
SQL INJECTION



A DOCTOR’S VISIT FOR AN INJECTION? NOT REALLY

SQL stands for Structured Query Language. When Trump visits countries abroad, he has an interpreter who communicates with the others in their native language and converts what they say into English for Trump. SQL plays a similar role and converts our commands into queries for a database.

And SQL injection allows a hacker to place a bug in the SQL that would give him access to the database. The following lessons give us an overview of how it works.

SQL INJECTION

Now it’s time to create a tool of our own, similar to the Kali Linux tool.

SQL injections are a type of security exploit performed by adding malicious SQL code to a web form input box to gather information from the database of the website.

Ready to learn the art of gathering information from the database of the website without the knowledge of the owner?

Watch this video to know more about SQL injection, the procedure which you can use to hack a website as well as learn to draft an SQL injection script and more.

ANATOMY OF AN SQL ATTACK

A developer defines a SQL query to perform some database action necessary for their application to function. This query has an argument so that only desired records are returned, and the value for that argument can be provided by a user (for example, through a form field, URL parameter, web cookie, etc.).

A SQL injection attack plays out in two stages:

1.      Research: Attacker tries submitting various unexpected values for the argument, observes how the application responds, and determines an attack to attempt.

2.      Attack: Attacker provides a carefully-crafted input value that, when used as an argument to a SQL query, will be interpreted as part of a SQL command rather than merely data; the database then executes the SQL command as modified by the attacker.

The research and attack stages can be easily automated by readily-available tools.
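Both stages can be reproduced against a query you own, which is also how to confirm a fix. The following is an added example, not code from the original lesson: the `products` table, the function names and the three input values are constructed for illustration, using Python's standard `sqlite3` module.

```python
import sqlite3

def make_db():
    """Constructed sample data: one unreleased product the app should hide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("mug", "gifts", 1), ("card", "gifts", 1),
        ("prototype", "gifts", 0), ("lamp", "home", 1),
    ])
    return db

def find_vulnerable(db, category):
    # Vulnerable: the user's value is pasted into the SQL text, so the
    # database parses it as part of the command rather than as data.
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' AND released = 1")
    return sorted(row[0] for row in db.execute(sql))

def find_parameterized(db, category):
    # Hardened: the ? placeholder sends the value separately from the SQL
    # text, so quotes and comment markers in it are only ever compared as data.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in db.execute(sql, (category,)))

def respond(finder, db, category):
    """What the application would show: result rows, or an error marker."""
    try:
        return finder(db, category)
    except sqlite3.Error:
        return "sql-error"

# Constructed inputs: a normal value, a lone quote (the "research" stage,
# where a database error reveals that input reaches the SQL parser), and a
# value that rewrites the WHERE clause (the "attack" stage).
SAMPLES = ["gifts", "'", "gifts' OR 1=1 --"]

if __name__ == "__main__":
    db = make_db()
    for value in SAMPLES:
        print(repr(value))
        print("  concatenated :", respond(find_vulnerable, db, value))
        print("  parameterized:", respond(find_parameterized, db, value))
```

Any input for which the two functions disagree marks a query where user data is being parsed as SQL, so the same comparison works as a regression test after a fix.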

 

TYPES OF SQL ATTACK

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

·        Retrieving hidden data, where you can modify an SQL query to return additional results.

·        Subverting application logic, where you can change a query to interfere with the application’s logic.

·        UNION attacks, where you can retrieve data from different database tables.

·        Examining the database, where you can extract information about the version and structure of the database.

·        Blind SQL injection, where the results of a query you control are not returned in the application’s responses.

 

1.      If you had to modify an SQL query to return additional results, what would you have to do?

a.      Subvert application logic

b.      Retrieve hidden data

c.      Examine the database

d.      Perform blind SQL Injection

Ans- b. Retrieve hidden data

 

KEY TAKEAWAYS!

We use SQL commands to communicate with, edit or delete our database. The database is one of the most important and fundamental parts of a project. Hence it is a hotspot for hackers. Here are some key points to reflect upon.

·        An SQL injection is the process of unknowingly running malicious SQL code that gives the hacker access to your database.

·        SQL injection usually occurs when you ask a user for input, like username/userid, and instead of a name/id.

·        In some cases, the hacker can escalate an SQL injection attack to gain complete access to the back-end of the system and launch a DDoS attack.
