Certified Ethical Hacker - Part 13 - SQL Injection

by Riazul H. Rozen
March 6, 2018 (Certifications, CEH)

SQL Injection

SQL injection attacks are carried out to extract valuable information directly from the database or to gain unauthorised access to the system. Attackers exploit flaws in the web application to pass SQL commands through the application to the backend database. These flaws exist because the website was not built with secure coding practices.

A successful SQL injection is very damaging to the victim: attackers can gain administrative privileges without a username or password, compromise the target's operating system, insert harmful content into the target's web pages, and delete information such as audit records from the database, among other things.

SQL Server, Oracle, IBM DB2 and MySQL are some of the databases that are vulnerable to SQL injection attacks.


There are two major types of SQL injection: error-based and blind.

Error-based SQL injection

Error-based injections vary from one database management system to another, but they all force the database to perform operations whose result is an error. The steps of this procedure are:

Take advantage of the target's stored procedures to mount the attack.


Use end-of-line comments to cancel out any legitimate code that follows the injected input. A statement such as SELECT * FROM user WHERE name = 'x' AND userID IS NULL; --'; is usually used for this: everything after the -- is treated as a comment by the database.

Injectable parameters, table names and other valuable information can be gleaned from the target's database by sending illegitimate queries or requests.

The union SQL injection, performed with the UNION SELECT operator, appends the result of a query against another table to the result of the application's own query. For instance: SELECT Name, Address, Phone FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber, 1, 1 FROM CreditCardTable. A forged query is combined with the original one so that the forged query's results are returned together with the original's, allowing the attacker to gain information.
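To show concretely why string concatenation lets an end-of-line comment cancel the rest of a statement, here is an added example (mine, not from the article or the CEH material) using Python's built-in sqlite3 module and a constructed user table. The column names and the active flag are assumptions made for the demonstration; the input used is the article's quote-plus-comment pattern, and the hardened function beside it binds the same input through a placeholder.

```python
import sqlite3


def build_demo_db():
    """In-memory database with constructed sample rows (not real data).
    'alice' is a disabled account that the legitimate query must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userID INTEGER PRIMARY KEY, name TEXT, role TEXT, active INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)",
                     [(1, "alice", "admin", 0), (2, "bob", "user", 1), (3, "carol", "user", 1)])
    conn.commit()
    return conn


def find_active_user_vulnerable(conn, name):
    """Builds the statement by concatenation, so the input is parsed as SQL.
    A quote followed by the end-of-line comment marker -- closes the string
    early and discards the 'AND active = 1' restriction that follows it."""
    sql = "SELECT name, role FROM user WHERE name = '" + name + "' AND active = 1"
    return conn.execute(sql).fetchall()


def find_active_user_parameterized(conn, name):
    """Binds the value through a placeholder: the driver never parses it as SQL,
    so the same input is compared as a literal string and matches no row."""
    sql = "SELECT name, role FROM user WHERE name = ? AND active = 1"
    return conn.execute(sql, (name,)).fetchall()


# Placeholders bind values, not identifiers. Where the client chooses a column
# (sort order, for example) the safe option is an allow-list, not concatenation.
ALLOWED_SORT_COLUMNS = ("name", "role")


def list_active_users(conn, sort_by):
    """Sorted listing; the column name is taken from a fixed allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT name, role FROM user WHERE active = 1 ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    probe = "alice' --"  # the article's comment-termination pattern
    print("concatenated:", find_active_user_vulnerable(db, probe))    # disabled account leaks
    print("parameterized:", find_active_user_parameterized(db, probe))  # []
```

Run as a script it prints the disabled account for the concatenated version and an empty list for the parameterized one. The allow-list function is there because placeholders cannot bind table or column names; that is the case most often patched with concatenation "just this once".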

Blind SQL injection

Blind injections are carried out without the attacker seeing the direct result of the injected query. In a normal SQL injection the attacker is shown a useful error message, but with blind SQL injection only a generic custom message is returned. This method is delicate and time-consuming, as a separate statement has to be crafted for each bit of data that is recovered.


Blind SQL injections rely on wait-for-delay mechanisms as proof of a successful attempt. For instance, an attacker sends a query asking whether a particular credit card exists; the WAITFOR DELAY option makes the database wait a predetermined number of seconds before the generic custom message is returned. If the message comes back immediately, the credit card does not exist.
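The time-based behaviour described above also gives defenders something to look for. The following is an added example, not from the article: a small scanner over constructed access-log lines that flags requests carrying a delay keyword in the decoded query string, or that were unusually slow while also carrying SQL metacharacters. The log format with a trailing response-time field, the two-second threshold and the sample lines are all assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from any real server). The last field is the
# response time in seconds, which most web servers can be configured to log.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2018:10:00:01 +0000] "GET /card?id=1042 HTTP/1.1" 200 512 0.014
10.0.0.7 - - [06/Mar/2018:10:00:03 +0000] "GET /card?id=1042%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 388 5.021
10.0.0.7 - - [06/Mar/2018:10:00:09 +0000] "GET /card?id=1043 HTTP/1.1" 200 512 0.011
10.0.0.9 - - [06/Mar/2018:10:00:12 +0000] "GET /report?range=all HTTP/1.1" 200 90211 3.870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$')
# Delay primitives of the common engines (the article's wait-for-delay mechanism).
DELAY_RE = re.compile(r"waitfor\s+delay|sleep\s*\(|benchmark\s*\(", re.IGNORECASE)
SQL_META_RE = re.compile(r"['\"]|--|;")
SLOW_SECONDS = 2.0  # assumed threshold; tune to the application's normal latency


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    decoded = unquote_plus(parts.query)   # look at what the application saw, not the raw encoding
    rt = float(m["rt"])
    reasons = []
    if DELAY_RE.search(decoded):
        reasons.append("delay keyword")
    # A slow response alone is not evidence (reports are slow); require metacharacters too.
    if rt >= SLOW_SECONDS and SQL_META_RE.search(decoded):
        reasons.append("slow response with SQL metacharacters")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": parts.path,
            "decoded_query": decoded, "response_time": rt, "reasons": reasons}


def scan_log(text):
    """Apply analyze_line to every line and keep the findings."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample only the second line is reported, for both reasons; the slow report request is not, because its query string carries no quote or comment characters. In a real deployment the next step is to group findings by client and path, since a blind technique shows up as a long run of near-identical slow requests from one source rather than a single hit.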


SQL injection methodology

SQL injection works by abusing susceptible web applications to reach the information in the database. Hence the first detail to establish is whether the web application under test is connected to a database.

Gather all the information needed to generate an SQL query, for instance input fields and hidden tables. This is done by determining the data entry paths: using GET and POST requests to identify input fields and so on.

Experiment by injecting code into the input fields to provoke an error.

Insert a string value where the input expects a number. Use the UNION SELECT command to combine two or more statements.

It is important to note that a rich error message provides the attacker with enough information to carry out the attack. Details such as the target's operating system, database type and version, privilege level and so on can be gleaned from error messages.
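As an added example (not from the article), the following handler applies two of the points above from the defending side: a value that must be numeric is rejected before it reaches the database, and any database error is logged in full on the server but answered with a generic message plus a lookup reference. It uses Python's sqlite3 module with a constructed product table; the table, the logger name and the error text are assumptions.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("shop")
GENERIC_ERROR = "The request could not be processed."


def build_product_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 24.50)])
    conn.commit()
    return conn


def build_empty_db():
    """Connection with no tables at all, used to exercise the driver-error path."""
    return sqlite3.connect(":memory:")


def get_product(conn, product_id_raw):
    """Look up a product by its numeric id. Returns (status, payload)."""
    # A string where a number belongs is exactly the probe the article describes.
    # Reject it before the database sees it, and say nothing about why.
    if not re.fullmatch(r"[0-9]{1,9}", product_id_raw):
        log.warning("rejected product id %r", product_id_raw)
        return ("error", GENERIC_ERROR)
    try:
        row = conn.execute("SELECT name, price FROM product WHERE id = ?",
                           (int(product_id_raw),)).fetchone()
    except sqlite3.Error as exc:
        # The driver's own text (engine, table names, SQL fragment) stays in the
        # server log under a reference; the client gets only the reference.
        ref = uuid.uuid4().hex[:8]
        log.error("database error ref=%s: %s", ref, exc)
        return ("error", f"{GENERIC_ERROR} Reference: {ref}")
    if row is None:
        return ("not_found", None)
    return ("ok", {"name": row[0], "price": row[1]})


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = build_product_db()
    print(get_product(db, "2"))
    print(get_product(db, "2'"))                   # rejected, generic message
    print(get_product(build_empty_db(), "2"))      # driver error, generic message + reference
```

The reference lets support staff find the detailed log entry without the response itself revealing the database type or version, which closes off the information source the paragraph above describes.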


This step covers a host of SQL injection attacks, ranging from union attacks to blind SQL attacks and error-based SQL attacks. There are various things to note when these attacks are carried out: for dynamic stored procedure injection, it is pertinent that user input is sanitized so that the SQL assembled inside the stored procedure is free of injected content.


For blind SQL attacks, information such as the database user or column names can be extracted. To extract the database user, it is necessary to check things like the length of the username and whether its first character is A, B, C and so on, and then to repeat the same procedure for the second and third characters.

Blind SQL injection attacks can also be performed with the out-of-band exploitation technique, in which an out-of-band connection is used to return the results of an injected query instead of the target's own responses.


SQL injection tools

One such tool is automated and can exploit SQL weaknesses in any database. Marathon Tool: used by attackers to send heavy queries for time-based blind SQL attacks. SQL Power Injector: helps the penetration tester find and exploit the weaknesses of a web application.



This attack tool gives a malicious user access to things like the back-end database fingerprint, command execution on the operating system, access to hidden file systems, username and password hashes, data extraction from the database and the ability to run arbitrary SQL statements.


There are also SQL injection tools for mobile devices:


This app covers techniques such as normal injection, time-based injection, blind injection and so on, by letting users test MySQL web applications against SQL injection attacks.

Detecting SQL injection vulnerabilities

It is possible to check which systems are vulnerable to SQL injection, either manually or with tools such as CodeSecure, Microsoft Source Code Analyzer, HP QAinspect and others. This way of finding vulnerable web applications is known as source code review. It comes in two types. In dynamic code analysis the program is analysed while it runs, which is used to discover vulnerabilities in code that interacts with web services, SQL databases and so on. In static code analysis, issues in the program's source code are found by analysis without executing it.
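To illustrate what a static code analysis for SQL injection actually inspects, here is an added example (not from the article, and far simpler than the products named above) that walks a Python module's syntax tree and reports every execute-style database call whose SQL argument is assembled at run time. The module it scans is constructed for the demonstration; the call names it looks for are those of the Python DB-API.

```python
import ast

# Constructed sample module (not real application code): two calls that build
# SQL from input, one that uses a placeholder, one that passes a variable.
SAMPLE_SOURCE = '''
import sqlite3

def unsafe_concat(conn, name):
    return conn.execute("SELECT * FROM user WHERE name = '" + name + "'")

def unsafe_fstring(conn, name):
    return conn.execute(f"SELECT * FROM user WHERE name = '{name}'")

def safe(conn, name):
    return conn.execute("SELECT * FROM user WHERE name = ?", (name,))

def indirect(conn, name):
    sql = "SELECT * FROM user WHERE name = '%s'" % name
    return conn.execute(sql)
'''

DB_CALLS = {"execute", "executemany", "executescript"}


def classify_sql_arg(node):
    """'constant' for a literal string, 'dynamic' for a string assembled at run
    time (concatenation, % or .format formatting, f-string), and 'review' for
    anything else (a variable, a function result) whose origin needs a look."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return "constant"
    if isinstance(node, ast.JoinedStr):
        return "dynamic"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "dynamic"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "dynamic"
    return "review"


def find_unsafe_queries(source, filename="<sample>"):
    """Return (line, severity, message) for every DB-API execute-style call
    whose first argument is not a constant SQL string, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in DB_CALLS and node.args):
            continue
        verdict = classify_sql_arg(node.args[0])
        if verdict == "dynamic":
            findings.append((node.lineno, verdict,
                             f"{node.func.attr}() receives SQL assembled at run time; bind values with placeholders"))
        elif verdict == "review":
            findings.append((node.lineno, verdict,
                             f"{node.func.attr}() receives SQL from a variable; check how it is built"))
    return sorted(findings)


if __name__ == "__main__":
    for line, severity, message in find_unsafe_queries(SAMPLE_SOURCE):
        print(f"line {line}: [{severity}] {message}")
```

The two concatenating functions are reported outright, the placeholder version is silent, and the variable case is flagged for review because a single-pass scanner cannot see where the string came from. Following that variable back to its assignment (taint tracking) is what separates the commercial static analysers from this sketch; the dynamic-analysis approach mentioned above answers the same question by observing the queries the running program actually sends.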

Published with the express permission of the author.