We worked with SQL nowadays, and we used some SQL Injections in the web browser and in Burp Suit, but what is an SQL Injection by the way? Let’s make a step back and look at the databases and SQL a bit!
SQL stands for Structured Query Language. It is a language for working with information in databases.
SQL became a standard of the American National Standards Institute (ANSI) in 1986, and of the International Organization for Standardization (ISO) in 1987.
Tables
The data in relational databases is stored in database objects called tables. A table is a collection of related data entries, and it consists of columns and rows.
Let’s use a simple Users table as an example. Our table contains 4 columns (ID, email, password, permissions) and 3 rows (the three registered users).
| ID | password | permissions | |
| 1 | user1@email.com | 482c811da5d5b4bc6d497ffa98491e38 | admin |
| 2 | user2@email.com | 482c811da5d5b4bc6d497ffa98491e38 | user |
| 3 | user3@email.com | 21232f297a57a5a743894a0e4a801fc3 | user |
Fields
The smaller entities in a table, like the password of user3@email.com is called a field. Another field is the permission of user1@email.com.
Queries and statements
When we want to access data in our database we have to write a query in SQL syntax. Let’s see a basic SQL statement! The statement consists of SQL keywords.
SELECT * FROM Users;SELECT is the most basic SQL statement to query data from a database table. The returned data is stored in a result table, called the result-set.
The * in the query is a wild-card for the columns. In this example we selected all columns in the table. We could easily use the column names here separated by a colon, like:
SELECT ID, email, password, permissions FROM Users;The two queries are exactly the same considering their result-set.
The FROM keyword is followed by the table name. It commands the database engine to query the mentioned table.
Web forms
When we use different forms in a web application that communicates with databases, then similar queries will run in the background. It queries databases, look up database tables and fields in them. A search box, a guestbook or a login form have their similarities.
In reality there are more complex SQL queries of course! Adding the WHERE keyword followed by a condition we can easily filter our result-set. Staying with the user login example, if we want to challenge users for a valid email and password in a web application, then we have to create these two text fields for them. Users type their data in them, and an SQL query will run in the background where the database engine compares the provided data with the fields in the table.
SELECT email, password FROM Users WHERE email = 'user1@mail.me' AND password = 'passwd';The above SQL query is similar to those behind web application login forms.
SQL Injection?
SQL Injection (or SQLi) is when we can manipulate the original SQL query in some way, mostly to type malicious code in a web form. There are multiple types of SQLi.
SQL Injection is one of the most common web vulnerability, though it is relatively easy to defend against this attack.
You may ask how to trick a web form to accept and let us run our own SQL statements on a website? The answer is in the SQL syntax.
Injection… here comes!
With querying the the email and password the SQL statement will evaluate to true or false. If one of the provided information isn’t right then the statement will return false. If we provided the right password and email, then the SQL returns true, and we will be logged in the application.
Hacking the SQL statement means that we trick the database engine with an always true value. The OR operator in SQL will be in our help. The OR operator will return a true value if one side of the OR is true. Do you catch that?
| ‘A’ = ‘B’ OR 1 = 1 | TRUE |
| 1 = 1 OR ‘cat’ = ‘dog’ | TRUE |
| ‘A’ = ‘A’ AND 1 = 1 | TRUE |
| ‘A’ = ‘B’ AND 1 = 1 | FALSE |
A string in SQL looks like “user1@mail.me” or ‘user1@mail.me’ in single or double quotes. We can type text into the web application form and the app adds the quotes in the background.
What if we can type quotes in the text field?
At this point let’s go back to our Juice Shop application and analyze the queries from the login field. If we don’t know the username and password but we type fake data we just trigger a simple warning that is not too useful.
Invalid email or password.Well, we knew that already. How can we trigger a more informative warning? Let’s use a single quote in the email field!
We got an HTTP/1.1 500 Internal Server Error and the response shows us the SQL statement that was problematic.
"SELECT * FROM Users WHERE email = ''' AND password = '8fe4c11451281c094a6578e6ddbf5eed' AND deletedAt IS NULL"We broke out of the string at the email part! Our query is the following (without the additional, faulty part):
"SELECT * FROM Users WHERE email = '"Let’s try to edit the query adding the OR part of our query with and always true expression! Unfortunately at the first try we will run into a syntax error:
"SELECT * FROM Users WHERE email = 'abc' OR 1==1' AND password = '8fe4c11451281c094a6578e6ddbf5eed' AND deletedAt IS NULL"We can clearly see that problem is located after the 1==1′ part because the statement continues there.
Luckily we can use a double dash to comment the rest of the statement.
A comment is data that will not be processed by the database engine. Let’s extend our query in the email field!
abc' OR 1==1-- Voila! Our SQL query that was successful is the following:
"SELECT * FROM Users WHERE email = 'abc' OR 1==1-- ' AND password = '8fe4c11451281c094a6578e6ddbf5eed' AND deletedAt IS NULL"So, why does it work? The most fundamental problem was that the web application form accepted valid SQL statements without sanitizing the input.
Breaking out of a string allowed us some place to inject our own SQL statements.
In this example our statement was that either the email is abc or 1 equals to 1. Obviously one side of the OR was always true.
This is why the web application logged in us as the first user in the user database.
There are more types of SQL Injection attacks that can be performed on different inputs of a web application. In some cases we can dump data from the tables and change fields as well.
If you have anything to share then please visit my Tom’s IT Cafe Discord Server!
References
- SQL tutorial on the W3Schools.com
- PostgreSQL
- MariaDB
- SQLite
Tom's IT Cafe 
Good content! Keep it up!
LikeLiked by 1 person
Thank you! 😊
LikeLike