Is Presentation Sqli

The document provides an overview of SQL Injection (SQLi), a web security vulnerability that allows attackers to manipulate SQL queries through user input. It details various types of SQLi, including In-Band, Blind, and Out-of-Band attacks, and discusses the consequences of such vulnerabilities, as well as solutions for mitigation such as using prepared statements and sanitizing user input. Additionally, it presents examples of vulnerable and secure code to illustrate the importance of proper coding practices to prevent SQLi attacks.

Uploaded by aliakbar786409

Information Security

SQL INJECTION

Group Members: Ali Ayaz, Ali Akbar, Abdur Rehman
Presentation Contents
• What is SQL Injection?
• Types of SQLi
   • In-Band: Error Based, Union Based
   • Blind SQLi: Boolean SQLi, Time Based SQLi
   • Out-of-Band
• Problem Statement
• Solution / Mitigation
• Vulnerable Code
• Secure Code
What is SQL Injection?
• A SQL injection (SQLi) is a web security vulnerability that consists of the
insertion or "injection" of a SQL query via the input data sent from the client to
the application. A successful SQL injection exploit can read sensitive data
from the database, modify database data (Insert/Update/Delete), or execute
administration operations on the database (such as shutting down the DBMS).
• Example request: https://insecure-website.com/products?category=Gifts
• Query built by the application: SELECT * FROM products WHERE category = 'Gifts' AND released = 1
• Example injected value: ' or '1'='1'; --
SQL Injection

Types of SQL Injection:
1. In-Band
   • Error Based
   • Union Based
2. Blind
   • Boolean Based
   • Time Based
3. Out-of-Band
Error Based
Error-based SQL injection is a type of SQL injection attack where the attacker
exploits error messages generated by the database server to gather
information about the structure of the database or to extract data.
SQLi output example: Syntax error in SQL query near ''' at line 1
Union Based
• When an application is vulnerable to SQL injection, and the results of the query
are returned within the application's responses, you can use the UNION keyword
to retrieve data from other tables within the database. This is commonly known as
a SQL injection UNION attack.
• The UNION keyword enables you to execute one or more
additional SELECT queries and append the results to the original query.
• Query: SELECT name, price FROM products WHERE id = '' UNION SELECT
username, password FROM users; -- '
• The UNION SELECT username, password FROM users part of the injected query
adds the results of another query to the original query's result set. In this case, it
attempts to retrieve usernames and passwords from the users table.
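The two injected values shown so far (the tautology ' or '1'='1 and the UNION SELECT on the users table) can be run side by side against the slides' products query. The block below is an added example and not code from the presentation: it uses Python's sqlite3 module with a constructed, in-memory products/users schema in place of the MySQL database the slides assume, and the UNION payload is written without the trailing semicolon because sqlite3's execute() accepts one statement at a time. The same category value is passed once to a string-built query and once to a parameterized one.

```python
import sqlite3

# Constructed sample schema mirroring the slides' products/users tables
# (the rows are invented for this example).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Mug', 9.99, 'Gifts', 1);
        INSERT INTO products VALUES (2, 'Unreleased Gadget', 199.0, 'Gifts', 0);
        INSERT INTO products VALUES (3, 'Lamp', 25.0, 'Home', 1);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn

def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    # The category value is pasted into the SQL text, exactly like the
    # slides' PHP string concatenation, so everything in it is parsed as SQL.
    sql = f"SELECT name, price FROM products WHERE category = '{category}' AND released = 1"
    return conn.execute(sql).fetchall()

def products_secure(conn: sqlite3.Connection, category: str) -> list:
    # A bound parameter: the driver sends the value separately from the SQL,
    # so a quote or a UNION keyword inside it is just part of the category string.
    sql = "SELECT name, price FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()

# The slides' payloads, used as the value of the category parameter.
TAUTOLOGY = "Gifts' OR '1'='1"
UNION = "Gifts' UNION SELECT username, password FROM users -- "

def demo() -> dict:
    conn = make_db()
    return {
        "normal": products_vulnerable(conn, "Gifts"),
        # AND binds tighter than OR, so the released = 1 filter is bypassed
        "tautology_vulnerable": products_vulnerable(conn, TAUTOLOGY),
        # the second SELECT appends user rows to the product listing
        "union_vulnerable": products_vulnerable(conn, UNION),
        # no category is literally named "Gifts' OR '1'='1", so nothing matches
        "tautology_secure": products_secure(conn, TAUTOLOGY),
        "union_secure": products_secure(conn, UNION),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the string-built query the tautology returns every product, released or not, and the UNION payload returns the admin credentials alongside the products; the parameterized query returns no rows for either value because the whole string is compared against the category column.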
Blind SQLi
• In this kind of attack there is no actual transfer of data, but the tester is
able to reconstruct the information by sending particular requests and
observing the resulting behavior of the DB Server.
This attack is of two types:
• Boolean Based
• Time Based
Boolean Based
• Boolean-based SQL injection is a technique where an attacker
manipulates the application’s behavior by sending SQL queries
that result in different outcomes based on whether the condition provided
is true or false. This type of injection relies on the application’s response to
infer information about the database.
• Query: SELECT * FROM users WHERE username = 'admin' AND
password = 'password' AND 1=1;
• If the application behaves differently (e.g., displays a different message or
redirects to a different page) when the condition 1=1 is true compared to
when it's false, the attacker can infer that the injected condition is
evaluated by the application.
Time Based
• Time-based SQL injection is a type of SQL injection attack that relies on
inducing a delay in the application’s response to infer information about
the database. Unlike error-based or boolean-based techniques, time-based
attacks exploit the delay caused by certain SQL queries, typically by using
functions that cause the database server to pause for a specified amount
of time.
• Payload: ‘”0”XOR(if(now()=sysdate()%2Csleep(6)%20C0))XOR”Z”
• Base64: 4oCY4oCdMOKAnVhPUihpZihub3coKT1zeXNkYXRlKCklMkNzbGVlcCg2KSUyMEMwKSlY4oCdT1LigJ1a4oCdIA==

Problem Statement
• When a web application fails to properly validate or sanitize user inputs,
attackers can inject malicious SQL code. For instance, if a login form directly
integrates user input into an SQL query without validation, it can result in:
1. Access to sensitive data.
2. Unauthorized actions like account takeover.
3. Complete database corruption or destruction.
Solution / Mitigation
To mitigate SQL Injection vulnerabilities, it’s essential to:
• Use Prepared Statements: Parameterized queries prevent malicious input
from altering SQL commands.
• Sanitize User Input: Validate and sanitize inputs to accept only expected
values.
• Implement Least Privilege: Database accounts should have minimal
permissions.
• Web Application Firewall (WAF): Use WAFs to detect and block SQLi
attempts.
e.g. the user id in https://www.aliayaz.com/profile?user=445 or
https://www.aliayaz.com/profile/user/445 should be validated to accept only expected values.
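Three of the mitigations above can be shown in a few lines each. The block below is an added example, not part of the presentation: it validates the numeric user id from the profile URL with an allow-list, stands in for a least-privilege database account with SQLite's PRAGMA query_only (SQLite has no user accounts; on MySQL this would be an account granted SELECT only instead of the root account used on the slides), and runs WAF-style signatures for the three payload shapes on the slides over constructed access-log lines.

```python
import re
import sqlite3
import urllib.parse

# --- 1. Sanitize user input: allow-list a numeric user id -------------------
# The profile URL carries ?user=445, so the only acceptable value is a short
# run of digits. Anything else is rejected before any SQL is built, instead
# of trying to strip "bad" characters out of it.
USER_ID = re.compile(r"[0-9]{1,10}")

def validate_user_id(raw: str):
    """Return the id as an int, or None when the value is not a plain integer."""
    if USER_ID.fullmatch(raw) is None:
        return None
    return int(raw)

# --- 2. Least privilege: a connection that can only read -------------------
# PRAGMA query_only makes every write fail, so an injected DELETE is refused
# even if the query it rides on is exploitable.
def read_only_connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO users VALUES (445, 'ali')")  # constructed row
    conn.execute("PRAGMA query_only = 1")
    return conn

def attempt_delete(conn: sqlite3.Connection) -> str:
    try:
        conn.execute("DELETE FROM users")
        return "write succeeded"
    except sqlite3.OperationalError as exc:
        return f"write blocked: {exc}"

# --- 3. WAF-style detection: flag SQLi tokens in request lines -------------
# Patterns for the tautology, UNION and sleep() payloads shown on the slides.
# Real WAF rule sets are far larger; these are an illustration only.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "union": re.compile(r"\bunion\s+select\b", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
}

# Constructed access-log lines; only the first is a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile?user=445 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /products?category=Gifts%27+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /login?username=admin&password=%27+OR+%271%27%3D%271 HTTP/1.1" 200 311',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /products?category=Gifts%27+AND+sleep(6)-- HTTP/1.1" 200 40',
]

def flag_requests(log_lines) -> list:
    """Return (line_index, signature_name) for every line that matches a signature."""
    hits = []
    for i, line in enumerate(log_lines):
        decoded = urllib.parse.unquote_plus(line)  # match on the decoded URL, not the raw bytes
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((i, name))
    return hits

if __name__ == "__main__":
    print(validate_user_id("445"), validate_user_id("445 OR 1=1"))
    print(attempt_delete(read_only_connection()))
    print(flag_requests(SAMPLE_LOG))
```

The signature check decodes the request line first, since payloads arrive URL-encoded (%27 for the quote, + for spaces); matching on the raw line would miss all three attack requests.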

Vulnerable Code

<?php
// Database connection
$conn = mysqli_connect("localhost", "root", "your_password", "example_db");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// User input (from form or query parameters)
$username = $_GET['username'];
$password = $_GET['password'];

// Vulnerable query construction: the raw input is interpolated into the SQL text
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);

if (mysqli_num_rows($result) > 0) {
    echo "Login successful!";
} else {
    echo "Invalid credentials.";
}

mysqli_close($conn);
?>

Vulnerability
If the attacker provides the following input:
• username: admin
• password: ' OR '1'='1

The resulting query will be:
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';

Secure Code

<?php
// Database connection
$conn = mysqli_connect("localhost", "root", "your_password", "example_db");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// User input (from form or query parameters)
$username = $_GET['username'];
$password = $_GET['password'];

// Secure query using prepared statements: the ? placeholders are bound to
// the input values, which are sent to the server separately from the SQL text
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

if (mysqli_num_rows($result) > 0) {
    echo "Login successful!";
} else {
    echo "Invalid credentials.";
}

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>

If the attacker provides the same input:
• username: admin
• password: ' OR '1'='1
the values are bound as parameters and cannot alter the structure of the query.

Secure Code: Why It's Secure
• Bound Parameters: The ? placeholders ensure that user inputs are treated as data, not executable
SQL code.
• Automatic Escaping: Special characters in user inputs are automatically escaped.
• Prevention of Query Manipulation: User inputs cannot alter the structure of the SQL query.
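The login example on the Vulnerable Code and Secure Code slides can be reproduced end to end. The block below is an added example, not the presentation's own code: it uses Python's sqlite3 module with a constructed in-memory users table instead of PHP and MySQL, and sqlite3's ? placeholders play the role of the ? placeholders in mysqli_prepare. It builds the exact query string the slides show for the input admin / ' OR '1'='1 (without the trailing semicolon, since the PHP template has none), runs it, runs the same input through a prepared statement, and also shows what happens to a username containing a quote, which is the situation the Error Based slide describes.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed rows. The slides compare plaintext passwords; that is mirrored
    # here only so the two query styles can be compared directly.
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret-pass')")
    # A second user whose name contains a quote, inserted with a bound parameter
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "pw"))
    conn.commit()
    return conn

def build_vulnerable_query(username: str, password: str) -> str:
    # Same interpolation as the slides' PHP: the inputs become SQL text.
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Returns True/False, or the database error text when the pasted input
    # breaks the SQL syntax (error-based behaviour).
    try:
        rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return len(rows) > 0

def login_secure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the SQL structure is fixed, the inputs are only data.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return len(rows) > 0

INJECTED_PASSWORD = "' OR '1'='1"   # the input from the slides

def demo() -> dict:
    conn = make_db()
    return {
        "query_text": build_vulnerable_query("admin", INJECTED_PASSWORD),
        "vulnerable_with_injection": login_vulnerable(conn, "admin", INJECTED_PASSWORD),
        "secure_with_injection": login_secure(conn, "admin", INJECTED_PASSWORD),
        "secure_with_real_password": login_secure(conn, "admin", "S3cret-pass"),
        "secure_with_wrong_password": login_secure(conn, "admin", "guess"),
        # a legitimate quote in the data: syntax error vs. an exact match
        "vulnerable_with_quote_in_name": login_vulnerable(conn, "o'brien", "pw"),
        "secure_with_quote_in_name": login_secure(conn, "o'brien", "pw"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The string-built query logs the attacker in because the OR '1'='1' clause makes the WHERE condition true for every row, and it fails outright for a legitimate name containing a quote; the prepared statement treats both values as plain strings, so the injected password does not match, the real password does, and o'brien can log in normally.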
Any Question?
Thank You
