Burp Suite for SQL injection attacks
what is an SQL injection attack?
SQL (Structured Query Language) injection attacks occur when malicious code is inserted into an SQL query to manipulate the database. They occur on web applications when the application is vulnerable and hasn't properly sanitized or validated user input before constructing SQL queries.
The server side handles client requests; if that code is vulnerable, an attacker can exploit it even when web traffic runs over port 443 and is encrypted, because TLS protects the connection, not the query that is built from the input. So it's important to implement input validation and to parameterize queries to protect against these attacks.
types of SQL injection attacks
Union-based SQL injection- This uses the UNION operator to combine the results of multiple queries. When the application has a vulnerable SQL query that includes user-supplied input, the attacker crafts input containing the UNION operator, which is executed alongside the original query. Consider a vulnerable login page where the username and password are concatenated directly into the SQL query.
SELECT * FROM users WHERE username = '$username' AND password = '$password';
an attacker could inject the following input as the username
' OR 1=1 UNION SELECT * FROM users; --
which would result in the modified query (everything after -- is commented out)
SELECT * FROM users WHERE username = '' OR 1=1 UNION SELECT * FROM users; --
the 1=1 condition is always true, so the UNION clause will be executed, causing all the users' data to be returned.
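To make the mitigation from the introduction concrete, here is an added Python example (not code from the original article) that builds the login query above in the vulnerable, string-concatenated form and in the parameterized form, runs the article's own UNION payload against both on an in-memory SQLite table, and adds an allow-list username check as defence in depth. The users table, its rows and the username policy are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite users table standing in for
# the application's database (not any real system).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder"), ("carol", "singer")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern from the article: user input is pasted straight into the SQL text."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders mean the driver sends the input as data, never as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Assumed username policy (allow-list): letters, digits, '.', '_' and '-', 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Allow-list validation, applied before the query as a second layer of defence."""
    return USERNAME_RE.fullmatch(username) is not None


# The exact payload from the article, used only to show the two query styles side by side.
PAYLOAD = "' OR 1=1 UNION SELECT * FROM users; --"


def demo() -> dict:
    """Return row counts for each query style so the difference is checkable."""
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, PAYLOAD, "anything")),
        "parameterized_rows": len(login_parameterized(conn, PAYLOAD, "anything")),
        "legit_rows": len(login_parameterized(conn, "alice", "wonderland")),
        "payload_passes_validation": is_valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the payload returns every row in the table, exactly as the article describes; with placeholders the same string is compared literally against the username column and matches nothing, while a genuine login still returns its one row. The allow-list check rejects the payload before any query is built, which also gives you a clean place to log and alert on attempts.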
Error-based SQL injection- This is where the attacker exploits errors returned by the application to extract information from the database. This attack can only be run against MS-SQL servers: the application returns an error message showing the information the attacker has asked for. Essentially, the attacker crafts syntax that will intentionally return an error message containing the information they are after.
Blind SQL injection- In this attack the attacker cannot observe the direct output of an SQL query and has to infer information from the application's response to different inputs. In this scenario the application has a vulnerable SQL query that takes user-supplied input. The attacker's input modifies the original query in a way that can be detected through the application's response, and the attacker observes how the responses change based on the injection.
SQL injections based on the method used to inject
SQL injection based on user input- Web applications take input through forms and pass it into database queries for processing. If that input isn't sanitized before being accepted, it leaves room for attackers to inject malicious statements.
SQL injection based on cookies- Cookies are small text files stored on a user's device to hold session information and preferences. Here the attacker exploits vulnerabilities in the application's cookie handling in order to inject malicious code.
SQL injection based on HTTP headers- HTTP headers are metadata sent between a web server and a client, containing information about the request and response. In this case the attacker modifies the value of a vulnerable HTTP header to include malicious SQL code.
Second-order SQL injection- A more complex SQL attack; in this case malicious code is injected into a web application indirectly and can lie dormant for a while before it reaches a vulnerable query. The data can be malicious in one context and harmless in another.
conducting an SQL injection attack
We are going to use Burp Suite to test out our own SQL injection attack. Burp Suite is a platform used for penetration testing web applications. It has tools for intercepting and scanning web traffic, enabling inspection of the traffic between a client and an HTTP/HTTPS web server.
In this example we will be using Burp Suite Community Edition, which has limited features compared to Burp Suite Professional but still has everything we need.
The key features are:
Repeater- Repeater allows us to manually modify and resend HTTP requests. It works by capturing the request from the Proxy tab or by entering it manually in Repeater. Then you can modify the request by changing the URL, changing the HTTP method (GET, POST, PUT, DELETE), adding or removing headers, and editing the request body.
Proxy- The Proxy is the man-in-the-middle that intercepts web traffic and lets you modify requests. All browser traffic can be routed through Burp Suite.
Intruder- Allows for spraying endpoints with requests as well as custom payload injection and fuzzing. It works by specifying the target URL or parameters you want to test, then choosing the attack type: Sniper, Battering ram, Pitchfork, or Cluster bomb. Then you create a list of payloads (or payload sets) to send during the attack and launch it.
Decoder- The Decoder tool in Burp Suite decodes data that is not in a human-readable format, e.g. base64, URL-encoded, or HTML-encoded.
Sequencer- This is used to analyze the randomness of tokens (such as session IDs) in HTTP traffic captured using the Burp Suite proxy. It estimates entropy, which is a measure of randomness.
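Decoder and Sequencer do these jobs inside Burp's GUI. As an added illustration (not Burp's code and not from the original article), the Python below peels URL, HTML and base64 encoding layers off a captured value the way you would with Decoder, and estimates the entropy of a set of session tokens in the spirit of a Sequencer check. The sample value and the two token lists are constructed for illustration.

```python
import base64
import binascii
import html
import math
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote_plus

# Loose base64 shape: alphabet chars, optional padding, length a multiple of 4.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_base64(value: str) -> Optional[str]:
    """Return the UTF-8 text behind a base64 string, or None if it is not base64 text."""
    if len(value) % 4 != 0 or BASE64_RE.fullmatch(value) is None:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def smart_decode(value: str, max_layers: int = 5) -> Tuple[str, List[str]]:
    """Strip encoding layers one at a time, recording which layer was removed.

    Order matters: URL-decode first (it may reveal '=' padding), then HTML entities,
    then base64. Stops when nothing changes or max_layers is reached.
    """
    current, layers = value, []
    for _ in range(max_layers):
        if "%" in current:
            decoded = unquote_plus(current)
            if decoded != current:
                current, layers = decoded, layers + ["url"]
                continue
        if "&" in current and ";" in current:
            decoded = html.unescape(current)
            if decoded != current:
                current, layers = decoded, layers + ["html"]
                continue
        decoded = decode_base64(current)
        if decoded is not None and decoded.isprintable():
            current, layers = decoded, layers + ["base64"]
            continue
        break
    return current, layers


def shannon_entropy_bits(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def estimate_token_bits(tokens: List[str]) -> float:
    """Rough Sequencer-style estimate: pool all characters from the captured tokens,
    take the per-character entropy, and scale by the token length."""
    pooled = "".join(tokens)
    if not pooled:
        return 0.0
    length = len(tokens[0])
    return shannon_entropy_bits(pooled) * length


# Constructed sample: a cookie value that is base64 wrapped in URL encoding.
SAMPLE_VALUE = quote(base64.b64encode(b"user=admin").decode("ascii"))

# Constructed token sets: a predictable counter-style set and a random-looking set.
WEAK_TOKENS = ["user0001", "user0002", "user0003", "user0004"]
STRONG_TOKENS = ["q7Zp2LmX", "B9vKd3Ye", "xT4sW8nR", "Hc6Gf1Qa"]

if __name__ == "__main__":
    print(smart_decode(SAMPLE_VALUE))
    print(estimate_token_bits(WEAK_TOKENS), estimate_token_bits(STRONG_TOKENS))
```

The pooled-character estimate is only a first sanity check: Burp's Sequencer runs many statistical tests over thousands of samples, and a handful of tokens can never prove randomness. It is useful for the opposite case, flagging tokens whose character set or structure is obviously narrow before you spend time on a full capture.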
To begin, we are going to open Burp Suite, which is actually pre-installed in Kali Linux, so we can just search for it.
We can then launch Burp Suite Community Edition and accept the terms and conditions before continuing.
We can click 'Next' then 'Start Burp' to open Burp Suite.
configuring the proxy
We are going to begin by configuring the proxy settings in Burp Suite so we can start intercepting traffic.
Under the Proxy tab, click Proxy settings. Under the proxy listeners you can see which interface and port it's listening on. We can see the interface 127.0.0.1:8080; we can change the port the listener is bound to by pressing Edit in the side column.
Then we can go back and click 'Intercept is off' to switch it to 'Intercept is on'. This will allow us to intercept and modify requests.
Now we can open up Firefox, then open up Settings. We are going to search for proxy settings.
Once we open up our proxy settings, choose manual configuration and point it at the Burp listener (127.0.0.1, port 8080).
Now navigate to 127.0.0.1:8080 and download the Burp CA certificate. The certificate needs to be installed as a trusted root so the browser will trust the SSL/TLS connections that Burp Suite terminates on its behalf; without it every HTTPS site will show a certificate warning.
OK, so now we go back to Settings and search for certificates.
Choose Import in the Certificate Manager.
Now if we go back to Burp Suite with Intercept turned on, we can see the browser's requests.
penetration testing a web application
For this example we can use the deliberately vulnerable web application ginandjuice.shop. We are going to start.