Injection Flaws
What is SQL?
SQL stands for Structured Query Language; it is the language used to interact with a relational database.
Extension
Data Manipulation Language (DML)
Select, insert, update, delete
Data Definition Language (DDL)
Create, Alter, Drop, Truncate
Data Control Language (DCL)
Grant, Revoke
What is SQL Injection?
It is a vulnerability that gives the attacker the ability to inject malicious data from the client into the SQL the application runs. By influencing what is passed to the database, an attacker can gain access to the database and to operating system functions. SQL injection does not affect web applications solely: any code that accepts input from an untrusted source and then uses that input to build SQL statements can be vulnerable as well.
What can a successful attacker get by using SQL injection?
Read and modify sensitive data, execute administrative operations, issue commands to the operating system, spoof identity, tamper with existing data, destroy data, or become admin.
What are the most common injection types?
- Structured query language (SQL) queries
- Lightweight directory access protocol (LDAP) queries
- XML Path Language (XPath) queries
- Operating system commands
SQLMap flags
- --current-db to retrieve the Database Management System's (DBMS) current database.
- --current-user to retrieve the current DBMS user.
- --string to provide a string value that is always present in the response, to help identify false positives.
- --users to retrieve the database management system users.
- --passwords to retrieve the password hashes of the database management system users.
- -U to specify which database management user to include in the attack.
- --privileges to retrieve the selected user's privileges.
- --dbs to retrieve the names of all databases on the database server.
- -D to specify which database to target.
- --tables to retrieve all tables in the targeted database.
- -T to specify which table to target.
- --columns to retrieve all columns in the targeted table.
- -C to specify which columns to retrieve.
How to Get the Current Database Name?
How to retrieve all tables from the Database?
How to retrieve all columns from the users table?
How to retrieve all of the database users and cracked passwords?
Three-tier
A database-driven application commonly has three tiers (NOT SCALABLE):
- Presentation Tier — Web Browser
- Logic Tier — Programming Language
- Storage Tier — DB

Four-Tier
- Presentation — Web Browser
- Logic — Programming Language
- Application Tier — Web Service
- Storage — DB

The difference from three-tier: the database returns the data to the database connector, and the application server then applies any application or business-logic rules before returning the data to the web server.
The purpose of the tier structure is to break the application down into logical chunks, each of which is assigned a general or specific role. This makes components more readable and reusable.
Overview
If I have a login screen with two text boxes, one labeled username and the other labeled password, I could assume a simple SQL statement might look like this:

The trick is to choose the correct SQL statement to find the username and password.

That is why you use ' OR ''=' or, for the Juice Shop, ' --

Tried this after reading
%27 is the URL-encoded form of the single quote and %3D is the equals sign. The plus signs are one way that the browser encodes a literal space; you will often also see a space URL-encoded as %20. All of these measures are in place so that the user's input can be carried in the URL of the application and passed to the server for processing. A literal space is not allowed anywhere in the URL (including any parameter values in the query string), as it would break the request format accepted by the HTTP protocol.
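As an added example (not from the original post, and not WebGoat's or Juice Shop's code), the following Python script shows the login statement sketched above built two ways: by string concatenation, which is what the post describes, and with bound parameters. It also decodes the URL-encoded form body discussed in the previous paragraph (%27, %3D and the + signs) before the query is built. The users table, the single user record and the three form submissions are constructed for the demonstration.

```python
# Added example (not from the original post): a login check built by string
# concatenation next to the same check with bound parameters. The table, the
# user record and the submissions below are constructed for illustration.
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Create an in-memory SQLite database holding one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def decode_form(query_string):
    """Decode a URL-encoded form body: %27 -> ', %3D -> =, + -> space."""
    fields = parse_qs(query_string, keep_blank_values=True)
    return fields["username"][0], fields["password"][0]


def login_vulnerable(conn, username, password):
    """The statement the post sketches: the input is pasted into the SQL text,
    so a quote in the input changes the grammar of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """The same check with placeholders: the driver passes the values separately,
    so they are compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(query_string):
    """Run one decoded form submission through both versions of the check."""
    conn = make_db()
    username, password = decode_form(query_string)
    return {"vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password)}


if __name__ == "__main__":
    # Constructed submissions: a real credential, then the two inputs from the post.
    for qs in ("username=alice&password=correct+horse",
               "username=alice&password=%27+OR+%27%27%3D%27",   # ' OR ''='
               "username=alice%27+--&password=anything"):        # ' --
        print(qs, "->", compare(qs))
```

The real credential passes both checks. For the two other submissions the concatenated version returns a row, because the quote either turns the WHERE clause into `... OR ''=''` or comments out the password comparison, while the parameterised version returns nothing, because the whole input is compared as a string against the stored value. Binding parameters (or an ORM that does so) is the fix the post's "defense" reading is pointing at; escaping quotes by hand is not equivalent.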
Resources
Webgoat, SQL Injection Attacks and Defense, 2nd Edition
Please check out the links below
Resume website — https://tommarler.org
Linkedin — https://www.linkedin.com/in/tom-m-bb4857112/