SQL injection is an application hacking technique you’ll often see discussed in the cybersecurity community. Cyber attackers are particularly fond of exploiting online retailers and other web apps with financial data with this technique. And when you learn how to hack web applications with Hack The Box, SQL injection is a vital skill. So you may be wondering, what is SQL injection?
I remember what the web was like in the 1990s. The vast majority of webpages were static. That means someone develops an HTML webpage and when they want to alter its content, they have to deliberately edit its code. Everyone who loads the same version of the webpage gets the exact same content.
Dynamic webpages display different content according to data the user has inputted. Dynamic webpages require databases in order to operate. These days, the large majority of webpages are dynamic, whether they’re fully interactive web apps, or based on a CMS (content management system, such as WordPress or the custom CMS that drives everything at Hack The Box).
SQL is a database programming technology that web databases are built with. SQL can also be used to develop many other types of applications, even outside of the web. You can bet that your favorite online retailers and web services, and most of your favorite websites have some sort of SQL database underneath them.
SQL injection attacks target vulnerabilities in how SQL is implemented. This is most often done by entering malicious SQL code into a web form, as opposed to expected user input in web form fields, such as names and email addresses. By entering effective malicious SQL code through a web form or some other means, a cyber attacker can acquire sensitive data in the database they’re not entitled to have (such as credit card numbers!), or make malicious alterations to the application. Effective SQL injection can be absolutely lethal to SQL-driven applications of all kinds!
If a SQL application is programmed more securely, such as being designed to effectively filter string literal escape characters, then it’s a lot more difficult for attackers to successfully execute a SQL injection attack.
Strings are the parts of code in a SQL application (or any application) that contain data a user may have inputted. Think of something like NAME = “Kim Crawley” or PAST THREE YEARS= “2019, 2020, 2021”. The data within the quotes is a string. Imagine how many strings of credit card numbers an online retailer site’s SQL database could have! Here’s how strings may be returned to an attacker in an SQL injection attack:
SUBSTRING('creditcardnumbers', 5, 3)
Looking for just a few credit card numbers in certain positions of a string may be too tedious. Maybe they want all the credit card numbers and other sensitive identification data. Here’s how they may retrieve all of the columns in a table of their targeted database:
SELECT * FROM retail_financial_data.tables
SELECT * FROM retail_financial_data.columns WHERE table_name = 'CUSTOMER-PAYMENT-INFO'
An attacker may have a more complicated cyber attack in mind. They may want to target known vulnerabilities in a particular version of a SQL database. So first, they need to fingerprint the SQL database version of their target. They may try this:
And there are many, many other ways an attacker can inject malicious code into a SQL application.
SQL injection attacks are when cyber attackers inject malicious SQL code into a SQL database. It’s one of many different kinds of code injection attacks. You may hear the phrase “command injection” sometimes. That’s when malicious computer programming code of any applicable language is used to execute commands into a targeted application.
SQL injection is a type of code injection, and command injection is a very broad category of application cyber attacks.
HTB Academy has some great courses that will teach you these exploitation techniques so you can test application security in your pentesting career.
You can also check out my interview with 21y4d here on the blog!