SQLMAP: Sql Injection Techniques

SQL Injection

We talked a bit about SQL Injection in the OWASP Injection section. Here we will explore SQL injection further before diving into SQLMAP.

SQL Injection is an injection flaw where user input can alter the SQL query being constructed and executed by the application.

Below are a few of the most useful SQL Injection types:

SQL Injection Types

  1. Error Based Injection

    Error Based Injection forces the database to generate an error, giving the attacker or tester information with which to refine their injection.

    This method only works when the web app doesn't handle errors properly and displays them on screen to the user.

    Example:

    ' || cast('-' || current_database() as numeric) || '

    Here we try to cast a string as numeric, which of course throws an error, but the evaluated string containing the current database name becomes part of the error message, giving the attacker information about the database.

  2. Time Delay

    This method is a type of 'blind' injection. A blind injection is the opposite of error based injection: the user does not see the database's information or errors on the front end.

    This query is especially useful for determining whether the application is injectable.

    In this injection type, we use database commands (e.g. sleep) to delay the answers to conditional queries.

    Example:

    SELECT IF(version()=5.3, sleep(5), 'false');

    As shown in the example above, an attacker can send a series of true/false statements, with the sleep function running in either the true or the false case, to gain information.

    The attacker has to keep trying continuously with new values in this technique, which is why automation tools like SQLMAP are very useful here.

  3. Stacked Queries

    This is one of the easiest yet most powerful injection techniques.

    Stacked queries (also known as batch queries) are the ability to modify data and call stored procedures by terminating the original query and adding a new one.

    Example:

    '; select pg_sleep(3) --

    This is very powerful since the attacker is not restricted by the original query's rows and conditions.

  4. Boolean Based Injection

    Boolean based injection is also a type of blind injection.

    In this method, an attacker uses Boolean condition(s) to verify whether certain conditions are true or false.

    Example:

    1. ' or (username='perl' and length(passwd)=N) --
    2. ' or (username='perl' and ASCII(substring(passwd,1,1))=112) --

    In this example, we are trying to get the password for the user 'perl'. First, we try to guess the length of the password. We keep trying until it's correct, at which point we will be able to get into the application.

    Once we know the password length, we go through each substring of size 1 and try to match it with a character. Again, this is a tedious procedure, which is why we use tools like SQLMAP.

  5. Union Based

    Union based injection can be used when the SQL injection flaw occurs in a SELECT statement, making it possible to combine two queries into a single result set.

    Example:

    select id, firstname, lastname from ... union (select id, (select 'Current Schema: ' || current_schema() || ' Current Database: ' || current_database() || ' Current DB User: ' || current_user), lastname from account) --

    Here, if we know that the select statement returns 3 columns (easy to find out if errors are enabled) and the application echoes one of the fields back to the user, we can take advantage of that and use a subselect to pull more information out of the database.

  6. Command Injection

    Modern databases give database users a way to define their own functions, called UDFs (User Defined Functions). If the users have functions like sys_eval (which is common amongst UDF libraries) and the app is injectable, attackers can gain access to the shell.

    Example:

    select id, firstname, lastname from ... UNION (select '1', (select sys_eval('cat /etc/passwd')), '1' from account)--

    This is an example of code injection leading to command injection.
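The boolean based probes from section 4 above, run against a tiny SQLite login form as an added example (not code from the original page): the concatenated query answers the true/false questions, while the same probes against the parameterised query reveal nothing. The users table, the account 'perl'/'passw0rd' and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the original page): one account whose
# password starts with 'p' (ASCII 112), matching the page's second payload.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users (username, passwd) VALUES ('perl', 'passw0rd')")
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL text.
    sql = f"SELECT id FROM users WHERE username='{username}' AND passwd='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: input is bound as data and never parsed as SQL.
    sql = "SELECT id FROM users WHERE username=? AND passwd=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def probe(login, conn, condition):
    # The boolean oracle from the page: a true condition logs us in, a false one does not.
    payload = f"' or (username='perl' and {condition}) --"
    try:
        return login(conn, payload, "x")
    except sqlite3.Error:
        return False

def recover_length(login, conn, max_len=32):
    # Page payload 1: ' or (username='perl' and length(passwd)=N) --
    for n in range(1, max_len + 1):
        if probe(login, conn, f"length(passwd)={n}"):
            return n
    return None

def recover_first_char(login, conn):
    # Page payload 2, adapted to SQLite: unicode(substr(...)) replaces ASCII(substring(...)).
    for code in range(32, 127):
        if probe(login, conn, f"unicode(substr(passwd,1,1))={code}"):
            return chr(code)
    return None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", recover_length(login_vulnerable, db), recover_first_char(login_vulnerable, db))
    print("parameterised:", recover_length(login_safe, db), recover_first_char(login_safe, db))
```

Against the concatenated query the probes return 8 and 'p'; against the parameterised query every probe is just a username that does not exist, so both return None.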
