If you are looking for the lab of Cyber Security and Web Development Labs. Then you arrived at the correct place. We do have the Cyber Security and Web development labs and more knowingly they are free.
Today, in this article we are gonna learn about what is SQL injection and what damage it can create if an SQL injection had found on a website. So let’s jump into the topic without wasting time.
What is SQL injection?
SQL is one of the most common web hacking techniques that might destroy your database. It is a code injection technique that takes a user input and produces output for that input. If the user inputs any SQL injection payloads and if it is vulnerable then it might show information that shouldn’t be seen by a normal user.
And we do have different types of SQL injections and in most known SQL injections are:
- Time-Based SQL injection
- Blind SQL injection
- SQL injection
- Error-based SQL injection
and many more.
Why does SQL injection arises?
- When the user-given input isn’t validated then SQL injection arises.
- Code reviews should be done occasionally to avoid these attacks.
Where we can write find those SQL injections:
- Username, passwords fields
- Email fields
- Forum posts
- Contact form
- Feedback pages. And etc.
How to identify SQL injection on a live website
- First, select the target domain which you wanna test.
- Then do little research about parameters, which will store the data in the database,
- Then try to insert some primary SQL injection payloads like
- Single quotation (‘), double quotation (“), and many more.
- There are some other payloads that can be used to find SQL injection vulnerability
- And if you see any error, and from that using some SQL statements we can gather the information about the system using manually,
- Otherwise, you can get that using a tool called, “SQLMAP” which is available in the Kali Linux Operating system by default.
- This is a basic way to find a SQL injection on a website.
And there is a video which is already been uploaded in our YouTube Channel and the video link is:
And by watching that video you can get some more detailed information about how to find SQL injection.
SQL injection to Account Takeover:
First, we usually visit websites everyday and login to some pages to view some content.
Now, here comes the special part:
There are different ways to escalate SQL
- Go to any login page which is having input fields like username, and password.
- Then try to just log in with username: admin and password: admin
- These are basic credentials used for login purposes.
- If it logged in, Boom! You logged in as an admin into that website.
- If not there are some SQL injection payloads that will help to bypass the restrictions and still somehow manage to login.
- Basic SQL injection payloads used at the time of login:
- The above steps which are mentioned are some basic types of SQL injection to Account takeover techniques.
- And we did upload a YouTube video about the same topic ( SQL injection to Account takeover ) by Faiyaz Ahmad bro.
Here is the Youtube video link:
Mitigation’s to protect from SQL injection:
- Use a WAF ( Web application Firewall )
- Try to validate the user-given input everywhere.
- Try to put filters to avoid entering some dangerous characters
I think to know, you have some information about what is SQL injection and how can we find SQL injection vulnerabilities right. And soon we are going to add more labs and I think SQL injection would be one of that.
Thanks for your time and thanks for reading.
Have a good day!