Introduction
SQL injection involves inserting (injecting) SQL through user-supplied input so that the application's database executes SQL the attacker controls rather than the query the developer intended.
Successful exploitation can result in:
Reading sensitive data from the database.
Modifying database entries through INSERT, UPDATE or DELETE operations.
Executing administrative operations on the database, such as shutting down the DBMS.
SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input (form fields, URL parameters, cookies, headers) in order to change the execution of the application's predefined SQL commands.
Threat Modeling
A SQL injection flaw can let an attacker spoof identity, tamper with existing data, cause repudiation problems such as voiding transactions or changing balances, disclose all data on the system, destroy data or make it otherwise unavailable, and become an administrator of the database server.
- SQL injection is especially common in older PHP and classic ASP code because their database interfaces encourage building queries by string concatenation. J2EE and ASP.NET applications are less likely to have easily exploited injections because their standard interfaces favour prepared statements. The vulnerability is a property of how the query is built, not of the language: any code that concatenates untrusted input into a SQL string is vulnerable.
Description
These attacks occur when:
Data enters a program from an untrusted source.
That data is used to dynamically construct a SQL query.
Confidentiality: SQL databases generally hold sensitive data, so loss of confidentiality is a frequent consequence of a SQL injection vulnerability.
Authentication: if SQL queries are used to check usernames and passwords, an attacker may be able to log in as another user with no prior knowledge of the password.
Authorization: if authorization information is held in a SQL database, an attacker may be able to change it through a successful injection.
Integrity: just as data can be read, it can be altered or deleted through a SQL injection attack.
Example
<?php
// Intentionally vulnerable login check: the query is built by string
// interpolation of raw POST input. Connection details are placeholders.
$conn = mysqli_connect("localhost", "dbuser", "dbpass", "appdb");
$username = $_POST['username'];
$password = $_POST['password'];
// User input lands directly inside the SQL string, quotes and all.
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
    echo "Welcome, $username!";
} else {
    echo "Invalid username or password!";
}
Suppose the attacker enters the following in the username field (MySQL requires a space after the -- comment marker):
' OR '1'='1' --
The SQL query then becomes:
SELECT * FROM users WHERE username='' OR '1'='1' -- ' AND password='$password'
The first quote closes the username literal, '1'='1' is always true, and -- turns the rest of the line, including the password check, into a comment. The WHERE clause is therefore true for every row in the users table, mysqli_num_rows() is greater than zero, and the attacker is logged in without knowing a valid username or password.
Note that the comment marker matters: AND binds more tightly than OR, so the bare payload ' OR '1'='1 in the username field yields username='' OR ('1'='1' AND password='...'), which still requires a correct password. The same bare payload in the password field, however, yields (username='...' AND password='') OR '1'='1', which again matches every row.
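The following runnable example is added here and is not code from the original page. It reproduces the login check above in Python against an in-memory SQLite database (swapped in for the page's PHP and MySQL so that it runs offline), with a constructed two-user table. It shows the vulnerable interpolated query beside its parameterized form, that the comment-terminated payload bypasses the password check, that the bare payload in the username field does not because AND binds tighter than OR, and that the same bare payload in the password field does.

```python
import sqlite3

# Constructed sample data, not from the original page. Passwords are kept in
# plaintext only to mirror the page's simplified schema.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Mirrors the page's PHP: the query is built by string interpolation,
    so a quote in the input changes the structure of the query itself."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders keep the input as data. The equivalent in
    the page's PHP is mysqli_prepare() plus mysqli_stmt_bind_param()."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def run_demo() -> dict:
    """Run the legitimate login and each payload against both query styles.
    Returns the matched usernames for every case."""
    conn = make_db()
    results = {
        # Normal use: one matching row.
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        # The comment marker discards the password check: every row matches.
        "bypass_comment": login_vulnerable(conn, "' OR '1'='1' -- ", "wrong"),
        # No comment marker: AND binds tighter than OR, so the password is
        # still required and nothing matches.
        "no_bypass_precedence": login_vulnerable(conn, "' OR '1'='1", "wrong"),
        # Same bare payload in the password field: OR becomes the top-level
        # operator and every row matches.
        "bypass_password_field": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        # Parameterized queries treat the payloads as literal strings.
        "safe_comment": login_safe(conn, "' OR '1'='1' -- ", "wrong"),
        "safe_password_field": login_safe(conn, "nobody", "' OR '1'='1"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, matched in run_demo().items():
        print(f"{case:24s} -> {matched}")
```

Only the two vulnerable cases that change the query's boolean structure return both users; the parameterized version returns nothing for any payload. In a real application the password should also never be compared inside SQL: fetch the stored hash for the username and check it with password_verify() (PHP) or an equivalent, so that even a successful injection cannot skip the credential check.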