SQL Injection

November 14, 2021 By Ryan Barger

A SQL injection (SQLi) occurs when an unfiltered user-supplied parameter is interpreted as executable logic by a database management system (DBMS). The impact of this vulnerability ranges from disclosure of sensitive data to arbitrary code execution.

As with most vulnerabilities, this deficiency is caused by improper input validation and/or output encoding. Concatenating strings to build a SQL statement is the pattern most commonly associated with vulnerable code.

Exploitation

An attacker will append a series of special characters to request parameters in search of SQLi. System errors or abnormal responses help pinpoint vulnerable segments of the application.
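From the defender's side, the same signals the paragraph describes (a quote character or comment sequence in a parameter, followed by a server error or an unusually large response) can be picked out of web-server access logs. The following is an added example, not code from the original post: it parses a few constructed Combined-Log-Format lines (hypothetical hosts, paths and timestamps), URL-decodes each query parameter, and assigns a severity. A lone apostrophe in a name such as "o'neil" is deliberately rated low so the heuristic does not drown in false positives.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical; Combined Log Format style).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2021:10:01:02 +0000] "GET /product?id=42 HTTP/1.1" 200 1834
10.0.0.7 - - [14/Nov/2021:10:01:09 +0000] "GET /product?id=42%27 HTTP/1.1" 500 512
10.0.0.7 - - [14/Nov/2021:10:01:15 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98311
10.0.0.9 - - [14/Nov/2021:10:02:00 +0000] "GET /search?q=o%27neil HTTP/1.1" 200 2201
"""

# Pulls client IP, request target and status code out of one access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
# SQL keywords and comment/terminator sequences that rarely occur in normal input.
SQL_TOKEN_RE = re.compile(r"(\b(or|and|union|select|sleep)\b|--|/\*|;)", re.IGNORECASE)


def classify_value(value, status):
    """Return a severity for one decoded parameter value, or None if nothing stands out."""
    has_quote = "'" in value or '"' in value
    has_comment = "--" in value or "/*" in value or ";" in value
    if not (has_quote or has_comment):
        return None
    if status >= 500:
        # A quote that produced a server error is the classic probe-and-error signature.
        return "high"
    if SQL_TOKEN_RE.search(value):
        # Quote plus SQL keyword: the value looks like it is meant to be parsed as SQL.
        return "medium"
    # A bare apostrophe on its own (e.g. O'Neil) is usually legitimate data.
    return "low"


def scan_log(text):
    """Scan access-log text and return a list of findings, one per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        status = int(match.group("status"))
        query = urlsplit(match.group("target")).query
        # parse_qsl URL-decodes, so %27 becomes a real quote before matching.
        for name, value in parse_qsl(query):
            severity = classify_value(value, status)
            if severity:
                findings.append({
                    "ip": match.group("ip"),
                    "param": name,
                    "value": value,
                    "status": status,
                    "severity": severity,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decode-before-match step matters: a rule that looks for a literal apostrophe in the raw request line never sees `%27`. Treat the output as triage input rather than a verdict; correlating the "high" hits with application error logs confirms whether the quote actually reached the DBMS.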

A methodical process of tweaking the request parameter then follows to perfect the payload. This often necessitates setting up a test instance of the target DBMS. By contrast, a more haphazard approach employs automated exploitation frameworks, most notably SQLMap.

Technical hurdles often accompany exploitation of a SQLi vulnerability, and attackers frequently need creative solutions to exfiltrate data and further their attack; one example is appending exfiltrated data to a user-retrievable value within the database. The image below depicts a payload that stores data in a user's profile image. An attacker can subsequently retrieve the information simply by navigating to the image URL.

Remediation

Parameterized statements ensure that any value supplied to a SQL command is passed to the DBMS as data rather than as part of the statement text (the equivalent of output encoding it). This will almost always prevent exploitation.
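The contrast between the concatenation pattern flagged above and a parameterized statement is easiest to see side by side. The block below is an added example, not code from the original post; it uses Python's standard sqlite3 module with a constructed in-memory users table (hypothetical names and addresses). Both lookup functions receive the same three inputs: a normal username, a value containing a lone apostrophe (the kind of input that produces the "system error" mentioned under Exploitation), and a value that closes the quoted string and appends an always-true condition. It also goes one step beyond the paragraph: column names cannot be bound as parameters, so a sort column from the user is checked against an allow-list instead.

```python
import sqlite3

# Constructed sample data (hypothetical users).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]

# Identifiers (table and column names) cannot be parameters; they need an allow-list.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def build_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the user value becomes part of the SQL text itself."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Placeholder binding: the DBMS receives the value separately and treats it as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def list_users_sorted(conn, sort_column):
    """Sort by a user-chosen column, validated against the allow-list before interpolation."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe only because sort_column is one of a fixed set of known identifiers.
    return conn.execute(f"SELECT username, email FROM users ORDER BY {sort_column}").fetchall()


def compare(username):
    """Run both lookups on one input and report row counts and any DBMS error."""
    conn = build_db()
    result = {"parameterized_rows": len(lookup_parameterized(conn, username))}
    try:
        result["vulnerable_rows"] = len(lookup_vulnerable(conn, username))
        result["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        # The lone apostrophe breaks the statement; this is the error a prober looks for.
        result["vulnerable_rows"] = None
        result["vulnerable_error"] = str(exc)
    return result


if __name__ == "__main__":
    for value in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(value), compare(value))
```

For "alice" both functions return one row. For "o'brien" the concatenated statement is malformed and sqlite3 raises OperationalError, while the parameterized query simply finds no match. For the always-true input the concatenated version returns every user and the parameterized version returns nothing, because the DBMS is looking for a user literally named `' OR '1'='1`. The allow-list in list_users_sorted covers the case the paragraph's "almost always" leaves open: anything that must be spliced into the statement text, such as a column name, is restricted to known values rather than bound.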