Class 11 ‐ SQL Injection - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

Introduction to Databases

Database Types

  • Relational databases
    • Composed of multiple tables with predefined columns and rows
  • Non-relational databases
    • Sometimes referred to as NoSQL databases; represent a newer method of storing data
  • Relational databases are still the most common in use.

Relational Databases

  • MySQL
  • Oracle
  • PostgreSQL
  • MariaDB

Non-Relational Databases

  • MongoDB
  • Redis
  • Elasticsearch
  • Cassandra

Database Access

  • Accessing a database requires running the MySQL service.
  • To start the service: service mysql start
  • To connect to the database: mysql -u [user] -p
  • Then, enter your password.

Creating Databases

  • To create a DB: CREATE DATABASE [name];
  • To interact with a DB: USE [name]; or [database].[table];
  • To view existing databases: SHOW DATABASES;

Creating Tables

  • The base query is: CREATE TABLE [name] ([column definitions]);
  • Each column is defined by: [name] [type] [parameters];
  • Display table structure: DESCRIBE [table];

Common Data Types

  • MySQL allows multiple data types to be stored in tables.
  • The following are some common types:
    • BOOLEAN - Represents a true/false-type value
    • INT - Integer (number) data type
    • FLOAT - Floating-point data type
    • DATETIME - Date-time combination data type
    • VARCHAR - String data type
    • BLOB - Data type for large binary data (file)

Inserting Data in a Table

  • To add new data: INSERT INTO [table] (column1, column2, …) VALUES (value1, value2, …);
  • To display all information in a table: SELECT * FROM [table];

SELECT Statement

SELECT id, product_name FROM products WHERE id = 1 OR product_name LIKE '%ead';
  1. SELECT: From which columns should data be returned?
  2. FROM: From which table should columns be returned?
  3. WHERE: Condition
  4. OR/LIKE: Additional logic filters
  • The SELECT statement can be used to obtain data from a table.

Ordering Data

  • ORDER BY orders the data according to a parameter.
  • To reorder all the information in the table: SELECT * FROM [table] ORDER BY [column];

UNION SELECT

  • SQL allows combinations of multiple queries.
  • SELECT commands can be aggregated.
  • Several SELECT statements can be combined: SELECT … FROM [table] UNION SELECT [values];

Information Functions

  • SQL can include functions that provide additional details about the database.
  • VERSION() - Returns the SQL version
  • DATABASE() - Returns the database name
  • USER() - Returns the current user
  • CONNECTION_ID() - Returns the connection ID

Information Schema

  • SQL includes a special database called information_schema.
  • It holds a summary (metadata) of every database, table and column on the server.
  • An attacker can use it to enumerate the structure of any database on the server.

SQL Injection

SQL Injection Attack

  • Injects SQL code
  • Manipulates SQL queries
  • Allows database enumeration
  • Bypasses authentication

SQLi Types

  • In-Band (Classic)
    • Based on errors and union access to data in the DB, which an attacker injects with crafted SQL queries
  • Inferential SQLi (Blind)
    • More challenging to perform than in-band; it can be error-, Boolean-, or time-based injection with no visible output
  • Out-of-Band
    • Depends on the database server's configuration (lack of security restrictions); uses a similar attack vector to inferential attacks

Login Bypass

SELECT * FROM credentials WHERE user='admin' or 1=1 -- and password='pass';
  1. A query from a login page
  2. The user controls the injected text (admin' or 1=1 --), which was highlighted in color on the slide.
  3. '--' starts a comment, causing SQL to ignore what follows.
  4. Allows login bypass
  • 1=1 is always true, both as arithmetic and as an SQL condition, so the WHERE clause matches every row.
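As an added example (not part of the class notes), the login query above rebuilt in Python against an in-memory SQLite table, so the bypass can be reproduced and compared with the parameterized fix; the table contents and the two login functions are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for the
    # MySQL "credentials" table used in the class notes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credentials (user VARCHAR(32), password VARCHAR(64))")
    conn.execute("INSERT INTO credentials VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, user, password):
    # Builds the query by string concatenation, as the login page in the
    # notes does: the user's input becomes part of the SQL grammar, so a
    # quote and a '--' comment can rewrite the WHERE clause.
    query = ("SELECT * FROM credentials WHERE user='" + user +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user, password):
    # Parameterized query: the driver sends the values separately from the
    # statement text, so quotes and '--' in the input are plain data and the
    # query shape can never change.
    query = "SELECT * FROM credentials WHERE user=? AND password=?"
    return conn.execute(query, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 -- "
    # WHERE clause becomes: user='admin' or 1=1 -- ' AND password='wrong'
    print(login_vulnerable(db, payload, "wrong"))  # True: bypass succeeds
    print(login_safe(db, payload, "wrong"))        # False: no such user literally
    print(login_safe(db, "admin", "S3cret!"))      # True: real login still works
```

The same comparison works against MySQL with a driver that supports placeholders; only the placeholder syntax (`%s` instead of `?`) changes.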

Enumeration Vectors

  • Version: Obtained by using the version() function
  • Users: Enumerates user information
  • Structure: Database structure is enumerated using information_schema.

SQLi Attack Flow

  1. Cause an error by using '
  2. Study the error
  3. Modify the query using -- -
  4. Inject the customized query
  5. Enumeration is achieved

SQLi Automation

  • SQLMAP is an SQLi automation tool for database enumeration.
  • Detects and evades WAFs
  • Can be configured to work through proxies
  • SQLMAP can be used with flags for specific injections: --dbs, --tables, -T [table] --columns, --dump