SQL Injection
Learn SQL injection through interactive security exercises.
Introduction to SQL Injection
theoryLearn the basics of SQL injection vulnerabilities and how they occur.
What is SQL Injection?
SQL injection is a code injection technique that exploits a security vulnerability in an application’s software. The vulnerability occurs when user input is not safely validated, escaped, typed, or parameterized before it becomes part of a SQL query.
How SQL Injection Works
SQL injection attacks work by inserting malicious SQL code into application queries. When the application executes these modified queries, it can result in:
- Unauthorized access to data
- Data theft or modification
- Authentication bypass
- Complete system compromise
Example Vulnerable Code
String query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
Knowledge Check
What makes an application vulnerable to SQL injection?
Identifying SQL Injection Points
theoryLearn how to identify potential SQL injection vulnerabilities in web applications.
Finding SQL Injection Vulnerabilities
SQL injection vulnerabilities can appear anywhere untrusted data is used to build database queries.
Common Injection Points
- Login forms: Username and password fields
- Search boxes: Query parameters
- URL parameters: GET request parameters
- Form inputs: POST request data
- Cookies: Session data
- HTTP headers: User-Agent, Referer, and similar values
Testing Techniques
Use these payloads to test for SQL injection:
- Single quote (
') to look for database errors - Double quote (
") as an alternate string delimiter - SQL comments (
--or/*) to comment out the rest of a query - Boolean conditions (
1=1,1=2) to test logic manipulation
Knowledge Check
Which of the following is NOT a common SQL injection testing payload?
Basic SQL Injection - Login Bypass
simulationPractice bypassing login authentication using SQL injection.
Simulation Objective
Practice bypassing login authentication using SQL injection.
Target
/vulnerable-login
Scenario
Vulnerable login
Union-Based SQL Injection
theoryLearn about Union-based SQL injection attacks to extract data.
Union-Based SQL Injection
Union-based SQL injection leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result.
Requirements for UNION Attacks
- The same number of columns in both
SELECTstatements - Compatible data types in corresponding columns
- Application output that displays query results
Finding Column Count
Use ORDER BY to determine the number of columns:
' ORDER BY 1-- -
' ORDER BY 2-- -
' ORDER BY 3-- -
Union Attack Example
' UNION SELECT username, password FROM users-- -
Knowledge Check
What is required for a successful UNION-based SQL injection?
Union Attack - Data Extraction
simulationPractice extracting sensitive data using Union-based SQL injection.
Simulation Objective
Practice extracting sensitive data using Union-based SQL injection.
Target
/vulnerable-search
Scenario
Data extraction
Boolean-Based Blind SQL Injection
theoryLearn about blind SQL injection when no data is returned directly.
Boolean-Based Blind SQL Injection
Blind SQL injection occurs when an application is vulnerable to SQL injection, but HTTP responses do not contain query results or database errors.
Characteristics
- No direct database output in the response
- Application behavior changes based on query truth
- Requires inference techniques
- Time-consuming but effective
Testing Technique
Use conditional statements to infer information:
' AND 1=1-- - -- Should return normal response
' AND 1=2-- - -- Should return different response
Data Extraction Example
' AND (SELECT SUBSTRING(username,1,1) FROM users WHERE id=1)='a'-- -
Knowledge Check
In Boolean-based blind SQL injection, how do you extract data?
Blind SQL Injection - Character Extraction
simulationPractice extracting data character by character using blind techniques.
Simulation Objective
Practice extracting data character by character using blind techniques.
Target
/vulnerable-profile
Scenario
Character extraction
Time-Based Blind SQL Injection
theoryLearn about time-based blind SQL injection techniques.
Time-Based Blind SQL Injection
Time-based blind SQL injection is used when Boolean-based techniques do not work. It relies on injecting SQL queries that cause the database to wait for a specified amount of time.
Common Time Functions
- MySQL:
SLEEP(5) - PostgreSQL:
pg_sleep(5) - SQL Server:
WAITFOR DELAY '00:00:05' - Oracle:
dbms_pipe.receive_message(('a'),5)
Testing Example
' AND IF(1=1, SLEEP(5), 0)-- -
' AND IF((SELECT COUNT(*) FROM users)>5, SLEEP(5), 0)-- -
Data Extraction
' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='p', SLEEP(5), 0)-- -
Knowledge Check
What is the main indicator of successful time-based SQL injection?
Time-Based Attack Simulation
simulationPractice time-based blind SQL injection to extract sensitive information.
Simulation Objective
Practice time-based blind SQL injection to extract sensitive information.
Target
/vulnerable-news
Scenario
Password extraction
Advanced SQL Injection Prevention
theoryLearn comprehensive strategies to prevent SQL injection attacks.
SQL Injection Prevention
Preventing SQL injection requires a multi-layered approach combining secure coding practices and proper application architecture.
Primary Defense: Prepared Statements
String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, username);
stmt.setString(2, password);
Additional Defenses
- Input validation: Whitelist allowed characters
- Stored procedures: When properly implemented
- Escaping: As a secondary defense
- Least privilege: Minimal database permissions
- WAF: Web Application Firewall
Best Practices
- Never trust user input
- Use parameterized queries exclusively
- Implement proper error handling
- Run regular security testing
- Keep software updated
Knowledge Check
What is the most effective primary defense against SQL injection?