SQL Injection is a common type of Injection in which the attacker sends SQL commands to a software application or site interface to target a Database Server that may be serving the software or service being hacked.
SQL Injection attacks are particularly dangerous because they can allow attackers to gain unauthorized access to a database, retrieve, modify, or delete data, and even potentially compromise the entire server. This type of attack takes advantage of improper coding of web applications that do not adequately validate user inputs. Attackers exploit this vulnerability by inserting or “injecting” SQL commands into input fields, such as login forms, that are then executed by the database server.
The severity of SQL Injection attacks stems from the fact that they can be used to manipulate database commands, giving attackers the ability to bypass authentication, access sensitive data, and perform administrative operations on the database. In some cases, attackers can use SQL Injection to gain a persistent backdoor into an organization’s systems, posing a long-term threat to data security.
SQL Injection Causes & Demonstration
The main cause of SQL injection vulnerabilities is the lack of strict validation when data is passed from the frontend to the backend during data interactions. This allows the input data to be concatenated into the SQL statement and executed as part of the SQL query. As a result, the database can be compromised, leading to data leakage, deletion, or even total server access compromise.
The Pikachu training environment’s SQL-Inject module can demonstrate this vulnerability. When a username registered in the system is entered into the input field of the following application, the system will return the corresponding UID and email.
The PHP code for this service is as follows: The backend code does not perform any filtering on the name parameter passed from the front end. It directly concatenates it into the database query statement as follows:
"select id, email from member where username='$name'"
This results in an SQL injection vulnerability. Attackers can inject malicious SQL statements through the name parameter to retrieve data beyond what the service is intended to provide, thereby compromising the system’s confidentiality
if (isset($_GET['submit']) && $_GET['name'] != null) {
// No processing is done here, directly concatenated into the select statement
$name = $_GET['name'];
// This variable is of string type, so escaping needs to be considered.
$query = "select id, email from member where username='$name'";
$result = execute($link, $query);
if (mysqli_num_rows($result) >= 1) {
while ($data = mysqli_fetch_assoc($result)) {
$id = $data['id'];
$email = $data['email'];
$html .= "<p class='notice'>your uid: {$id} <br />your email is: {$email}</p>";
}
} else {
$html .= "<p class='notice'>The username you entered does not exist, please re-enter!</p>";
}
}
Using the aforementioned query service as an example, when we input a malicious SQL injection payload-test ‘ or 1=1#, the system returns the UID and email of all registered users. This is a straightforward example of data leakage. Once hackers are aware of an SQL injection vulnerability, they can freely perform operations such as adding, deleting, modifying, and querying the database. They may even inject a web shell to gain further control over the entire server.
How did all of this happen? As mentioned earlier, the backend code does not perform any filtering and directly concatenates the user input name parameter into the database query statement. So, when inputting the malicious payload-test ‘ or 1=1#, the backend code generates the query:
$query = "select id, email from member where username='test' or 1=1#'"
When this statement is executed in the database, the result is clear: the database evaluates the expression 1=1 as always true, thus returning all the data in the member table.
How to Prevent SQL Injection
To prevent SQL Injection, developers must ensure that web applications properly sanitize user input. This typically involves employing prepared statements and parameterized queries which separate SQL commands from data inputs, thereby preventing the execution of maliciously injected SQL code. Regular code reviews and security testing can also help in identifying and fixing vulnerabilities that could be exploited via SQL Injection.
Additionally, implementing a robust web application firewall (WAF) can provide an additional layer of defense against SQL Injection attacks. CDNetworks WAF can help detect and block malicious requests before they reach the database server. Educating developers about secure coding practices and raising awareness about the importance of input validation are also crucial in preventing SQL Injection attacks.