As explained in the below post, Injections are nothing but the security flaws (i.e. vulnerabilities), using which the attacker can take advantage through client-side submission of malicious input. i.e. Malicious Input/Data/Commands are provided as input into the Client-side fields, which when accepted by the System will lead to compromising of vulnerabilities in the system and allowing the attacker to bypass the authentication & gaining administrative privileges to fully access the application and its database.
Types of SQL Injection: Based on the ways the attackers perform attacks, the SQL Injections can be categorized into following types.
- In-band SQL Injections (Classic SQL Injections): In this category of SQL Injections, the attacker has the possibility of using same communication channel for performing attacks and retrieving results. The following are the two types of In-band SQL Injections.
- Error Based SQL Injections:
- This is a type of In-band SQL Injection in which the attacker uses the error messages thrown by the application to exploit the database.
- To overcome this problem, the error messages displayed during the development phase of the application should be disabled on the applications which went live, or these error messages should be logged into a file having access restrictions set.
- Union Based SQL Injections:
- This is a type of In-band SQL Injections in which the attacker uses Union operator of SQL to combine the results of two or more Select statements into a single result and thereby retrieving the results.
- Error Based SQL Injections:
- Inferential SQL Injections (Blind SQL Injections): In this category of SQL Injections, it takes longer time for the attacker to exploit when compared to In-band SQL Injections. And also, in this category of SQL Injections, the attacker won’t transfer the data via applications for SQL Injecting and also the results retrieved from the attack are not visible as they are displayed in In-band SQL Injections. Hence these type of SQL Injections are called as Blind SQL Injections. The following are the two types of Inferential SQL Injections.
- Boolean-based Blind SQL Injections:
- This is a type of Inferential SQL Injection in which the SQL query is sent to the database with an intention of forcing the application to return a different result.
- Depending on the result, the HTTP response either changes or remains same.
- With this HTTP response, attacker guesses whether the payload is returning true or false.
- In this type of SQL Injection, no data will be returned in the response.
- This type of attack is very slow as the attacker has to enumerate the database character by character.
- Time-based Blind SQL Injections:
- This is a type of Inferential SQL Injection in which the SQL query is sent to the database with an intention of forcing it to wait for a specific amount of time before responding back.
- Based on the HTTP response time (with a delay or immediate response), the attacker can guess whether the payload is returning true or false.
- In this type of SQL Injection, no data will be returned in the response.
- This type of attack is very slow as the attacker has to enumerate the database character by character.
- Boolean-based Blind SQL Injections:
- Out-of-band SQL Injections: This type of uncommon SQL Injection, depending on the features enabled on the database which is being used by the application. In this type of SQL Injections, the attacker has to use different channels for launching the attacks and retrieving the results.
The following diagram depicts, different types of SQL Injections:
All the above-specified SQL Injection types will be demonstrated in the upcoming articles.
Conclusion: Based on the ways the attacker perform attacks, SQL Injections can be categorized in the above-specified types.
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)
well explained
Thank you Bharat 🙂