SQL Injections Flashcards

1
Q

What is SQL Injection?

A

The purpose of an SQL injection attack is to gain access to a web application's database server so that malicious queries can be executed on it.

2
Q

What is a database?

A

A database is a way of electronically storing collections of data in an organized manner. Databases are normally managed by a DBMS, or Database Management System.

3
Q

What are the two categories of DBMS?

A

Database Management Systems normally fall into two categories: Relational and Non-Relational.

4
Q

What is the structure of a DBMS?

A

A DBMS is made up of smaller databases, each focused on a specific part of a site (think of subnetting as an analogy). These smaller databases refine their information further into specific tables.

5
Q

What is a Database Table?

A

Tables in a database are broken into columns and rows. Columns hold the table's data, while adding or removing data adds or removes rows.

6
Q

What is the primary difference between a Relational DBMS and a Non-Relational DBMS?

A

The use of tables. A Relational DBMS uses tables, while a Non-Relational DBMS doesn't use any tables.

7
Q

What is SQL?

A

SQL stands for Structured Query Language; it's a feature-rich language used for querying databases. A SQL query is referred to as a statement.

8
Q

What’s the SELECT query type used for?

A

The SELECT query type is used for retrieving data from the database.

9
Q

What are some SELECT statements in practice, and what do they do?

A
  1. select * from users; This returns all columns from the table.
  2. select * from users LIMIT 1; This forces the query to return only the first result; you can also use LIMIT 2, 1; to skip the first two results and return the third.
  3. select * from users where username = 'admin'; This only returns rows where the username is equal to admin.
  4. select * from users where username != 'admin'; This only returns rows where the username isn't equal to admin.
  5. select * from users where username like 'a%'; This returns rows from users where the username starts with a.
  6. select * from users where username like '%n'; This returns rows from users where the username ends with n.
  7. select * from users where username like '%mi%'; This returns rows from users where the username contains the characters 'mi' anywhere within it.
10
Q

What is the UNION query string and what does it do?

A

The UNION operator is used to combine SELECT statements and return data from multiple tables.

11
Q

What are the rules when using UNION statements?

A

There are a few primary rules that you have to follow when using UNION statements:

  1. A UNION statement must have the same number of columns in each SELECT statement
  2. The columns have to be of a similar data type
  3. The columns have to be in the same order
12
Q

Can you make a UNION Statement?

A

UNION SELECT company, address, city, zip code from suppliers; This returns data from multiple tables by using UNION to combine SELECT statements.

13
Q

How do SQL Injections happen?

A

An SQL injection happens when user-provided data gets included in the SQL query.

14
Q

What does this look like in practice?

A

Let's take an example: a blog site normally holds data such as blog posts in a database, meaning they are kept in a table.

Say we have a URL that looks like this: https://website.thm/blog?id=1. We can see that the blog post is controlled by the id parameter, which takes user input and can therefore also take an SQL injection.

15
Q

What is In-Band SQLi?

A

In-Band SQLi is the easiest type to detect and exploit; In-Band refers to discovering an SQL vulnerability on a web page and then being able to extract data from the database to that same page.

16
Q

What is Error-Based SQLi?

A

This type of SQL injection is the most useful for easily obtaining information about the database structure, as error messages from the database are printed directly to the browser window.

17
Q

What is UNION-BASED SQLi?

A

This type of injection utilizes the SQL UNION operator alongside a SELECT statement to return additional results to the page; this is the most common method for extracting a large amount of data.

18
Q

What is a character that we can use to test for SQL vulnerabilities?

A

The character we use when trying to trigger an SQL error is a single apostrophe (') or a quotation mark ("). This mark is placed at the end of a URL query string parameter.

19
Q

What is the SQL error proof of?

A

It's proof in itself that an SQL vulnerability is possible in the first place.

20
Q

What is our goal after getting the SQL error?

A

Our goal should be completing an SQL injection that passes through without an error. We can normally accomplish this by simply using UNION SELECT statements to receive extra results of our choosing.

21
Q

What is group_concat()?

A

This takes the specified column from multiple returned rows and puts it into a single string, with the values separated by commas.

22
Q

What is Information_schema?

A

Information_schema is a database all users have access to; it contains information about all the databases and tables the user has access to.

23
Q

Why do we not get feedback from Blind SQL Injections?

A

This is likely because error messages have been completely disabled by the developer.

24
Q

What is Authentication Bypassing?

A

One of the most standard techniques you have when working with Blind SQL Injections is bypassing authentication on a login page.

In this instance of SQLi we aren't really concerned with any feedback from the database; we are simply interested in getting past the login page.

25
Q

How are database login pages different?

A

Because these login pages are built on top of a database, they aren't concerned with the content of a user's password/username, only that a correct combo is stored somewhere in the database to verify the login attempt.

Basically, the web application asks the database: "do you have this combo?" and the database returns a boolean value (true/false) that dictates whether you log in or not.

26
Q

Taking into account that database login pages simply need a true value to progress, what can we do to log in?

A

Instead of focusing on the contents of the username/password pair, we should focus on giving the login page a value that's always going to be true so that we can log in to someone else's account.

27
Q

What is Blind SQLi - Boolean Based?

A

Boolean Based SQL injections refer to the response we receive back from our injection attempt being essentially yes/no, on/off, true/false; basically, you'll only ever have two outcomes.

28
Q

What is Blind SQLi - Time Based?

A

Like Boolean Based SQL Injections, you're not likely to receive any feedback from these attempts; you'll have to determine whether or not the injection attempt was successful based on the time the query takes to complete. Basically, the time delay is going to be the decider.

29
Q

What's Sleep(x) and how do we use it for Time Based SQL injections?

A

Sleep(x) is a built-in method used in SQL injections alongside UNION statements. Sleep(x) will cause a brief time delay in the web application if the injection is actually successful.