Impact of SQL Injection<\/h2>\n
SQL Injection can have severe consequences:<\/p>\n
- \n
- Unauthorized Access:<\/strong>\u00a0Attackers can gain unauthorized access to your application and steal sensitive data, compromising user privacy.<\/li>\n
- Data Manipulation:<\/strong>\u00a0They can alter, delete, or manipulate data within your database, leading to data corruption or loss.<\/li>\n
- System Takeover:<\/strong>\u00a0By executing database-specific system commands, attackers can take control of the system where your database server is running.<\/li>\n<\/ul>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nHow SQL Injection Works<\/h2>\n
Let’s illustrate SQL Injection using a Java-based example. Consider a database table named tblUsers\u00a0storing user data, with userId as the primary column. A simple Java query might look like this:<\/p>\n
\r\nString userId = {get data from end user};\u00a0\r\nString sqlQuery = \"SELECT * FROM tblUsers WHERE userId = \" + userId;\r\nValid User Input: When provided with valid data (e.g., userId value 132), the query executes normally.<\/code><\/pre>\n1. Valid Input Data: 132<\/strong><\/p>\n
Executed Query:\u00a0SELECT * FROM tblUsers\u00a0WHERE userId=132<\/p>\n
Result:\u00a0Data for the user with userId 132 is retrieved, and no SQL Injection occurs.<\/p>\n
2. Hacker User Input:<\/strong><\/p>\n
An attacker can manipulate user input to inject malicious code (e.g., 2 or 1=1) bypassing UI-side validation.<\/p>\n
Input Data:\u00a02 or 1= 1<\/p>\n
Executed Query:\u00a0SELECT * FROM tblUsers\u00a0WHERE userId=2 or 1=1<\/p>\n
Result:\u00a0The query has two conditions joined by SQL OR.<\/p>\n
- \n
- userId=2: This matches rows with userId equal to ‘2’.<\/li>\n
- 1=1: This condition always evaluates to true, returning all rows from the table.<\/li>\n<\/ul>\n
In the second scenario, SQL Injection occurs as the attacker has crafted input that manipulates the query’s logic.<\/p>\n
Certainly, let’s explain each type of SQL Injection with input data and queries<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nTypes of SQL Injection<\/h2>\n
1. Boolean-Based SQL Injection<\/h3>\n
Input Data:\u00a0Suppose we have a login form where users enter their credentials. A malicious user inputs the following in the password field: `2 or 1=1`.<\/p>\n
SQL Query:\u00a0In the background, the SQL query for this login check might look like this:<\/p>\n
\r\nSELECT * FROM users WHERE username = 'input_username' AND password = 'input_password'<\/code><\/pre>\n<\/div>\nBut with the malicious input, it becomes:<\/p>\n
\r\nSELECT * FROM users WHERE username = 'input_username' AND password = '2 or 1=1'<\/code><\/pre>\n<\/div>\nExplanation: The injected `2 or 1=1` creates a boolean expression that always evaluates to true. So, the query effectively becomes a search for any user where the username matches and the password is either the actual password or always true (1=1). This allows the attacker to log in without knowing the correct password.<\/p>\n
2. Union-Based SQL Injection<\/h3>\n
In a search field of a vulnerable web application, an attacker enters the following:<\/p>\n
Input Data:\u00a0 `2 UNION SELECT username, password FROM users`.<\/p>\n
SQL Query:\u00a0The original query might be something like:<\/p>\n
<\/div>\n\r\nSELECT name FROM products WHERE name = 'input_data'<\/code><\/pre>\n<\/div>\nWith the injected input, it becomes:<\/p>\n
<\/div>\n\r\nSELECT name FROM products WHERE name = '2 UNION SELECT username, password FROM users'<\/code><\/pre>\n<\/div>\nExplanation:<\/strong> The attacker uses the SQL UNION operator to combine the original query with a second query, fetching usernames and passwords from the `users`<\/strong> table. If the query is successful, it will return the results of both queries, effectively exposing sensitive user data.<\/p>\n
3. Time-Based SQL Injection<\/h3>\n
