SQL is a domain-specific language used for managing and manipulating relational databases. It's the standard language for interacting with databases, allowing users to query, insert, update, and delete data.

SQL injection is a type of cyber attack where malicious SQL statements are inserted into an entry field for execution. This can happen when user input is not properly validated or sanitized, and the injected SQL code is then run by the database.

Testing for SQL injection involves attempting to input malicious SQL code into user input fields and observing how the application handles it. A secure application should properly validate and sanitize user input, preventing the execution of injected SQL code. Below you will find the steps for testing for SQLi.

Identifying a Vulnerable System

  • Input Field Examination

    Look for input fields in web forms or URL parameters where user data is accepted, such as search boxes, login forms, or any input that is sent to a SQL database. For example, if a website URL looks something like:

    https://example.com/login?username=testuser&password=testpass

    This site is most likely backed by a SQL database. When the server handles this request, it builds and runs a query such as:

    SELECT * FROM login WHERE username = 'testuser' AND password = 'testpass';

    This SQL query asks the database to return:

    • all details ( * )
    • from the login table
    • where the username column is storing testuser
    • and the password column is storing testpass

  • Testing The Database

    Now that we have found a site that is backed by SQL, we need to try injecting data into the query and see how the application reacts. Here is a list of characters you can use to check:

    '
    "
    `
    ')
    ")
    `)
    '))
    "))
    `))
    Start by going down the list and adding the data into the URL or form. If you're adding it into the URL it should look like:

    https://example.com/login?username=testuser'&password=testpass

    Pay attention to error messages returned by the system. If an error message reveals SQL syntax or database-related errors, that is an indicator of insufficient input validation, and the application might be vulnerable to injection!

  • Confirming Injection

    You will need to confirm by using a boolean-based SQL injection. This is a type of injection attack that relies on the application's response to boolean (true/false) conditions. The goal is to manipulate the logic of the SQL query to extract information or manipulate the behavior of the application. In this example we will use the following URL:

    https://example.com/login?username=testuser&password=testpass

    Now, if the application is vulnerable to a boolean-based SQL injection, an attacker might manipulate the URL to inject malicious code. We can change the request to:

    https://example.com/login?username=' OR '1'='1' --&password=testpass

    In this example:

    • username=' OR '1'='1' -- is the injected payload.
    • ' OR '1'='1' is a condition that is always true, effectively bypassing the login check.
    • -- is a comment in SQL, ensuring that the rest of the original query is ignored.

    So, the modified URL would be sent to the server, and the server might construct a SQL query using the injected data. If the server is vulnerable, it might construct a query like:

    SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = 'testpass';

    This manipulated query always evaluates to true, allowing the attacker to bypass authentication.
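The login check described above, built two ways so the bypass and its fix can be seen side by side. This is an added example and not code from the tutorial; it uses an in-memory SQLite database (which ships with Python) rather than MySQL, and the function names and the single sample row are assumptions for the demo. The table and column names follow the tutorial's query.

```python
# Added example (not from the original tutorial): the same login query built
# by string concatenation and by a parameterized statement.
import sqlite3


def make_db():
    """Constructed sample data: one user with a plaintext password, mirroring
    the tutorial's query. A real application would store only a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('testuser', 'testpass')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query: the user input becomes part of the SQL text,
    exactly as in the tutorial's example. Returns True when a row matches."""
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}';")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quote characters and '--' are data, not syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def error_on_probe(conn, username):
    """The 'add a quote and watch for an error' step from the previous section:
    with concatenation the unbalanced quote breaks the statement and the raw
    database error text is what leaks back to the user. Returns that text,
    or None if the query ran without a database error."""
    try:
        vulnerable_login(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable, real creds :", vulnerable_login(conn, "testuser", "testpass"))
    print("vulnerable, payload    :", vulnerable_login(conn, payload, "wrong"))
    print("safe, real creds       :", safe_login(conn, "testuser", "testpass"))
    print("safe, payload          :", safe_login(conn, payload, "wrong"))
    print("probe error (leaked)   :", error_on_probe(conn, "testuser'"))
```

The concatenated version accepts the tautology payload with a wrong password because the resulting text is the query shown above; the parameterized version looks for a user literally named `' OR '1'='1' --` and finds none. The probe with a lone quote raises a database error from the concatenated query and is handled as ordinary data by the parameterized one.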

    Sometimes you won't notice any changes on the page that you are testing, and you may have to do a blind SQL injection (here, the time-based variant). Because you cannot verify the injection by seeing data on the website, you inject a payload that introduces a delay, which causes the page to take a measurable amount of time longer to load.

    Using the same example URL from above, we can use the injection payload to delay the loading of the website by 10 seconds:

    testuser' OR IF(1=1, SLEEP(10), 0) --

    The modified URL should look like:

    https://example.com/login?username=testuser' OR IF(1=1, SLEEP(10), 0) --&password=testpass

    Explanation of injected payload:

    • ' OR IF(1=1, SLEEP(10), 0) -- is the injected payload.
    • IF(1=1, SLEEP(10), 0) tests a condition that is always true, so the SLEEP function runs and delays the response by 10 seconds.
    • -- is a comment in SQL, ensuring that the rest of the original query is ignored.

    When the server processes this injected URL, it will construct a query like:

    SELECT * FROM users WHERE username = 'testuser' OR IF(1=1, SLEEP(10), 0) --' AND password = 'testpass';

    If the injection is successful, the application's response will be delayed by approximately 10 seconds. This delay indicates that the injected code is being executed.
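From the other side of the fence, the probes and payloads walked through above leave a recognisable trail in web access logs. The following is an added example, not part of this tutorial: a small scanner that flags the quote probes, the tautology payload, the comment terminator, and the slow responses a SLEEP payload produces. The log format (method, path, HTTP status, latency in milliseconds) and every log line are constructed for the demo, and the indicator patterns are assumptions that only cover the payload shapes shown on this page.

```python
# Added example (not from the original tutorial): scan constructed access-log
# lines for the SQL injection probes and payloads described above.
import re
from urllib.parse import parse_qsl

# Constructed sample log: "<method> <path> <status> <latency_ms>" per line.
# Lines 2-4 replay the tutorial's probe, tautology and SLEEP payloads;
# line 5 is a legitimate apostrophe, included to show a false positive.
SAMPLE_LOG = """\
GET /login?username=testuser&password=testpass 200 35
GET /login?username=testuser%27&password=testpass 500 40
GET /login?username=%27%20OR%20%271%27%3D%271%27%20--&password=testpass 200 38
GET /login?username=testuser%27%20OR%20IF(1%3D1%2C%20SLEEP(10)%2C%200)%20--&password=testpass 200 10042
GET /search?q=o%27reilly 200 30
"""

# Indicator patterns (assumptions for this demo), applied to each decoded
# query-string value rather than to the raw URL.
PATTERNS = {
    # OR 'x'='x' with any of the three quote styles from the probe list
    "tautology": re.compile(r"""\bOR\s+(['"`])(\w+)\1\s*=\s*\1\2\1""", re.I),
    # the MySQL SLEEP() call used by the time-based payload
    "time_delay": re.compile(r"\bSLEEP\s*\(", re.I),
    # a trailing SQL comment, used to discard the rest of the query
    "comment_terminator": re.compile(r"--\s*$"),
    # exactly one quote character in the value: low confidence on its own
    "unbalanced_quote": re.compile(r"""^[^'"`]*['"`][^'"`]*$"""),
}


def score_request(path):
    """Return the sorted list of indicator names found in any parameter value."""
    if "?" not in path:
        return []
    _, _, query = path.partition("?")
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.add(label)
    return sorted(hits)


def scan_log(text, slow_ms=5000):
    """Return (line_number, path, reasons) for every line worth an analyst's
    attention. A 5xx right after a probe and a slow response carrying a delay
    payload are raised as extra reasons, since they corroborate the indicator."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _method, path, status, latency = fields
        reasons = score_request(path)
        if reasons and int(status) >= 500:
            reasons.append("server_error_after_probe")
        if "time_delay" in reasons and int(latency) >= slow_ms:
            reasons.append("slow_response_with_delay_payload")
        if reasons:
            findings.append((number, path, reasons))
    return findings


if __name__ == "__main__":
    for number, path, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}\n    {path}")
```

The single-quote rule fires on `o'reilly` as well, which is why it is kept as a low-confidence indicator and only becomes interesting when paired with a 5xx response; the tautology and SLEEP patterns, by contrast, almost never appear in legitimate input. Note that the latency check only corroborates the time-based payload and says nothing about whether the SLEEP actually ran on the database.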

Notes

Delving into the world of SQL injection opens a realm of both challenge and intrigue. This was just a basic tutorial; you may have to change some of the payloads in order to get the appropriate responses. If you are looking for more payloads, visit https://github.com/payloadbox/sql-injection-payload-list for a more comprehensive list.

In Part 2 we will explore the art of exploiting SQL databases manually and by using various tools.