Secure coding

SQL Injection Vulnerabilities: Types and Terms

November 16, 2020 by Srinivas

Introduction

In the previous article, we briefly discussed SQL Injection vulnerabilities and what type of features cause SQL Injection vulnerabilities. This article provides a detailed overview of SQL Injection vulnerabilities and their types. We will begin by discussing error based SQL Injection vulnerabilities followed by a brief discussion about Blind SQL Injection vulnerabilities. 

What is SQL Injection?

SQL injection is a type of web vulnerability that allows attackers to execute arbitrary SQL queries on the database used by the target web application. It arises from a vulnerable parameter in the web application that takes user input and appends it to a SQL query dynamically, without sanitization or parameterization.

According to OWASP, “A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.”

Types of SQL Injection

SQL Injection can be broadly categorized into the following two types.

  • Error Based SQL Injection
  • Blind SQL Injection

Error Based SQL Injection

Error Based SQL Injection is an injection technique that exploits vulnerable web applications using the errors returned from the database. These database errors are used to extract the information from the database.

Let us consider the following code snippet from Xtreme Vulnerable Web Application (XVWA) SQL Injection challenge.

$sql = "select * from caffaine where itemid = '".$item."'";
$result = $conn->query($sql);
$isSearch = true;

The PHP code shown in the preceding excerpt dynamically constructs and executes a SQL query that searches for the item whose id matches the supplied value. After the query is executed, the variable $isSearch is set to true. However, because the query is built by concatenating a constant base query string with a user-supplied string, the code is vulnerable to SQL Injection. If an attacker enters the string 1' OR '1'='1 for item, the query becomes the following:

select * from caffaine where itemid = '1' OR '1'='1';

Executing this query returns all the records from the table, because the added OR '1'='1' condition makes the where clause always evaluate to true. As a result, every item is displayed on the page, as shown in the following figure.

Following is the code used to prepare the output content. 

if($isSearch){
    echo "<table>";
    while($rows = $result->fetch_assoc()){
        echo "<tr><td><b>Item Code : </b>".$rows['itemcode']."</td><td rowspan=5>&nbsp;&nbsp;</td><td rowspan=5 valign=\"top\" align=\"justify\"><b>Description : </b>".$rows['itemdesc']."</td></tr>";
        echo "<tr><td><b>Item Name : </b>".$rows['itemname']."</td></tr>";
        echo "<td><img src='".$rows['itemdisplay']."' height=130 weight=20/></td>";
        echo "<tr><td><b>Category : </b>".$rows['categ']."</td></tr>";
        echo "<tr><td><b>Price : </b>".$rows['price']."$</td></tr>";
        echo "<tr><td colspan=3><hr></td></tr>";
    }
    echo "</table>";
}

As the preceding excerpt shows, the output block runs only when $isSearch is true, and as we noticed earlier that variable is set to true regardless of whether the query succeeded. This means that when the query fails, the code still attempts to read from $result and the resulting database error is displayed on the web page.

Inserting a single quote (') results in the following error on the web page.

This confirms that the application is vulnerable to Error Based SQL Injection. Using these errors returned, an attacker will be able to extract information from the database and display it on the webpage. 

Blind SQL Injection

Blind SQL Injection is an injection technique that exploits vulnerable web applications without relying on the errors returned from the database. When exploiting this type of SQL Injection, information cannot be read directly from the web page, so inference-based techniques, such as observing a true/false difference in the response or a time delay, are used to extract information instead of verbose error messages.

Let us consider the following code snippet from Xtreme Vulnerable Web Application (XVWA) Blind SQL Injection challenge.

$sql = "select * from caffaine where itemid = '".$item."'";
$result = $conn->query($sql);
$rowcount = $result->num_rows;
if($rowcount>0){
    $isSearch = true;
}

Just like the previous example, the PHP code shown in the preceding excerpt dynamically constructs and executes a SQL query that searches for the item whose id matches the supplied value, and it is vulnerable to SQL Injection for the same reason: the item is taken directly from user input. After the query is executed, the variable $isSearch is set to true, but only if the database returned at least one row. Errors are therefore never rendered on the page, which makes this a Blind SQL Injection rather than an Error Based one.

Inserting a single quote shows the following on the web page.

As we can see, even though the page is vulnerable to SQL Injection, no errors are shown in the response. The only observable signal is whether the page lists items or not, so this type of SQL Injection requires a different approach to extracting data from the database.
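To make the difference between the two XVWA snippets concrete, here is an added example written for this article; it is not XVWA's code and not part of the original post. It uses Python with an in-memory SQLite database standing in for the MySQL database, keeps the page's table and column names (caffaine, itemid, itemcode, and so on) but fills the table with constructed rows, and models three handlers: the error-based page (query errors reach the response), the blind page (only "at least one row" is revealed), and a parameterized version of the same search, which is the fix the series is building towards.

```python
import sqlite3

# Constructed in-memory stand-in for XVWA's "caffaine" table. Column names
# follow the page's PHP; the rows themselves are made up for this example.
SAMPLE_ROWS = [
    ("1", "CF001", "Espresso", "Strong dark roast", "hot", 3.5),
    ("2", "CF002", "Latte", "Espresso with steamed milk", "hot", 4.0),
    ("3", "CF003", "Iced Mocha", "Chocolate cold brew", "cold", 4.5),
]


def make_db():
    """Create an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE caffaine (itemid TEXT, itemcode TEXT, itemname TEXT, "
        "itemdesc TEXT, categ TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO caffaine VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_error_based(conn, item):
    """Models the first XVWA snippet: the item is concatenated into the query
    and the page is rendered unconditionally, so a database error ends up in
    the response. Returns the rows plus the error text (None on success)."""
    sql = "select * from caffaine where itemid = '" + item + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # This string is what an error-based page leaks to the user.
        return {"rows": [], "error": str(exc)}


def search_blind(conn, item):
    """Models the blind snippet: same concatenation, but the only thing the
    page reveals is whether at least one row came back ($rowcount > 0)."""
    sql = "select * from caffaine where itemid = '" + item + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []  # error swallowed: the page simply shows no results
    return len(rows) > 0


def search_parameterized(conn, item):
    """The fix: bind the item as a query parameter so the database treats it
    purely as data. Quotes in the input can no longer change the query."""
    return conn.execute(
        "select * from caffaine where itemid = ?", (item,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1' OR '1'='1", "'"]:
        print(repr(probe))
        print("  error-based  :", search_error_based(db, probe))
        print("  blind        :", search_blind(db, probe))
        print("  parameterized:", len(search_parameterized(db, probe)), "row(s)")
```

Running the script shows the three behaviours the article describes: the error-based handler returns all three rows for 1' OR '1'='1 and returns the database's syntax error text for a lone single quote; the blind handler returns only True or False, so a single quote looks like an empty search; and the parameterized handler returns exactly one row for 1 and nothing for either probe, because the bound value is compared as a literal item id.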

Conclusion

SQL Injection vulnerabilities are among the most dangerous web vulnerabilities. Developers must be aware of these injection vulnerabilities because their impact is high: a successful attack can give full access to the underlying database. In the next few articles of this series, we will discuss how SQL Injection vulnerabilities can be exploited and mitigated.

Sources

  1. https://owasp.org/www-community/attacks/SQL_Injection
  2. https://portswigger.net/web-security/sql-injection
  3. https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com