Input Data:\u00a0The attacker inputs something like `2 + SLEEP(5)` into a search field.<\/p>\n
SQL Query:\u00a0The original query might be:<\/p>\n
\r\nSELECT product_name FROM products WHERE id = 'input_data'<\/code><\/pre>\nWith the injected input, it becomes:<\/p>\n
\r\nSELECT product_name FROM products WHERE id = 2 + SLEEP(5)<\/code><\/pre>\nExplanation:<\/strong> In this case, the attacker injects a function (`SLEEP(5)`) into the query. If the database executes this query, it will pause for 5 seconds. This can slow down the database server and potentially lead to a denial of service (DoS) attack.<\/p>\n
4. Error-Based SQL Injection<\/h3>\n
Input Data:\u00a0The attacker inputs something like `2′ OR 1=1; –`.<\/p>\n
SQL Query:\u00a0The original query might be:<\/p>\n
\r\nSELECT product_name FROM products WHERE id = 'input_data'<\/code><\/pre>\nWith the injected input, it becomes:<\/p>\n
\r\nSELECT product_name FROM products WHERE id = '2' OR 1=1; --'<\/code><\/pre>\nExplanation:<\/strong> In this type, the attacker deliberately injects SQL syntax errors into the query. The `–` is used to comment out the rest of the query. The attacker attempts to provoke an error that provides valuable information about the database structure or other sensitive details. In this case, the query will likely result in an error message that the attacker can use to learn more about the database.<\/p>\n
Important note:\u00a0<\/strong> These examples are for educational purposes, and ethical hacking should only be performed with proper authorization on systems you own or have explicit permission to test.<\/div>\n<\/div>\nJava SQL Injection Example<\/h2>\n
In this example, we’ll create a simple Java web application<\/a> that simulates user login using a MySQL database. We’ll demonstrate how SQL Injection can occur and how to prevent it.<\/p>\n
- \n
- Database Setup [MySQL]:<\/li>\n
- Create a database named userdb.<\/li>\n
- Create a table named users with columns id, username, and password.<\/li>\n<\/ul>\n
Insert some sample data into the user’s table:<\/h3>\n
SQL Query<\/h4>\n
<\/div>\n\r\nCREATE DATABASE userdb;\r\nUSE userdb;\r\nCREATE TABLE users (\r\n\u00a0 \u00a0 id INT AUTO_INCREMENT PRIMARY KEY,\r\n\u00a0 \u00a0 username VARCHAR(255),\r\n\u00a0 \u00a0 password VARCHAR(255)\r\n);<\/code><\/pre>\n<\/div>\n<\/div>\n\r\nINSERT INTO users (username, password) VALUES ('alice', 'alice_password');\r\nINSERT INTO users (username, password) VALUES ('bob', 'bob_password');<\/code><\/pre>\n<\/div>\nJava Servlet Code<\/h3>\n
Create a Java servlet named LoginServlet.java:<\/p>\n
<\/div>\n\r\nimport java.io.IOException;\r\nimport java.io.PrintWriter;\r\nimport java.sql.Connection;\r\nimport java.sql.DriverManager;\r\nimport java.sql.PreparedStatement;\r\nimport java.sql.ResultSet;\r\nimport java.sql.SQLException;\r\nimport javax.servlet.ServletException;\r\nimport javax.servlet.annotation.WebServlet;\r\nimport javax.servlet.http.HttpServlet;\r\nimport javax.servlet.http.HttpServletRequest;\r\nimport javax.servlet.http.HttpServletResponse;\r\n@WebServlet(\"\/LoginServlet\")\r\npublic class LoginServlet extends HttpServlet {\r\n\u00a0 \u00a0 private static final long serialVersionUID = 1L;\r\n\u00a0 \u00a0 protected void doPost(HttpServletRequest request, HttpServletResponse response)\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 throws ServletException, IOException {\r\n\u00a0 \u00a0 \u00a0 \u00a0 String username = request.getParameter(\"username\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 String password = request.getParameter(\"password\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \/\/ Perform authentication\r\n\u00a0 \u00a0 \u00a0 \u00a0 boolean isAuthenticated = authenticateUser(username, password);\r\n\u00a0 \u00a0 \u00a0 \u00a0 response.setContentType(\"text\/html\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 PrintWriter out = response.getWriter();\r\n\u00a0 \u00a0 \u00a0 \u00a0 if (isAuthenticated) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<html><body>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<h1>Login Successful<\/h1>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<p>Welcome, \" + username + \"!