SQL Injection: A Guide for Beginner WordPress Users
SQL (Structured Query Language) is a language that allows us to interact with databases. Modern web applications use databases to manage data and display dynamic content to readers.
SQL injection, or SQLi, is an attack on a web application that compromises its database using malicious SQL statements.
Since this is a common attack, let’s try to learn more about what it is, how it happens, and how to defend against it.
Curious? Let’s dive in!
What is SQL Injection?
SQL injection, or SQLi, is a type of web application attack in which an attacker inserts malicious SQL statements into the web application, potentially gaining access to, or destroying, sensitive data in the database. It was first discovered by Jeff Forristal in 1998.
In the two decades since its discovery, SQL injection has consistently been the top priority for web developers when designing applications.
Barclaycard estimated in 2012 that 97% of data breaches start with a SQL injection attack. SQL injection is common even today and the seriousness of injection attacks on a web application is widely recognized. It is one of OWASP’s top ten most critical web application security risks.
How does the SQL injection vulnerability work?
A SQL injection vulnerability gives an attacker complete access to your application’s database through the use of malicious SQL statements.
In this section, we share an example of what a vulnerable application looks like.
Imagine the workflow of a typical web application that makes database requests based on user input. The input arrives through a form, for example a login form. The database is then queried for the fields the user submitted in order to authenticate them. The structure of the database query is something like this:
For simplicity, let’s assume you’re storing your passwords as clear text. However, it is good practice to encrypt your passwords and then hash them. Once you have received the username and password from the form, you can define the query in PHP as follows:
What does this query do?
A comment in SQL begins with a double hyphen (--), and everything after it is ignored. The resulting query therefore filters only on the username, without regard to the password. If there were no security to prevent it, this trick alone would grant you administrative access to the web application.
Alternatively, a boolean attack can also be used in this example to gain access. If an attacker enters password' or 1=1;--' in the password field, the resulting query would look like this:
Exploits of a Mom, a popular XKCD comic strip, shows a mother’s conversation with her son’s school, where she is asked whether she really named her son Robert'); DROP TABLE Students;--.
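The login query the text describes, built two ways, as an added example that is not code from the original article. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs without MySQL; the table, its rows, the test inputs and the function names (setupDb, loginVulnerable, loginPrepared) are all constructed for the demonstration. The vulnerable version pastes the form fields into the SQL string; the hardened version binds them as parameters in a prepared statement.

```php
<?php
// Added example, not code from the original article. Builds the login query
// from the text two ways against an in-memory SQLite database via PDO.
// Table, rows, inputs and function names are constructed for this demo.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Clear-text passwords only to mirror the article's simplification; real
    // code stores password_hash() output and checks it with password_verify().
    $db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('alice', 'hunter2')");
    return $db;
}

// Vulnerable: form fields are concatenated into the SQL string, so a quote
// or comment marker typed by the user changes the structure of the query.
function loginVulnerable(PDO $db, string $user, string $pass): int {
    $sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened: the query text is fixed and the fields are bound as parameters,
// so whatever the user types is compared as a value and never parsed as SQL.
function loginPrepared(PDO $db, string $user, string $pass): int {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = setupDb();
$cases = [
    'valid credentials'         => ['admin', 's3cret'],
    'comment trick in username' => ["admin'--", 'anything'],
    'boolean trick in password' => ['admin', "password' or 1=1;--'"],
];
foreach ($cases as $label => [$user, $pass]) {
    printf("%-26s vulnerable: %d row(s)   prepared: %d row(s)\n",
        $label, loginVulnerable($db, $user, $pass), loginPrepared($db, $user, $pass));
}
```

Run it with the PHP CLI: the concatenated query matches rows the user never authenticated as, while the prepared query matches only the genuine login. In WordPress the same idea is `$wpdb->prepare()` with `%s` and `%d` placeholders before `$wpdb->get_results()`, rather than string interpolation.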
Types of SQL Injection
Now that you know the basics of a SQL injection vulnerability, let’s explore the different types of SQL injection attacks and the reason for each.
In-band SQL injection
In-band SQL injection is the simplest form of SQL injection. Here the attacker uses the same channel both to insert the malicious SQL code into the application and to collect the results. We will discuss two forms of in-band SQL injection attacks:
Error-based SQL injection
An attacker uses an error-based SQL injection technique during the initial phases of an attack. The idea is to learn more about the database structure and the table names the web application uses. For example, an error message might contain the name of the table used in the query and the names of its columns. This information can then be used to craft further attacks.
Union-based SQL injection
In this method, an attacker uses the SQL UNION operator to append the contents of a different table to the results of the legitimate query. For example, on a search page, the attacker can make rows from another table appear among the search results.
Inferential SQL Injection (Blind SQL Injection)
Even if an attacker provokes an error in the SQL query, the query’s response may not be returned directly to the web page. In such a case, the attacker has to investigate further.
In this form of SQL injection, the attacker sends multiple queries to the database and observes how the application responds to each of them. Inferential SQL injection is also known as blind SQL injection. We will now look at two types of inferential SQL injection: boolean SQL injection and time-based SQL injection.
If an SQL query results in an error that has not been handled internally in the application, the resulting web page may throw an error, load a blank page, or load partially. In a boolean SQL injection, an attacker assesses which parts of a user’s input are vulnerable to SQL injection by trying two different versions of a boolean clause across the input:
- “…and 1=1”
- “…and 1=2”
If the application works normally in the first case but fails in the second, it indicates that the application is vulnerable to a SQL injection attack.
Time-based attack
A time-based SQL injection attack can also help an attacker determine whether a web application is vulnerable. The attacker uses a predefined time-delay function of the database management system behind the application. In MySQL, for example, the SLEEP() function tells the database to pause for a given number of seconds.
SELECT * FROM comments WHERE post_id=1-SLEEP(15);
If such a query produces a delay, the attacker knows the application is vulnerable.
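The boolean and time-based probes described above leave a recognisable trace in the web server’s access log. The following scanner, an added example that is not part of the original article, URL-decodes each request and flags the patterns the text discusses (and/or 1=1, and/or 1=2, SLEEP(), UNION SELECT), grouping hits by client so a 1=1 / 1=2 pair from one source stands out. The log lines, the RFC 5737 test addresses in them, and the function names (parseLogLine, matchProbes, scanAccessLog) are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article: scans access-log lines
// for the boolean and time-based SQL injection probes described in the text.
// All log lines below are constructed; the addresses are RFC 5737 test ranges.

const PROBE_PATTERNS = [
    'boolean tautology (and/or 1=1)'     => '/\b(?:and|or)\s+1\s*=\s*1\b/i',
    'boolean contradiction (and/or 1=2)' => '/\b(?:and|or)\s+1\s*=\s*2\b/i',
    'time-based delay (SLEEP)'           => '/\bsleep\s*\(\s*\d+\s*\)/i',
    'union-based data extraction'        => '/\bunion\s+(?:all\s+)?select\b/i',
];

/** Extract client IP, request target and status from a combined-format line. */
function parseLogLine(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'target' => $m[2], 'status' => (int)$m[3]];
}

/** Return the labels of every probe pattern found in a URL-decoded target. */
function matchProbes(string $target): array {
    // Decode twice so a double-encoded payload (%2520 for a space) is still seen.
    $decoded = urldecode(urldecode($target));
    $hits = [];
    foreach (PROBE_PATTERNS as $label => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Count probe hits per client address across a list of log lines. */
function scanAccessLog(array $lines): array {
    $report = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        foreach (matchProbes($entry['target']) as $label) {
            $report[$entry['ip']][$label] = ($report[$entry['ip']][$label] ?? 0) + 1;
        }
    }
    return $report;
}

// Constructed sample log: one client runs the 1=1 / 1=2 pair and a SLEEP probe,
// another tries a UNION SELECT in the search box, a third is ordinary traffic.
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?p=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?p=1%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /?p=1%20and%201=2 HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /?p=1-SLEEP(15) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /?s=shoes%27+union+select+1%2C2%2C3-- HTTP/1.1" 200 8192',
    '198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
];

foreach (scanAccessLog($sampleLog) as $ip => $labels) {
    echo "$ip:\n";
    foreach ($labels as $label => $count) {
        echo "  $label x$count\n";
    }
}
```

The patterns are deliberately narrow, so treat a hit as a reason to look at the request, not as proof of a successful attack; POST bodies are not in the access log, so this only covers probes carried in the URL.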
Out-of-band SQL injection
If an attacker cannot retrieve the results of a SQL injection through the same channel, out-of-band SQL injection techniques can be used as an alternative to inferential SQL injection techniques.
Typically, these techniques involve sending database data to a malicious location of the attacker’s choosing. This process is also highly dependent on the capabilities of the database management system.
An out-of-band SQL injection attack uses the external file-handling capabilities of your DBMS. In MySQL, the LOAD_FILE() function and the INTO OUTFILE clause can be used to make MySQL read data from, or write data to, a location outside the database. The following shows how an attacker can use OUTFILE to send the results of a query to an external source: