A really common and basic vulnerability among injection security flaws
In order to get the best experience learning this vulnerability, you should have basic knowledge of
Database Management Systems (DBMS) and SQL syntax. In this module, you should get used to the MySQL database and its syntax.
For more information: MySQL Documentation
If you have learned this vulnerability before, why not go and solve my challenges here?
The reason I chose SQL Injection as the first module you will learn is that this bug is really common out there in the real world, and very well known to every cyber security engineer.
A successful SQL Injection attack could lead to the leakage of thousands of users' information and, more seriously, to Remote Code Execution.
As you know, injection means putting something into an object.
For example, during the Covid-19 pandemic, we all had to be injected with a vaccine in order to prevent or mitigate the
consequences of the coronavirus. That is injection: a way to give an object some instruction to do
something. In the above example, the instruction is the vaccine, which tells the body how to deal with the
coronavirus.
Back to our module, let's review DBMS and SQL syntax. In order to bring out every record from a table called "users",
we will use the query:
SELECT * FROM users;
This is just a normal query, right? Let's get to something more complicated: to select the row with the username "conmeo", the query becomes:
SELECT * FROM users WHERE username="conmeo";
Here is some explanation of the syntax:
As I said before, injection means putting something into an object.
In this case, the object is the MySQL query, so what if an attacker tries to put some instruction of their own into the MySQL query?
Let's take an example: if a website allows users to search for the username of other users, then the value of the username column
would be controlled by users.
As you know, when a field is controlled by outside users, that field is called Untrusted Data.
Having come this far, I will show you how a beginner-level PHP programmer would typically write the code that queries a database:
$query = 'SELECT * FROM users WHERE username="' . $user_input . '"';
$db_result = $database->query($query);
The developer uses a technique called "string concatenation" to add the $user_input variable to the query string, then uses that string to query the database. Let's see together
whether this style of code brings any threat that could damage our system.
Let's take another look at our query when a user wants to get the information of the "conmeo" username:
SELECT * FROM users WHERE username="conmeo";
In this query, the double quotes are the instruction which tells the database that the value between them is a string.
Now, if the attacker inputs the value: " or 1=1 #
The query now becomes:
SELECT * FROM users WHERE username="" or 1=1 #";
The database that handles the query has no way to distinguish between the attacker's input and the query's own syntax / instructions.
From the database's point of view, it will select the rows whose username is "" (an empty value), and then return all the data from the "users" table
thanks to the condition OR 1=1, while all the syntax after that is commented out by the "#".
In this way, the attacker can steal all the data that they should not be able to reach.
Another example: this time, if the attacker inputs into the username field: not_exist" or username="admin
The query will now become:
SELECT * FROM users WHERE username="not_exist" or username="admin";
Assume that in the "users" table there are many columns such as "password", "username", "email", etc.
In this way, the attacker can get all of the above information, which is really sensitive.
With the password retrieved from the above query, the attacker can now log in and impersonate the admin.
From then on, the attacker can access every special feature of the website.
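The two inputs above run against the concatenated query and against its fix, a prepared statement that binds the value separately from the query text, as an added example that is not part of this module. It uses an in-memory SQLite table standing in for "users"; since SQLite uses single quotes for strings and -- for comments where MySQL accepts " and #, the inputs are written in that dialect.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's "users" table.
SAMPLE_USERS = [
    ("admin", "s3cr3t", "admin@example.com"),
    ("conmeo", "meow", "conmeo@example.com"),
]

def make_db():
    # In-memory SQLite so the example runs offline (MySQL is assumed by the text).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db

def lookup_vulnerable(db, user_input):
    # String concatenation, as in the PHP snippet: the input is pasted straight
    # into the query text, so a quote in it ends the string and becomes syntax.
    query = "SELECT username, email FROM users WHERE username='" + user_input + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, user_input):
    # Prepared statement: the query text is fixed and the value is bound
    # separately, so the database always treats the whole input as one string.
    query = "SELECT username, email FROM users WHERE username=?"
    return db.execute(query, (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # SQLite spellings of the tutorial's two inputs.
    dump_all = "' or 1=1 --"
    as_admin = "not_exist' or username='admin"
    print(lookup_vulnerable(db, "conmeo"))     # the intended lookup
    print(lookup_vulnerable(db, dump_all))     # every row comes back
    print(lookup_vulnerable(db, as_admin))     # the admin row comes back
    print(lookup_safe(db, dump_all))           # [] : no user has that name
    print(lookup_safe(db, as_admin))           # [] : no user has that name
```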