<\/p>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<\/body><\/html>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 } else {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<html><body>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<h1>Login Failed<\/h1>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<p>Invalid credentials. Please try again.<\/p>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 out.println(\"<\/body><\/html>\");\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 \u00a0 private boolean authenticateUser(String username, String password) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 String jdbcUrl = \"jdbc:mysql:\/\/localhost:3306\/userdb\";\r\n\u00a0 \u00a0 \u00a0 \u00a0 String dbUser = \"your_db_username\";\r\n\u00a0 \u00a0 \u00a0 \u00a0 String dbPassword = \"your_db_password\";\r\n\u00a0 \u00a0 \u00a0 \u00a0 try (Connection connection = DriverManager.getConnection(jdbcUrl, dbUser, dbPassword)) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 String sql = \"SELECT * FROM users WHERE username = ? AND password = ?\";\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 PreparedStatement preparedStatement = connection.prepareStatement(sql);\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 preparedStatement.setString(1, username);\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 preparedStatement.setString(2, password);\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ResultSet resultSet = preparedStatement.executeQuery();\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return resultSet.next(); \/\/ User is authenticated if a result is found\r\n\u00a0 \u00a0 \u00a0 \u00a0 } catch (SQLException e) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 e.printStackTrace();\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return false;\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n}<\/code><\/pre>\n<\/div>\nWeb Page (login.html)<\/h3>\n
Create an HTML login form in a file named login.html:<\/strong><\/p>\n
Sign up and avail $100 free credits now!!<\/a><\/p>\n
HTML code<\/h4>\n
<\/div>\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n\u00a0 \u00a0 <title>Login Page<\/title>\r\n<\/head>\r\n<body>\r\n\u00a0 \u00a0 <h2>Login<\/h2>\r\n\u00a0 \u00a0 <form action=\"LoginServlet\" method=\"post\">\r\n\u00a0 \u00a0 \u00a0 \u00a0 <label for=\"username\">Username:<\/label>\r\n\u00a0 \u00a0 \u00a0 \u00a0 <input type=\"text\" id=\"username\" name=\"username\" required><br><br>\r\n\u00a0 \u00a0 \u00a0 \u00a0 <label for=\"password\">Password:<\/label>\r\n\u00a0 \u00a0 \u00a0 \u00a0 <input type=\"password\" id=\"password\" name=\"password\" required><br><br>\r\n\u00a0 \u00a0 \u00a0 \u00a0 <input type=\"submit\" value=\"Login\">\r\n\u00a0 \u00a0 <\/form>\r\n<\/body>\r\n<\/html><\/code><\/pre>\n<\/div>\nIn this example, the LoginServlet receives the username and password from the login form. It then authenticates the user by querying the database using a prepared statement, which prevents SQL Injection.<\/p>\n
Feel free to use this example as a reference while ensuring that you have configured your database connection properly, and replace your_db_username and your_db_password with your actual database credentials.<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nPreventing SQL Injection in Java<\/h2>\n
- Data Manipulation:<\/strong>\u00a0They can alter, delete, or manipulate data within your database, leading to data corruption or loss.<\/li>\n
![\"SQL](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2023\/12\/3sql.png\" "\\"SQL")
<\/a><\/p>\n