SQL injection may be a set of SQL commands that are placed during a URL string or in data structures so as to retrieve a response that we would like from the databases that are connected with the online applications. this sort of attacks generally takes place on webpages developed using PHP or ASP.NET.

An SQL injection attack are often through with the subsequent intentions −

To dump the entire database of a system,
To modify the content of the databases, or
To perform different queries that aren’t allowed by the appliance.

This type of attack works when the applications don’t validate the inputs properly, before passing them to an SQL statement. Injections are normally placed put in address bars, search fields, or data fields.

The easiest thanks to detect if an internet application is susceptible to an SQL injection attack is to use the ” ‘ ” character during a string and see if you get any error.

Example 1

Let’s attempt to understand this idea employing a few examples. As shown within the following screenshot, we’ve used a ” ‘ ” character within the Name field.

Now, click the Login button. It should produce the subsequent response −

It means the “Name” field is susceptible to SQL injection.

Example 2

We have this URL − http://10.10.10.101/mutillidae/index.php?page=site-footer-xssdiscussion.php

And we want to check the variable “page” but observe how we’ve injected a ” ‘ ” character within the string URL.

When we press Enter, it’ll produce the subsequent result which is with errors.

SQLMAP

SQLMAP is one among the simplest tools available to detect SQL injections. It are often downloaded from http://sqlmap.org/

It comes pre-compiled within the Kali distribution. you’ll locate it at − Applications → Database Assessment → Sqlmap.

After opening SQLMAP, we attend the page that we’ve the SQL injection then get the header request. From the header, we run the subsequent command in SQL −

./sqlmap.py --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0)
Gecko/20100101 Firefox/25.0" --cookie="security=low;
PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u '
http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' -
level=5 risk=3 -p id --suffix="-BR" -v3

The SQLMAP will test all the variables and therefore the result will show that the parameter “id” is vulnerable, as shown within the following screenshot.

SQLNinja

SQLNinja is another SQL injection tool that’s available in Kali distribution.

JSQL Injection

JSQL Injection is in Java and it makes automated SQL injections.

Quick Tips

To prevent your web application from SQL injection attacks, you ought to keep the subsequent points in mind −

Unchecked user-input to database shouldn’t be allowed to undergo the appliance GUI.
Every variable that passes into the appliance should be sanitized and validated.
The user input which is passed into the database should be quoted.

So, this brings us to the end of blog. This Tecklearn ‘Concept of SQL Injection Attack’ blog helps you with commonly asked questions if you are looking out for a job in Cyber Security. If you wish to learn Ethical Hacking and build a career in Cyber Security domain, then check out our interactive, Certified Ethical Hacker Training, that comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/certified-ethical-hacker-training/

Certified Ethical Hacker Training

About the Course

Tecklearn’s CEH certification training course provides you the hands-on training required to master the techniques hackers use to penetrate network systems and fortify your system against it. In this training, you will master how to identify security vulnerabilities by inspecting network infrastructures and defend the malicious hacker with essential tools and techniques, advanced network packet analysis and system penetration testing techniques to build your network security skill-set and prevent hackers. We will train you on the advanced step-by-step methodologies that hackers actually use such as writing virus codes and reverse engineering so you can better protect corporate infrastructure from data breaches.

Why Should you take Certified Ethical Hacker Training?

The average salary for a Cybersecurity Specialist is $110,881 per year in the United States and INR 900,000 per year in India – Indeed.com
Global Cybersecurity industry is estimated to cross US$ 220 billion by 2021.
Today cyber security is one of the most important aspects for any organization. In today’s digitally-driven world every organization needs professionals who can keep the hackers at bay. Hence the salaries for certified ethical hackers are among the best in the industry.

What you will Learn in this Course?

Introduction to Ethical hacking

Scope of ethical hacking
Enterprise information security architecture
Introduction and PCI Data Security Standard Overview
Role of Security and Penetration Testers
Vulnerability assessment
Various cyber security laws
Penetration testing

Various aspects of Information Security

Information security attacks
OS attacks
Application level attacks
Phases and Concepts of Hacking
Information Security Law and Standards

System Hacking

What is System Hacking
Goals of System Hacking
Understanding the certified ethical hacker methodology
About Kali Linux
Hands On

Technology Standards

Introduction to F5 Technology and Terms
POS (Point of Sale ) , mPoS
What is GLBA Compliance
OWASP
Site monitoring Tools
Introduction to PCI DSS Standard

Semantics and Introduction to Footprinting

What is Semantics
Fuzzy Logic
Footprinting

Threats

Types of Threats
Threats against the Application
Threat modelling
Hands on

Threat modelling

Threat modelling with STRIDE model
Ways to Find Security Issues
Penetration Testing Tools
Modelling Models – Whiteboard Diagrams, Brainstorming, Structured Diagrams etc.
Trust Boundaries
Threat Trees
DREAD Model

Example of Attack

Vulnerability Scanning Tools

OpenVAS
Wapiti
Burp Suite Community
Metasploit

Threat Modelling with Different models

Various Threat Models
PASTA Model in Depth

Advanced concepts like network packet analysis

Network scanning
How to scan the network, overview of scanning
WireShark
Sniffing attacks
File Signature

Got a question for us? Please mention it in the comments section and we will get back to you.

535