a "whitelist" (an authorized list of values) restricts the user's field of action so that only selected values are accepted.
  • Escaping user input is still an effective way to neutralize escape characters.
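
The first two recommendations applied to the search bar from the walkthrough, as an added example that is not code from the original page. It uses Python with an in-memory SQLite database instead of PHP and MySQL so that it runs offline; the table layout, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the shop's "items" table (assumed schema).
ROWS = [("Electric mower", 199.0, 4), ("Petrol mower", 349.0, 0), ("Hammer", 12.5, 30)]
SORTABLE = {"name": "name", "price": "price"}  # allowlist of permitted sort columns

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, price REAL, stock INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return db

def search_vulnerable(db, term):
    # Vulnerable: the input is pasted into the SQL text, so a quote in the
    # input closes the string and the rest of the input is parsed as SQL.
    sql = ("SELECT name, price FROM items WHERE name LIKE '%" + term
           + "%' AND stock > 0")
    return db.execute(sql).fetchall()

def search_safe(db, term, sort="name"):
    # Allowlist: column names cannot be bound as parameters, so the requested
    # sort key is mapped to a known column or rejected.
    if sort not in SORTABLE:
        raise ValueError("unsupported sort column")
    # Prepared statement: the term is bound as data and never parsed as SQL.
    sql = ("SELECT name, price FROM items WHERE name LIKE '%' || ? || '%' "
           "AND stock > 0 ORDER BY " + SORTABLE[sort])
    return db.execute(sql, (term,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Inputs from the walkthrough: a normal search, then quote plus comment.
    for term in ("mower", "' -- "):
        print(repr(term), "concatenated:", search_vulnerable(db, term))
        print(repr(term), "bound:       ", search_safe(db, term))
```

In the bound version, `%` and `_` inside the term still act as LIKE wildcards, but they can only widen the name match; the stock condition can no longer be removed.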

R&S®Cloud Protector vs SQL injections

To avoid SQL injections, R&S®Cloud Protector provides several tools: 

  • "Blacklisting", used on all levels of protection: If R&S®Cloud Protector detects a pattern usually used to exploit an SQL flaw, the request will be immediately blocked and redirected.
  • The "Scoring List", used on the Advanced and High levels of protection: R&S®Cloud Protector will analyze the request and increment a score when a malicious pattern is detected. At the end of the analysis, if the score is greater than the authorized limit, the request is blocked and redirected. This is a smart method that avoids false positives.
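
The difference between the two approaches, as an added illustration that is not the product's code or rule set. The patterns, weights, limit and sample search terms are all assumptions chosen to show how a score threshold lets through benign input that a single-pattern block would reject.

```python
import re

# Hypothetical rules: (pattern, weight). Illustrative assumptions only,
# not the rules of any real product.
RULES = [
    (re.compile(r"'"), 2),                            # string delimiter
    (re.compile(r"--"), 3),                           # SQL comment marker
    (re.compile(r"\bunion\b", re.I), 2),              # UNION keyword
    (re.compile(r"\bselect\b", re.I), 2),             # SELECT keyword
    (re.compile(r"\bor\s+1\s*=\s*1\b", re.I), 5),     # always-true condition
]
LIMIT = 4  # assumed authorized limit; a request is blocked when score > LIMIT

def blacklist_blocks(value):
    # Blacklisting: a single matching pattern is enough to block the request.
    return any(pattern.search(value) for pattern, _ in RULES)

def score(value):
    # Scoring list: every matching pattern adds its weight to the total.
    return sum(weight for pattern, weight in RULES if pattern.search(value))

def scoring_blocks(value):
    return score(value) > LIMIT

def compare(values):
    # Returns {value: (blocked by blacklist, score, blocked by scoring)}.
    return {v: (blacklist_blocks(v), score(v), scoring_blocks(v)) for v in values}

# Constructed search terms: three benign ones, then the two inputs from this page.
SAMPLES = ["mower", "O'Brien hammer", "union jack flag",
           "' OR 1=1 --", "mower' AND 1 = 2 --"]

if __name__ == "__main__":
    for value, (bl, sc, sb) in compare(SAMPLES).items():
        print(f"{value!r:24} blacklist={bl!s:5} score={sc:2} scoring={sb}")
```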
