SQL (Structured Query Language) is a programming language used to communicate with databases. It can perform numerous tasks, such as removing, adding and deleting information within the database, by using the relevant SQL commands.
SQL Injection is a common type of attack that allows malicious actors to execute malicious SQL statements, and it can occur on any website that uses an SQL database. In 2015, the personal details of over 150,000 customers of TalkTalk were compromised through a vulnerability in their website that allowed the unintended execution of SQL commands.
SQL Injection can be used to bypass security measures and obtain any information that is held within the database. This could include usernames, passwords, credit card numbers and medical records. For example, if the site is vulnerable to SQL injection, the malicious actor could inject a statement into a vulnerable field on the website to output a list of user credentials, allowing them to log in as another user.
When attempting to retrieve information such as account credentials, trial and error using the SQL Server ASCII function can be used. The function is used to determine whether the first letter of the username/password is in a certain character range; characters in this range are tested until the database returns true. Once the first character has been obtained, the process is repeated for the remaining characters until the credentials have been obtained. Automated tools can be used to speed up the process and try numerous injections per second, and in some cases map out an entire database with relative ease and speed.
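The character-by-character testing described above leaves a recognisable trail in web server logs: many requests from one client, each comparing an ASCII value with a number. The following is an added example, not part of the original article, showing how a defender could flag that pattern; the log format, IP addresses, function name and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# ASCII(SUBSTRING(col, n, 1)) compared with a number: the true/false test described above.
PROBE = re.compile(
    r"ascii\s*\(\s*(?:substring|substr|mid)\s*\(.*?\)\s*\)\s*(?:[<>]=?|=)\s*\d+",
    re.IGNORECASE,
)

# Constructed log lines (assumed format): "<epoch seconds> <client ip> <path and query>".
SAMPLE_LOG = [
    "1000.00 203.0.113.7 /item?id=5",
    "1000.10 198.51.100.9 /item?id=1+AND+ASCII(SUBSTRING(username,1,1))%3E77",
    "1000.30 198.51.100.9 /item?id=1+AND+ASCII(SUBSTRING(username,1,1))%3E102",
    "1000.50 198.51.100.9 /item?id=1+and+ascii%28substring%28username%2C1%2C1%29%29%3E108",
    "1000.70 198.51.100.9 /item?id=1+AND+ASCII(SUBSTRING(username,1,1))=109",
    "1001.00 203.0.113.7 /search?q=ascii+art",
    "1005.00 192.0.2.44 /item?id=1+AND+ASCII(SUBSTRING(username,1,1))%3E77",
]

def find_probing_clients(lines, window=1.0, threshold=3):
    """Return {ip: probe_count} for clients sending >= threshold probes within `window` seconds."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, request = line.split(" ", 2)
        # Decode URL encoding first so %28 and + cannot hide the pattern.
        if PROBE.search(unquote_plus(request)):
            hits[ip].append(float(ts))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window: any `threshold` consecutive probes inside `window` seconds.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} character-probe requests")
```

A single matching request (as from 192.0.2.44 in the sample) is not flagged by the rate rule, so in practice the pattern match alone is also worth alerting on at a lower severity.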
Next week’s article will detail various techniques that can be used to reduce the risk of personal or company sensitive information being accessed by an unauthorised user.