SQL injection is a method of using poorly secured web-form inputs to execute SQL queries and thereby exploit a system.
An SQL injection attack consists of the insertion or "injection" of SQL into the input data sent from the client (browser) to the application (server script).
https://www.youtube.com/watch?v=ciNHn38EyRc&feature=youtu.be
If you type a single quote (') into an input box and the input is sanitised (protected from attack), the page will display a normal result; if it is not sanitised, the page may instead display an error. When the page shows "error in query", we know there is a chance this input is vulnerable.
Different SQL implementations have slightly different syntax, so in order to exploit an SQL server we need to know which type of server is running. This can be determined by using commands that are specific to each database implementation.
One way to do this is to use a sleep (delay) command, which slows down the fetching of rows in a query. For example:
SLEEP(2) is a MySQL command to wait 2 seconds between fetching rows in the answer to a query.
pg_sleep(2) is a PostgreSQL command to make the server wait 2 seconds when executing a query.
WAITFOR DELAY '2:00'; is the equivalent in Microsoft SQL Server (Transact-SQL).
You can use these commands to test which type of database implementation is being used.
For instance, if you use the SLEEP(2) command and there is a delay before the results are displayed, you know that this is a MySQL implementation.
If an input box has been found to be vulnerable because its input is not sanitised, this means the string is not checked as it is passed, exactly as received, to the database engine. A single quote you add will therefore appear inside the query string, and it can be used to add SQL commands to the query.
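The following is an added example, not code from the original page: it uses Python's built-in sqlite3 module as a stand-in database engine (an assumption; the page does not name one) to show the difference between a query built by string concatenation and a parameterized query. In the concatenated version a single quote becomes part of the SQL text and produces the "error in query" behaviour described above; in the parameterized version the same quote is handled as data and simply matches no row. The table and rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Unsanitised path: the input is pasted into the SQL text, so a quote
    # in the input changes the structure of the query itself.
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # Echoing the engine's error is what reveals the weakness to a tester.
        return "error in query: " + str(exc)


def lookup_parameterized(conn, name):
    # Hardened path: the SQL text is fixed and the value is bound separately,
    # so a quote in the input is just a character to compare against.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))      # normal result
    print(lookup_vulnerable(db, "'"))          # error in query: ...
    print(lookup_parameterized(db, "'"))       # [] (no row named "'")
```

The fix is the second function: keep the query text constant and pass user input only as a bound parameter, and do not return the database engine's error text to the client.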
Now you can start to use this vulnerability to get data by inserting SQL SELECT statements that display data. To do this you need the SQL UNION command. UNION appends the results of a second query to the results of the initial query, which is what allows another query to be added.
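From the defender's side, every probe described on this page leaves a trace in the web server's request log: a lone quote followed by an error status, the database-specific delay commands, a response that takes about as long as the requested delay, and UNION SELECT in a parameter. The block below is an added example, not code from the original page; it runs a small set of signatures over constructed log lines in an assumed four-field format (client IP, request path, HTTP status, response time in milliseconds) and groups the findings per client.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (not from any real system).
# Assumed format: client_ip request_path http_status response_time_ms
SAMPLE_LOG = """\
203.0.113.5 /search?q=laptops 200 41
203.0.113.9 /search?q=%27 500 38
203.0.113.9 /search?q=laptops%27+AND+SLEEP%282%29--+ 200 2043
203.0.113.9 /search?q=laptops%27+AND+pg_sleep%282%29-- 200 2052
203.0.113.9 /search?q=1%27%3B+WAITFOR+DELAY+%272%3A00%27-- 200 2010
203.0.113.9 /item?id=7+UNION+SELECT+1%2C2%2C3 200 45
198.51.100.2 /item?id=7 200 12
"""

# Signatures for the fingerprinting and extraction commands named on the page.
PROBE_PATTERNS = {
    "mysql_sleep":   re.compile(r"\bsleep\s*\(", re.I),
    "pgsql_sleep":   re.compile(r"\bpg_sleep\s*\(", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "union_select":  re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
}

SLOW_MS = 2000  # a response this slow after a delay probe corroborates the signature


def classify(line):
    """Return (client_ip, list of indicator names) for one log line."""
    ip, path, status, ms = line.split()
    # Decode the query string so encoded quotes and spaces are visible.
    decoded = unquote_plus(urlsplit(path).query)
    hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]
    # A quote in the input together with a server error is the first probe on the page.
    if status == "500" and "'" in decoded:
        hits.append("quote_error")
    if int(ms) >= SLOW_MS:
        hits.append("slow_response")
    return ip, hits


def detect(log_text):
    """All lines carrying at least one indicator, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, hits = classify(line)
        if hits:
            findings.append((ip, hits))
    return findings


def by_client(log_text):
    """Count of flagged requests per client IP, for alerting on repeated probing."""
    counts = {}
    for ip, _ in detect(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG):
        print(ip, ", ".join(hits))
    print(by_client(SAMPLE_LOG))
```

The per-client count is the useful alerting key: a single "quote_error" can be a typo, but the same client moving from a quote to each database's delay command and then to UNION SELECT is the sequence this page describes and should be blocked and investigated.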