SQL INJECTION (SQLI)

SQLi are attacks against relational database management systems (RDBMS) such as MySQL. NoSQLi attacks are those against non RDBMS such as MongoDB. SQLi attacks occurs when a malicious user attempts to pass input that changes the final SQL query sent by the web application to the database, enabling the user to perform other unintended SQL queries directly against the database.

SQLi process starts by injecting code outside the expected user input limits, so it does not get executed as simple user input. this is done through the injection of a single quote (') or a double quote (") to escape the limits or bounds of the user input and inject data directly into the SQL query. afterward, make up a working query that executes both the intended and the new SQL queries using stacked queries or using Union queries. lastly, interpret the new query's output or capture it on the web application's front end.

To make SQLi work, ensure that the newly modified SQL query is still valid and does not have any syntax errors after our injection. this is accomplished by using comments or passing in multiple single quotes.

SQLI TYPES

IN-BAND

this type of SQLi the output of both the intended and the new query may be printed directly on the front end, and can be directly read

• UNION-BASED SQLI: requires specifying the exact location, 'i.e., column', which we can read, so the query will direct the output to be printed there

• ERROR-BASED SQLI: this is used when we can get the PHP or SQL errors in the front-end, and so we may intentionally cause an SQL error that returns the output of our query.

BLIND

this type doesn't provide visual output, so threat actors utilize SQL logic to retrieve the output character by character

• BOOLEAN-BASED SQLI: uses SQL conditional statements to control whether the page returns any output, 'i.e., original query response,' if the conditional statement returns true

• TIME-BASED SQLI: uses SQL conditional statements that delay the page response if the conditional statement returns true using the sleep() function

OUT-OF-BAND

this type directs the output to a remote location, 'i.e., DNS record,' and then attempt to retrieve it from there as there is no direct access to the output

MITIGATION

INPUT SANITIZATION

• sanitizing any user input will render injections useless.

• use functions that escape characters sch as ' and ", so they don't hold any special meaning.

  • mysqli_real_escape_string() is for MySQL

  • pg_escape_string() is for PostgreSQL

• use parameterized queries. Parameterized queries contain placeholders for the input data, which is then escaped and passed on by the drivers. Instead of directly passing the data into the SQL query, we use placeholders and then fill them with PHP functions.

  • the mysqli_stmt_bind_param() function will safely escape any quotes and place the values in the query.

INPUT VALIDATION

• ensure user input data matches the expected form input

  • e.g., when taking an email as input, validate that the input is in the form of [email protected], etc.

  • the preg_match() function checks if the input matches the given pattern or not

LIMITED PERMISSIONS

• ensure users querying the database only has minimum permissions.

  • Superusers and users with administrative privileges should never be used with web applications. These accounts have access to functions and features, which could lead to server compromise.

UTILIZE SECURITY TOOLS

• Web Application Firewalls (WAF) are used to detect malicious input and reject any HTTP requests containing them. This helps in preventing SQL Injection even when the application logic is flawed. WAFs can be open-source (ModSecurity) or premium (Cloudflare). Most of them have default rules configured based on common web attacks

  • e.g., any request containing the string INFORMATION_SCHEMA would be rejected, as it's commonly used while exploiting SQL injection.