I gave an overview of SQL Injection (SQLI) in my previous post. As I mentioned there, SQLI can be done in two ways.
Here we are going to discuss the manual method of injection.
Manual SQL Injection is done by manually pen-testing the application: the pen-tester or attacker exploits the SQLI by injecting the malicious string into the application directly, interacting with it by hand and without using any tool, and digs out juicy information from the application such as usernames, passwords, SSNs, etc.
Things required for doing manual injection are:
- A SQLI-vulnerable site
- Burp Suite (to observe requests and responses)
- A bit of knowledge of SQL, or of the database that the application uses
- And a brain :D
(we can use the cheat-sheet on Pentest Monkey for database help)
After going through this post you will understand:
- The various types of SQL Injection attacks
- The causes of SQLI
- Design strategies for avoiding SQLI
- Exploiting the SQLI
In general they are broadly categorised into three:
1) In-band SQLI
2) Out-of-band SQLI
3) Blind SQLI
In-band: Also known as Error-Based SQLI. Here the application responds with an error. It uses a single channel for communication and is the most straightforward method.
Out-of-band: Communication happens over two separate channels. The attacker enters data directly, but the application responds through another route, for example by sending e-mails.
Blind SQL Injection: Here the application doesn't pop up any error. Instead the attacker needs to extract the data by asking true/false questions and observing the application's responses.
Causes for SQL Injection:
There can be many causes for any kind of vulnerability in an application. For SQLI they include:
- Improper coding
- The developer not being aware of the vulnerability
- Improper validation
- Improper filtering or escaping of special characters
- Directly inserting the values received from the web form into the SQL query
Design strategies for avoiding SQLI:
- Using prepared statements is the best solution for avoiding SQLI, because the query is parsed once and the user-supplied values are bound to it afterwards as data, so the interpreter does not re-parse the query text each time it is framed.
- Doing proper validation
- Escaping suspicious strings or characters
- Using filters or white lists (allowing only the required characters)
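To show the cause and the fix side by side, here is an added example (not code from the original post) of a login check built by pasting form values into the query text, next to the same check as a prepared statement. The user table, the `login_vulnerable`, `login_prepared` and `probe` functions and the test strings are constructed for this example; `probe` reports the error the database raises, which is the in-band signal described above.

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    """Builds the query by inserting the form values straight into the SQL text."""
    query = (
        "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    # The whole string goes to the parser, so a quote inside the input
    # ends the literal early and the rest of the input becomes SQL.
    return conn.execute(query).fetchone() is not None


def login_prepared(username: str, password: str) -> bool:
    """Same check as a prepared statement: the query is parsed with '?' placeholders
    and the values are bound afterwards, so the input is only ever data."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe(login, password: str):
    """Runs one password value through a login function for the known user.

    Returns the login result, or the string 'error' when the database rejects
    the statement, which is what an error-based (in-band) test looks for."""
    try:
        return login("alice", password)
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    # The single quote breaks the vulnerable query; ' or 'a'='a makes it true
    # for every row. The prepared version treats both as a wrong password.
    for name, login in (("vulnerable", login_vulnerable), ("prepared", login_prepared)):
        for value in ("s3cret", "wrong", "'", "' or 'a'='a"):
            print(f"{name:10} {value!r:16} -> {probe(login, value)}")
```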
Exploiting the Vulnerability:
In order to exploit the vulnerability, we first need to confirm that the application is vulnerable to SQL Injection. We can test this in many ways, by inserting various logical strings into the application such as ', 'or'=', ' or 1=1, ' or 'a'='a', etc.
I have written an article on exploiting and extracting the complete data from the database using all three types (In-band, Out-of-band, Blind). You can find the article here: Dumping database using SQL Injection.
Also have a look at the Web Application Security course offered by InfosecInstitute.