What is SQL Injection (SQLi) and How to Prevent It?

 Official post from Ask Buddie


What is SQL Injection (SQLi)

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control the database server behind a web application.

Injection occurs when user input is sent to an interpreter as part of a command or query and tricks the interpreter into executing unintended commands, giving access to unauthorized data.

How do attackers exploit SQL injection?

An attacker can inject SQL control characters and command keywords (for example the single quote ('), double quote ("), equals sign (=) and comment marker (--)) to change the structure of the query. Combining these control characters with common SQL commands (for example SELECT, FROM, DELETE) gives the attacker control over the database server behind the web application.

A successful attack requires the web application to include malicious code from an attacker in a SQL statement. The malicious code usually comes from an untrusted source such as user input. In some cases, internal system databases can also be the source of malicious data. When malicious SQL statements execute against the backend database, the attacker can modify or access its data; what exactly they can do depends on how the malicious data is crafted.
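The following is an added example, not code from the original post, showing why the quote and comment characters listed above change the query structure when input is concatenated into SQL text, and how a parameterised query prevents it. It uses a constructed in-memory SQLite table with made-up users; the function names are the author's own for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pa55")])
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: quotes and comment markers in the
    input become part of the SQL text and change the statement's structure."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement text, so a quote or '--' in the input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run both versions on the same input and return (vulnerable, safe) results.
    A concatenated query that no longer parses is reported as the string 'error'."""
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, login_safe(conn, username, password)


if __name__ == "__main__":
    # Normal credentials: both versions agree.
    print(compare("alice", "s3cret"))
    # A quote closes the string literal and "--" comments out the password
    # check, so the concatenated query returns a row without a valid password.
    print(compare("alice' --", "wrong"))
    # The same weakness also breaks legitimate data containing an apostrophe,
    # which is a useful sign in error logs that a query is built by concatenation.
    print(compare("o'brien", "pa55"))
```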

Implications

Attackers can use SQL injection to find the credentials of other users in the database and then impersonate those users. The impersonated user may be a database administrator with full database privileges.

  1. An attacker can inject malicious content into the vulnerable fields.
  2. Sensitive data like User Names, Passwords, etc. can be read from the database.
  3. Database data can be modified (Insert/Update/Delete).
  4. Administrative operations can be executed on the database.