Structured Query Language, or SQL, is the language used to query and manage relational databases, including Microsoft SQL Server, Oracle, IBM DB2, and MySQL. Relational databases are a core back-end resource for online applications and content management systems (CMS) built with PHP, .NET, Java EE, Hibernate, SQLite, or other technologies common in current web development.
SQL injection is among the most dangerous web application vulnerabilities. It happens when untrusted user data, for example a value typed into an online form, is inserted into a database query. When SQL injection is possible, an attacker can craft the input to steal sensitive data, circumvent authentication, or damage the entries in your database.
SQL injection attacks come in many types, but they all originate from the same root cause: the query string is combined with the user's untrusted data. As a result, the user's input can change the query's original intent.
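To make that root cause concrete, here is an added example (not code from the original article) that runs the same lookup two ways against a constructed in-memory SQLite table: once with the input concatenated into the query string, and once with a parameterized query, which is the fix the vulnerable form needs. The table, names and roles are all made up for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data (not from the article): one admin, two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted data is pasted straight into the query text, so the input can
    # alter the query's structure or break its syntax. The resulting database
    # error is the verbose-error channel that error-based SQLi relies on.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Query text and data travel separately; the driver never re-parses the
    # input as SQL, so a quote in the name is just another character.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    results = {}
    # A perfectly legitimate name with an apostrophe breaks the concatenated
    # query (syntax error), while the parameterized query finds the row.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vuln_error"] = None
    except sqlite3.OperationalError as exc:
        results["vuln_error"] = str(exc)
    results["param_ok"] = lookup_parameterized(conn, "O'Brien")
    # An input that closes the string literal and appends a tautology turns the
    # single-row lookup into "return every user" in the vulnerable version; the
    # parameterized version treats the whole string as a (non-existent) name.
    tautology = "x' OR '1'='1"
    results["vuln_tautology"] = lookup_vulnerable(conn, tautology)
    results["param_tautology"] = lookup_parameterized(conn, tautology)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```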
Types of SQL Injection Attacks
SQLi attacks can be roughly classified into three categories:
- In-Band SQLi
In-band SQLi is one of the most prevalent types of SQL injection; the data is returned over the same channel used to deliver the malicious code. The two most common in-band approaches are error-based and union-based SQL injection. In error-based SQLi, the malicious user input produces a faulty or unexpected query, and the verbose database error shown on the web page is itself the channel through which data is retrieved.
Union-based SQLi combines the results of two or more SELECT statements into a single query result. It can be used to retrieve information from several tables in the database.
- Out-of-Band SQLi
Out-of-band SQLi is a less prevalent sort of SQL injection. It occurs when the attacker cannot retrieve the data over the same channel through which the attack was delivered. The response instead reaches the attacker through another channel, such as email, or depends on the database server's ability to make DNS or HTTP connections to a server the attacker controls.
- Blind SQLi
With this sort of SQL injection, often known as blind SQLi, no actual data is transmitted back. Instead, attackers watch how the application responds to payloads, which tells them whether the query is run or how the database processes the requests. Although it is considerably simpler to recreate the logic of the original query when verbose errors are available, an attacker who succeeds in executing a blind SQL injection attack against the application can still reverse engineer the logic to get at the original query.
Another commonly used approach is the time-based blind SQLi attack, which evaluates the latency of the response to determine whether or not the query is run. After submitting the given request there is no delay in page loading. If the comment is changed, as seen below, and the response is delayed, the query was run. The attacker now understands how to use the application's syntax for commenting out sections of a query, and once they have this information they can use it to continue targeting the application in subsequent ways.
Tips to prevent SQL injection will be disclosed in our next article: Combating the Risk of SQL Injection Attacks—Part 2