Introduction
Advanced SQL queries can be utilized in SQL injections where there is no response from the web server. Part 1 of the SQL injection attack is available. You should read this article to learn the principles of SQL injection.
This article discusses advanced SQL injection techniques and tools for enumerating websites and evading security barriers.
What is Advanced SQL injection?
Over the years, awareness of SQL injection attacks has been raised. Such attacks are avoided by implementing specific preventive measures.
Advanced queries can be time-consuming, but they are just as hazardous as regular injection attacks. Advanced SQL injection techniques, on the other hand, can be used to overcome the measures.
Types of SQL injection
In-band SQLi: This primary SQL injection is the simplest to attack and the most popular of the three types. This injection employs the same channel to launch the attack and collect the results.
Out-of-band SQLi: Out-of-band SQLi is the least common of the three types of injection. This attack occurs when an attacker cannot launch the attack and gather results over the channel.
Inferential SQLi: The data is not transferred over the web application in this injection, and the attacker cannot see the results. The attacker delivers payloads and waits for a response from the server. This allows the attacker to recreate the database and collect information.
Blind-SQL injection
What is Blind SQL injection?
Blind SQLi (inferential SQLi) is an attack in which the web application does not respond with results.
It sends True or False questions to the database with SQL queries. Techniques such as the UNION attack are ineffective against blind SQL injection vulnerabilities, and There are two types: Boolean-based and Time-based.
Types of Blind-SQL Injection
Boolean-Based: The attacker sends SQL queries to the database and causes it to deliver a result based on True or False results in Boolean-based injections.
Time-based: In this form of SQL injection, the attacker sends SQL queries to the database and then waits for the database to provide the results.
When there are no other means to retrieve a response from the database, a time-based SQL injection attack will be utilized. Because the query will generate a time delay for the time supplied by the attacker. Using the browser’s inspection feature, you can see how long the response took.
Intruder Enumeration
A brute-force attack on HTTP requests can be done using the Burp Suite intruder. It is possible to automatically enumerate the database names and tables using an intruder. It is also possible to dump all the table content into a file.
SQLMap
What is SQLMap?
SQLMap is a Python-based automated tool for detecting and exploiting SQL injection problems.
It supports many SQL database systems, including MySQL, Oracle, PostgreSQL, Microsoft Access, and others. SQLMap offers the ability to list users, password hashes, privileged roles, databases, tables, and columns.
Because it supports six injection techniques: Boolean, Time-based, Error-based, Union Query, Stacked Query, and Out-of-Band.
Advantages & Disadvantages
Advantages:
- Supports a large number of database management systems.
- Six different injection procedures are supported.
- Allows for direct database access.
- Enumeration of users, password hashes, rights, and more are supported.
- It can recognize password hashes automatically.
- Dumping whole database tables.
Disadvantages
- If a complicated context escape is permitted, the test will be ineffective.
- The relevant injection is not always updated.
- Make a lot of commotion on the network.
Capture Request
Some online apps require special headers or cookies for requests to be sent to them.
The Burp Suite may intercept “POST” requests and alter specified parameters using SQLMap.
Database Enumeration
Enumeration is a crucial SQLMap functionality. A simple command can be used to enumerate databases.
SQLMap can list several database types and save the results to a file. The command is sqlmap -u “TARGET-URL” -D bWAPP –dbs
Table Enumeration
SQLMap can also enumerate tables, and it can be utilized in combination with captured requests.
The attacker must know what to look for to uncover sensitive database information. The command is sqlmap -u “TARGET-URL” -D bWAPP –tables.
Bypassing Security Measures
Web Application Firewall
WAF (Web Application Fire) is a network traffic filtering application that filters incoming and outgoing network traffic based on predefined settings and rules.
A WAF can detect and prevent attacks that exploit website vulnerabilities by monitoring HTTP traffic. Since the awareness of SQLi attacks has risen, web applications have begun implementing WAF.
WAF Detection
WAFs can be detected both manually and automatically with dedicated tools. And can be a widely used tool to identify a WAF is wafw00f, which sends a legitimate HTTP request and analyses the response.
It is also possible to use the nmap http-waf-detect script, which can detect the presence of many security measures.
Obfuscated Queries
WAFs use blacklists to filter functions and words that contain familiar keywords such as AND, OR, ORDER BY, etc. And to bypass this protection, an attacker can use obfuscation so that the WAF will not be able to detect the words.
Obfuscations
When it comes to avoiding regex rules or detection mechanisms, it is the same as in other areas of command execution. But it is advised to utilize obfuscation. SQL has restricted variations, but they can still be used.
Method | Explanation |
1’OR’1’=’1 | Some queries can be written without the use of spaces. |
1’%20OR%20’1’=’1 | URL encoding is another technique for escaping spaces. |
1’%09OR%09’1’=’1 | This should be used instead of spaces in SQL tabs. |
1’/**/9OR/**/1’=’1 | In some cases, comments can be used to conceal information. |
COUNT | The number of data rows returned by the query. |
ALTER | Columns are renamed, deleted, or added to or from a table. |
Tamper Scripts
Guidelines must be followed when using tamper scripts. Because the tamper function must exist to receive the SQL query in an argument called “payload.” At the end of the function, it returns a statement that should return the tampered query.
solutions for security
Input Filtration: From a coding standpoint, SQL injection is protected by filtering input and using predefined queries, which is considered a secure technique to filter input, and using a prepared statement prevents harmful queries from being executed.
SQL protection is essential because SQL stores sensitive information. Another method for preventing SQL injections is to use a prepared statement. The goal is to detect strings that contain requests such as “to ban,” “to quote,” and so on.
Order By Clause
The information rows are returned in no particular sequence by the SELECT operation. The ORDER BY clause performs data sorting in ascending or decreasing order. ORDER BY allows you to rearrange the rows as needed.
It can enumerate data and ORDER BY injections are performed differently than other injection procedures.
An ORDER BY clause can be effective when a database rejects WHERE, OR, AND, and UNION. The query will enable a user to understand if the first character in the first name is A, according to the ASCII number.
If A is the first character, the list will be sorted by the first name. It will be arranged by userid if it is not A. With this query, a brute-force assault can be performed to extract the complete string.
It is easy to optimize this method using a script or SQLMap.
Website Enumeration
Enumerating a website’s directories, pages, and files is important in Web Application Penetration Testing. This can be accomplished by conducting a brute force attack on the site’s path.
Programs like Drib and GoBuster transmit requests for pages, directories, and files that are either listed in a wordlist or produced by rules. And we can tell if the request element exists by inspecting the answer.
Although a web spider also enumerates a website. It only finds content that contains hyperlinks.
Dirb
Dirb is a website application scanner that uses brute force to enumerate directories based on wordlists. It sends an HTTP request to a web application and observes the response code.
Dirb includes a wordlist with more than 4000 words and is used for a brute-force attack. And it can also work with customized wordlists.
DirBuster
DirBuster is a brute-force GUI attack tool that finds directories and files in web applications.
OWASP created DirBuster, regarded as one of the most powerful web application inspection tools. It is extremely simple, requiring only a URL and a wordlist.
GoBuster
GoBuster is a brute-force program for searching directories and files for URLs and DNS sub-domains. It is capable of locating usernames, passwords, and even specific extensions. The command for GoBuster is gobuster dir -u “URL” -w /usr/share/wordlists/common.txt (directory path).