SQL Injection For Beginners: Introduction
SQL Injection is a type of injection attack in which a SQL statement is altered by injecting a malicious payload, which is used to execute the attacker’s SQL query on the application database.
To understand it better consider this layman example.
If I’ll create an account on some website with my name, then the website will send instruction to its backend to ‘CREATE USER WITH NAME PRATHAM’.
Here ‘PRATHAM’ is my name given as an input. If I replace my input name ‘ PRATHAM’ with something like ‘PRATHAM AND ALSO GIVE ME ALL USERNAMES AND PASSWORDS’ than it will totally change the meaning of the Instruction that was given to the backend.
The new instruction will become ‘CREATE USER WITH NAME PRATHAM AND ALSO GIVE ALL USERNAMES AND PASSWORDS’. This may trick the server to give all the private information to a non-authorized user and is called command injection.
This SQL injection Tutorial is divided in three parts i.e. Introduction, SQL Injection Manually, SQL Injection using Sqlmap. In this section, I will explain about SQL and some basic queries in context to SQL injection. If you are already familiar with SQL than you can skip this post and continue to next part of this tutorial where you will learn to find and exploit SQL injection manually.
What is SQL
SQL or Standard Query Language is a programming language that is used to manage and perform operations in relational databases. In SQL, every single operational line is called a SQL Query.
This is a SQL query to select all rows & columns from a table named ‘users’
SELECT * FROM users;
Basic Types of SQL
As a beginner, you need to know about these 3 most used types of SQL statements.
Data Definition Language (DDL)
DDL queries are used to define the schema of a database. It is used in creating databases and tables, defining the structure of the tables and the columns.
Examples :- Create table, Alter table, Drop table
Data Manipulation Language (DML)
DML queries are used to manipulate already existing data inside a table or insert new data (rows) inside a table. It helps to edit, delete, and create rows.
Examples :- Insert into, update table (rows) and delete table (rows)
Data Query Language (DQL)
DQL queries are used to fetch required data from the database. It can be used to fetch data from all the rows, fetch specific data, sort data, count data and even calculate values inside the rows.
Examples :- Select * from table; Select count(id) from table;
Basic Operations using SQL
These SQL queries are used to perform basic operations in a database like CREATE, INSERT, UPDATE, SELECT, DELETE.
Create a new Database
This query creates a database called facebook. A Database is a collection of tables and is usually the same or related to the application name.
CREATE DATABASE facebook;
Create a new Table
This query creates a new table called ‘users’ with columns id, name, password, email. Here, INT and VARCHAR are the data types.
CREATE TABLE users(id INT(6),name VARCHAR(50),password VARCHAR(100),email VARCHAR(128))
But in a more realistic query, some attributes like AUTO_INCREMENT, PRIMARY KEY and NOT NULL are used.
CREATE TABLE users(id INT(6) AUTO_INCREMENT PRIMARY KEY,name VARCHAR(50) NOT NULL,password VARCHAR(100) NOT NULL,email VARCHAR(128) NOT NULL)
Insert a new row
This query inserts a new row in to the table ‘users’ which we previously created. This is an important query because it’s often injected with SQL payloads.
INSERT INTO users(name, password, email) VALUES ('John Doe', 'supersecret', 'firstname.lastname@example.org');
Select data from Table
The SELECT query is used to select row/rows from a table with given condition or logic.
This query selects all the rows and columns from the table called ‘users’
SELECT * FROM users;
WHERE clause: It is used to select rows based on a specified condition.
This query selects all users where email is ‘email@example.com’ and password is ‘supersecret’. A similar implementation of SQL query is often found in basic login mechanisms. If the query gives at least 1 row, then it indicates that the credentials are correct and authentication is successful.
SELECT id FROM users WHERE email = 'firstname.lastname@example.org' AND password = 'supersecret';
Delete a row from Table
This query deletes a row from the table ‘users’ where id is 2. (Notice the use of quotes where ever the data is used. Strings should be surrounded with single quotes, and Numerical & Boolean Values can be used directly with any quotes.)
DELETE from users WHERE id = 6;
In this part, you learned about SQL Injection, SQL, its types and basic queries. This was all the pre-required knowledge you needed to actually start exploiting SQL vulnerabilities. You can now continue to the next post, where we will actually exploit the vulnerability.