
SQL Injection vulnerabilities, techniques, and attacks come up in many forms. We are going to discuss a few examples and go into detail about each of them. Some of the SQL Injection examples that we will be discussing include:
- Retrieving hidden data
- UNION Attacks
- Blind SQL injection
- Subverting application logic
- Examining the database
Today we will look at the first example of these attacks.
A. Retrieving Hidden Data
This means that an attacker can retrieve hidden private data using an SQL query. An attacker can modify an SQL query so that it returns additional results that were not meant to be shown.
For example, if you are using a shopping application to buy something and you click on a category called “Shoes”, your browser will display a link like the one below;
https://www.shoppingwebsitelink.com/products?category=Shoes
The above link will cause the application to run an SQL query that retrieves the relevant data from the database, in this case the products in the category “Shoes”. The SQL query will look like this;
SELECT * FROM products WHERE category = 'Shoes' AND released = 1
The above SQL query means that the database will return all the details from the table named ‘products’ where the category is ‘Shoes’ and released is 1.
NOTE: Normally, the restriction released=1 or released=0 is used to show or hide a product respectively, for example when the product is not available.
In the above scenario, the application has not implemented any defense mechanism against SQLi attacks. Therefore, an attacker can easily construct a request that changes the SQL query so that all of the ‘Shoes’ products are displayed, including the hidden ones;
https://www.shoppingwebsitelink.com/products?category=Shoes'--
The above request will result in the SQL query below;
SELECT * FROM products WHERE category = 'Shoes'--' AND released = 1
Additionally, it is important to note that the double dash sequence '--' is a comment indicator in SQL. This means that the rest of the SQL query gets interpreted as a comment, which effectively removes the remainder of the query, in this case ‘AND released = 1’. When this happens, all the products in the category get displayed, both the available and the unavailable ones (released = 1 and released = 0).
By doing this, the attacker can display all the products in any category, whether listed or not listed in the shopping application. This can be achieved using a link like the one below;
https://www.shoppingwebsitelink.com/products?category=Shoes'+OR+1=1--
The SQL query will look something like this;
SELECT * FROM products WHERE category = 'Shoes' OR 1=1--' AND released = 1
The above SQL query will display all the products where the category is ‘Shoes’ or 1 is equal to 1. Because 1=1 is always TRUE, the SQL query will return every product item in the shopping application.
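To make the contrast concrete, here is an added example (not code from the original post) using Python's sqlite3 module against a constructed in-memory catalogue: the vulnerable query built by pasting the category into the SQL text, beside the parameterized version a developer should use instead. The table name, column names and sample rows are assumptions.

```python
import sqlite3

# Constructed sample catalogue (not data from the original post):
# one visible and one hidden product in each of two categories.
SAMPLE_PRODUCTS = [
    ("Running shoe", "Shoes", 1),
    ("Hiking boot", "Shoes", 0),      # hidden: released = 0
    ("Rain jacket", "Jackets", 1),
    ("Prototype coat", "Jackets", 0), # hidden: released = 0
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def products_vulnerable(conn, category):
    """The flawed pattern from the post: the category value is pasted into the SQL
    text, so a quote and the -- comment sequence in the input become SQL syntax
    and the trailing AND released = 1 restriction is commented away."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def products_parameterized(conn, category):
    """The fix: a placeholder sends the category as data, never as SQL syntax,
    so the whole input is compared literally against the category column."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("Shoes", "Shoes'--", "Shoes' OR 1=1--"):
        print(repr(value), "vulnerable:    ", products_vulnerable(db, value))
        print(repr(value), "parameterized: ", products_parameterized(db, value))
```

With the parameterized query the two crafted values simply match no category, so the hidden rows stay hidden.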
Next, we will discuss the second example of SQL Injection attack called the UNION Attack.
You can also watch the tutorial on Examples of SQL Injection here.
If you have any questions or comments, do not hesitate to ask us.
Quote: The moon looks upon many night flowers; the night flowers see but one moon. – Jean Ingelow