SQL injection has been around for a long time, and there's no telling when or how many times attackers were able to get access to the law firm. Security researcher Caleb Sima tells his story about working at Internet Security Systems (ISS) as a member of their X-Force in 1994.

According to him, he was employed to break into companies to prove that people needed to buy their software. He did a pentest for a Canadian oil company and called up a few SQL injection experts. They figured out how to piggy-back SQL onto the command and then bypass the login to get access to this oil company.

Part of the problem was that, when he first started researching the attack method in the mid-90s, no one else cared about the web, including VCs. They thought firewalls solved the problem of web app vulnerabilities - including the ones that allowed Caleb to hack into eBay's administrator menu and cancel bids, choose winners and more.

Well, this is his story - in his words - about how he made bank at age 17 doing research on SQL injection vulnerabilities. Watch this dramatic action-figure reenactment of Caleb's story.

An anonymous reader writes with this history of SQL injection attacks. From the Motherboard article: "SQL injection (SQLi) is where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. 'It's the most easy way to hack,' the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a 'few hours.' But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against."

SQL DEMONSTRATION

```php
<?php
// Vulnerable code from the demonstration: $id is taken straight from the
// request and concatenated into the query text with no validation.
$id = $_REQUEST['id'];
//echo time();
$query = "SELECT cat_id,id,category,title,description,pict_url,minimum_bid,ends,cat_name,quantity,flag
          FROM " . $DBPrefix . "categories INNER JOIN " . $DBPrefix . "auctions
          ON vesp_categories.cat_id=vesp_auctions.category where id=" . $id . "
          AND starts <= " . time() . " AND suspended = 0";
// The query is run with mysql_query(), which executes a single statement.
$result = mysql_query($query);
```

Multiple queries are out of the question: mysql_query is being used and is not instructed to allow multiple statements.

Injected value for the id parameter (a single line):

```
?id=143 AND 1=0 union select null,null,null,nick,password,null,null,null,null,null,null from bidz_users limit 1,1-- -
```
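To show why the concatenation above matters and how it is fixed, here is an added example (not code from the original page or from the auction application it shows) that rebuilds the same lookup in Python on an in-memory SQLite database. The `vesp_` prefix value, the users table and every row are constructed; `fetch_auction_vulnerable` reproduces the PHP string-building, while `fetch_auction_safe` validates the id as an integer and binds it as a query parameter.

```python
import sqlite3
import time

# Added example, not code from the original page. The table layout mirrors
# the column names in the page's query; the prefix value, the rows and the
# user records are constructed for the demonstration.
DB_PREFIX = "vesp_"  # stands in for $DBPrefix

COLUMNS = ("cat_id,id,category,title,description,pict_url,minimum_bid,"
           "ends,cat_name,quantity,flag")

# The page's UNION payload, with the users table named through the prefix.
PAYLOAD = ("143 AND 1=0 union select null,null,null,nick,password,null,null,"
           "null,null,null,null from " + DB_PREFIX + "users limit 1,1-- -")


def make_db():
    """Create the three tables the query touches and seed constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {DB_PREFIX}categories (cat_id INTEGER, cat_name TEXT);
        CREATE TABLE {DB_PREFIX}auctions (
            id INTEGER, category INTEGER, title TEXT, description TEXT,
            pict_url TEXT, minimum_bid REAL, ends INTEGER, quantity INTEGER,
            flag INTEGER, starts INTEGER, suspended INTEGER);
        CREATE TABLE {DB_PREFIX}users (nick TEXT, password TEXT);
        INSERT INTO {DB_PREFIX}categories VALUES (1, 'Books');
        INSERT INTO {DB_PREFIX}auctions VALUES
            (143, 1, 'Old atlas', 'constructed', 'atlas.png', 5.0,
             4102444800, 1, 0, 0, 0);
        INSERT INTO {DB_PREFIX}users VALUES ('alice', 'constructed-hash-1');
        INSERT INTO {DB_PREFIX}users VALUES ('admin', 'constructed-hash-2');
    """)
    return conn


def fetch_auction_vulnerable(conn, raw_id):
    """Mirrors the PHP: the raw request value is glued into the SQL text."""
    sql = ("SELECT " + COLUMNS + " FROM " + DB_PREFIX + "categories INNER JOIN "
           + DB_PREFIX + "auctions ON " + DB_PREFIX + "categories.cat_id="
           + DB_PREFIX + "auctions.category WHERE id=" + raw_id
           + " AND starts <= " + str(int(time.time())) + " AND suspended = 0")
    return conn.execute(sql).fetchall()


def fetch_auction_safe(conn, raw_id):
    """Hardened version: validate the type, then bind the value as a parameter."""
    try:
        auction_id = int(raw_id)  # an auction id is an integer, nothing else
    except (TypeError, ValueError):
        raise ValueError("invalid auction id") from None
    sql = ("SELECT " + COLUMNS + " FROM " + DB_PREFIX + "categories INNER JOIN "
           + DB_PREFIX + "auctions ON " + DB_PREFIX + "categories.cat_id="
           + DB_PREFIX + "auctions.category"
           " WHERE id=? AND starts <= ? AND suspended = 0")
    # The driver sends the values separately from the statement text, so
    # they can never change the structure of the statement.
    return conn.execute(sql, (auction_id, int(time.time()))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_auction_vulnerable(db, "143"))    # the auction row
    print(fetch_auction_vulnerable(db, PAYLOAD))  # a users row comes back instead
    print(fetch_auction_safe(db, "143"))          # the auction row
    try:
        fetch_auction_safe(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone would already stop the injection, because the whole string would be compared as one text value against the numeric id column; the integer check on top rejects the request outright, which gives a clean error to return and a log entry worth alerting on.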

SQLmap

SQLMap is an open source SQL injection tool and the most popular of all the SQL injection tools available. It makes it easy to exploit the SQL injection vulnerability of a web application and take over the database server. It comes with a powerful detection engine that can detect most SQL injection related vulnerabilities.

It supports a wide range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB; most of the popular database servers are already covered. It also supports various kinds of SQL injection attacks, including boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

One good feature of the tool is that it comes with a built-in password hash recognition system. It helps in identifying the type of password hash and then cracking the password by performing a dictionary attack.

This tool allows you to download files from, or upload files to, the database server when the DB server is MySQL, PostgreSQL or Microsoft SQL Server. For these three database servers only, it also allows you to execute arbitrary commands on the database server and retrieve their standard output.

After connecting to a database server, this tool also lets you search for a specific database name, specific tables or specific columns across the whole database server. This is a very useful feature when you want to find a specific column but the database server is huge and contains too many databases and tables.
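Every technique listed above (UNION queries, boolean tautologies, comment terminators, stacked queries) has to travel through the application's request parameters, so a defender can look for the same patterns in the web server's access log. The following is an added example, not part of the original page or of SQLmap: a small Python scanner over constructed combined-format log lines. The signatures are assumptions that would need tuning against real traffic, and the log lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the original page. Scans access-log lines for
# the request patterns this page describes; log lines and signatures are
# constructed and illustrative.

# Apache/nginx "combined" format: client, identity, user, timestamp,
# request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "comment_tail": re.compile(r"(?:--[\s-]*|#\s*)$"),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
}

# Constructed sample log: a normal lookup, the UNION payload from this page,
# a normal login, and a tautology probe against a search form.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=143 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=143%20AND%201%3D0%20union%20select%20null%2Cnull%2Cnull%2Cnick%2Cpassword%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%20from%20bidz_users%20limit%201%2C1--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.php?q=%27%20OR%201%3D1-- HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""


def decode_request_path(path):
    """URL-decode twice so double-encoded payloads (%2527) are still visible."""
    return unquote_plus(unquote_plus(path))


def scan_log(text):
    """Return one finding per log line whose decoded request matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = decode_request_path(m.group("path"))
        matched = sorted(name for name, rx in SIGNATURES.items()
                         if rx.search(decoded))
        if matched:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")),
                             "path": decoded, "signatures": matched})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["signatures"], hit["path"])
```

The decoding step matters more than the signature list: the payloads on this page arrive percent-encoded, and a rule that matches only the raw request line sees `%20union%20select` rather than `union select`. POST bodies, where login credentials travel, are not in a standard access log, so the login case needs application-level logging of the rejected request instead.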

SQL Injections: Advantage

SQL injection consists of the insertion of an SQL query from the client into the web application via the input data.

SQL injection is a security threat and a technique in which malicious users add SQL code to web form input to get access to the data resources and make changes to them. An SQL query is a request to perform actions on the database. These SQL injections can alter the entire database. Any malicious user can use SQL injections to attack the database and control the web application's database server to alter the database or copy the whole source code from the web page. In some cases, it also issues commands to the operating system.

SQL injections can be used to edit, delete or modify the records and content of the database and so affect data integrity. By taking advantage of an SQL injection, an attacker can retrieve the whole content, information and authentication mechanism of the web application's entire database.

How SQL injections work
An attacker needs to find an input in the web application that is included in SQL queries in order to run malicious SQL queries against the database server. For an SQL injection to take place, the website needs to directly include user input within an SQL statement.

An attacker can craft the username and password input in such a way that it alters the SQL statements executed by the SQL database server. Once the query is executed, the result is processed. An attacker can thus insert a payload into the SQL query and run it against the database server. The pseudocode to authenticate the user on the server side:

```python
# Pseudocode from the page; request and database are the web framework's
# request object and database handle. The credentials are concatenated
# straight into the SQL text, so the query is vulnerable to SQLi.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)
```

If the password field is supplied as `password' OR 1=1`, the statement sent to the database becomes:

```sql
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
```

The code is a simple example of inserting the username and password into the query against the users table. Because the input is spliced into the statement, an attacker can take control of the rest of the SQL query that the database executes.
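An added example, not code from the original page, of how the login above is written so that neither field can alter the query: the username is bound as a parameter, and the password is never placed in the SQL at all but checked in application code against a salted PBKDF2 hash. The users table, the account and the credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not code from the original page: the login pseudocode
# rewritten with a parameterised lookup and hashed password verification.
# The users table and the single account are constructed.

ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of the password; returns the raw digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_users():
    """Create a users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse battery staple", salt)))
    conn.commit()
    return conn


def authenticate(conn, uname, passwd):
    """Return the user's id on success, None otherwise."""
    # Parameterised lookup: whatever uname contains (quotes, OR 1=1, comment
    # markers) is compared as a literal username, never parsed as SQL.
    row = conn.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                       (uname,)).fetchone()
    if row is None:
        # Do the same hashing work for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(passwd, b"\x00" * 16)
        return None
    user_id, salt, stored = row
    candidate = hash_password(passwd, salt)
    # Constant-time comparison of the two digests.
    return user_id if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    db = make_users()
    print(authenticate(db, "alice", "correct horse battery staple"))  # 1
    print(authenticate(db, "alice", "password' OR 1=1"))              # None
    print(authenticate(db, "' OR 1=1-- ", "anything"))                # None
```

The password string from the page, `password' OR 1=1`, is now just a wrong password: it is hashed and compared, and the database never sees it. This also removes the second weakness in the pseudocode, which stored and compared passwords in clear text.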

Risk factors

Platforms that can be affected by SQL injection:

- SQL language
- Any platform that supports SQL.

Main consequences:

- Confidentiality
- Authorization
- Integrity
- Authenticity

SQL Injections: Disadvantage

What's the worst an attacker can do


SQL is a programming language designed for managing data stored in an RDBMS. It is used to access, delete and modify the database, and it can also run commands on the operating system. As mentioned above, this gives an idea of how advantageous an SQL injection attack can be for the attacker.

- An attacker can bypass authentication, destroy the database, or impersonate a user.
- SQL functions select the database and generate queries that add, delete and modify the database, and execute them to get the output. An SQL injection allows the disclosure of all the data residing in the database.
- It is used to delete data from the database or destroy all of the data.
- It is also used to alter the information within the database.
