SQL Injection: Difference between revisions
From charlesreid1
Revision as of 21:07, 9 March 2022
Overview
SQL Injection is a web security vulnerability that allows attackers to execute custom SQL queries by taking advantage of unvalidated inputs.
SQL injections can have a high impact and are easy to carry out, making them one of the most commonly exploited vulnerabilities.
Notes
Types of SQL injection attacks
There are several types of SQL injection attacks:
- Retrieving hidden data
- Subverting application logic
- UNION attacks
- Examining the database
- Blind SQL injection
Basic SQL injection attack
Start with a hypothetical web application. When you browse to this URL:
https://insecure-website.com/products?category=Gifts
it runs this SQL query:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
(Here, the "released" field indicates products that have been made public.)
If the category name specified by the user is not sanitized, then this web app is vulnerable to SQL injection.
We start with a single quote to end the category string, then write our own SQL for the server to run.
Here, we add the SQL comment marker --, which turns everything that follows it into a comment; the "AND released = 1" portion of the query is therefore ignored, bypassing the released check.
https://insecure-website.com/products?category=Gifts'--
This will show all products, including unreleased products.
Or the attacker can add an "OR" followed by a condition that is always true:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
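The following is an added example, not code from the original page: it reproduces the hypothetical products query above in an in-memory SQLite database, runs the two URLs from this section through both a string-concatenated query (the vulnerable pattern) and a parameterized query (the fix), and shows what each returns. The product rows, table layout and function names are constructed for this illustration and are assumptions, not part of the page.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample catalogue (not data from the page): two released products
# in the Gifts category, one unreleased Gift, and one released product elsewhere.
PRODUCTS = [
    ("Mug", "Gifts", 1),
    ("Candle", "Gifts", 1),
    ("Secret Gift", "Gifts", 0),
    ("Robot", "Toys", 1),
]


def make_db():
    """Build an in-memory SQLite database holding the products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, category TEXT, released INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def category_from_url(url):
    """Extract the category parameter exactly as the web app would receive it.

    parse_qs URL-decodes the value, so the '+' in the page's second URL becomes
    a space and the app sees "Gifts' OR 1=1--".
    """
    return parse_qs(urlparse(url).query)["category"][0]


def vulnerable_query(conn, category):
    """The page's query built by string concatenation.

    The user-supplied category is pasted straight into the SQL text, so a
    closing quote followed by -- comments out the released = 1 check.
    """
    sql = (
        "SELECT name FROM products "
        f"WHERE category = '{category}' AND released = 1"
    )
    return sorted(row[0] for row in conn.execute(sql))


def safe_query(conn, category):
    """The same query with a bound parameter (the mitigation).

    The driver passes the category as a value, never as SQL, so a quote or
    comment marker in the input is matched literally against the column.
    """
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    for url in (
        "https://insecure-website.com/products?category=Gifts",
        "https://insecure-website.com/products?category=Gifts'--",
        "https://insecure-website.com/products?category=Gifts'+OR+1=1--",
    ):
        cat = category_from_url(url)
        print(f"{cat!r:22} vulnerable={vulnerable_query(db, cat)} "
              f"safe={safe_query(db, cat)}")
```

Running the block shows the plain "Gifts" request returning the two released gifts from both functions; the `'--` input makes the concatenated query return the unreleased product as well, and the `' OR 1=1--` input returns every row in the table, while the parameterized query returns nothing for either payload because no category is literally named that.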