SQL Injection Attacks

Berkay Şen
3 min read · Nov 27, 2021

Before explaining what SQL injection is, let’s look at what SQL is.

What is SQL?

SQL is a query language developed for interacting with relational databases. With SQL commands we can perform many operations on the data in a database, such as adding, changing and deleting it. Database systems such as MSSQL and MySQL use the SQL query language.

An Example SQL Query

SELECT * FROM Users where Username='Berkay' and Password='123456'

This SQL query returns all the information of the users in the Users table whose username is “Berkay” and whose password is “123456”.

When we log in to a system, similar queries run in the background. We can interfere with the query running in the background through the login form or via the URL, provided, of course, that the programmer has not closed off such an opening.

Now let’s talk about SQL injection.

SQL injection attacks exploit security vulnerabilities that allow us to interfere with the application’s normal SQL queries and to inject and run the SQL code we want on the system.

In a normal scenario, the system we log in to asks for a username and a password. The data we enter into those input fields ends up in the parts between the quotes below.

SELECT * FROM Users where Username='USERNAME' and Password='PASSWD'

As you can see, I wrote brktrl in the username field and 123456789deneme in the password field. Let’s see what kind of query this creates in the background.

SELECT * FROM Users where Username='brktrl' and Password='123456789deneme'

So far, everything is normal. But what do you think would happen if I added the following to the end of the username input and left the password input blank?

'--

Let’s see what query this produces in the background.

SELECT * FROM Users where Username='brktrl'--' and Password='123456789deneme'

In SQL, a double dash starts a comment that runs to the end of the line. That is, everything after the single quote we wrote becomes a comment. Therefore, it is as if the following query were run in the background.

SELECT * FROM Users where Username='brktrl'

The rest is not executed because it is a comment, which is why I left it out. As you can see, the query running in the background now lets us log in to this account by simply typing the username. This and similar operations are what we call SQL injection.
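As an added example that is not from the original post: a small Python script with an in-memory SQLite database holding a constructed sample account (not the post’s data). It runs the login query built by string concatenation, as in the post, next to the same query with bound parameters, and shows that the `'--` input opens the first but not the second. The function and table names are chosen for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('brktrl', '123456789deneme')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is built by pasting the inputs between the quotes,
    # exactly like the query shown in the post. A quote followed by "--"
    # in the username ends the string early and comments out the rest.
    query = (f"SELECT * FROM Users where Username='{username}' "
             f"and Password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send the values separately from the SQL text, so a quote
    # or comment marker in the input is compared literally, never parsed.
    query = "SELECT * FROM Users where Username=? and Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both logins with normal credentials and with the '-- payload."""
    conn = make_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "brktrl", "123456789deneme"),
        "vulnerable_injected": login_vulnerable(conn, "brktrl'--", ""),
        "safe_normal": login_parameterized(conn, "brktrl", "123456789deneme"),
        "safe_injected": login_parameterized(conn, "brktrl'--", ""),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {'logged in' if logged_in else 'rejected'}")
```

Only the concatenated query accepts the `'--` username with an empty password; the parameterized one rejects it, which is the check to look for when reviewing login code.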

We can adjust our approach depending on the measures the programmer has taken. If what I explained above does not work, different test payloads can be tried.

You can also get into the database by giving the URL of the site you think is vulnerable to the “sqlmap” tool.
