A Blind SQL Injection is an attack on a web-based application's database.
It allows the attacker to inject malicious queries without knowledge of the target's structure or valid queries. The goal is often to extract data from the database, such as usernames and passwords.
This guide will walk you through how such an attack works, what steps can be taken to prevent it, and more!
So whenever you're ready to learn more about the SQL injection attack types, keep reading.
SQL stands for Structured Query Language, a special computer language designed to communicate with relational databases. It allows the user to query and efficiently manage data.
SQL is used in the backend of many websites, including major ones such as Twitter and Facebook. In fact, it's estimated that around 70% of all data is stored in a relational database accessed with SQL!
The reason companies use SQL and not something else is because it's very efficient. SQL is swift, allowing for many queries per second that one can complete in less than a half-second!
When a website contains an input field (such as login or signup forms), hackers can use this information. They use it to create malicious queries that inject their own code into your database.
This typically happens due to improperly sanitized user-inputted strings. For instance, email addresses and passwords.
Furthermore, this type of attack can be tough to detect because the code injected actually looks like a legitimate query.
For example, you may have written out form fields like: "username" => $_POST['username'], "password" => $_POST['password'] . These are vulnerable because if I entered '; drop table users -' , then my entire username and password information would be wiped from the database.
Several steps happen when an attack is carried out successfully.
First, hackers must trick site users into giving up their user-inputted strings through phishing or other means.
Next, after getting these sensitive details, they can create malicious queries. They do so by carefully manipulating them with characters such as quotation marks and semicolons.
Afterward, this data will be sent back to the hacker's computer, where it can then extract information from your database!
This final step may make all previously entered content on your website inaccessible. This is until you fix what has been extracted (meaning lost revenue).
The best way to prevent this is by using a prepared statement or stored procedure in your query. Do this instead of a string concatenation, which you can read more about here.
This essentially wraps whatever inputted data within a function and prevents it from being executed on its own.
An example might look something like:
"SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password='" . $_POST['password'] ."'"
This will change your previously broken form fields into an actual executable line. It deletes all rows with matching usernames and passwords.
These statements are typically much safer. This is because they use placeholders rather than direct strings.
Another great way to prevent SQL injection is to use vulnerability scanners. You want a scanner that has penetrator functionality for SQL. This will allow you to perform SQL injections on your own to find any vulnerable areas in your database.
As we said before, prevention is the best protection. There's no and, ifs or buts about it.
A blind SQL injection, as the name implies, means that there are no results returned to the user when you issue your malicious query.
To do this, we add '; WAITFOR DELAY '0:0:20'-- before our statement and then use ORDER BY RAND(). This randomly organizes our result set, so it's harder to identify whether or not data was actually deleted using WHERE.
This type of attack is typically used in conjunction with a privilege escalation exploit. This is when you gain access to someone else's account using an already existing user-inputted string.
This can be done if, for example, the website doesn't use sufficient security measures such as two-factor authentication.
In the above query, I have set a random delay of up to twenty seconds and then randomly selected users who meet my criteria. So even if an administrator were watching their logs, they probably wouldn't see any malicious activity!
This is because we used WAITFOR DELAY rather than JUST WAIT. Otherwise, it would result in no results returned regardless of whether or not there was tampering with the database.
Blind SQL injections are by far one of the most common types of attacks on databases. This is due to how simple it can be to execute such attacks without drawing attention to your presence.
The steps are very similar, except this time hackers must rely on other means than simply seeing the results returned to them. They must carefully analyze timing and error messages to determine whether or not data was deleted successfully or not!
That said, here are all of the general steps required.
First, our malicious query will look like ' UNION SELECT (username/password), SLEEP(20)--' where we will insert our username and password.
Next, we must inject this into the URL of a legitimate page on the site (for example, by creating an account), and we can use '; WAITFOR DELAY '0:20'-- as before.
Now that our data has been entered successfully, hackers enter another URL with their malicious query.
For instance, as '/admin/users-details.php?id=UNION SELECT(username/password), SLEEP(20)--'.
This time hackers are looking for any errors or delays to determine whether or not they were successful. Their goal is in deleting all records from the database using were or similar commands.
This type of attack is often used when there's no other method you can use to determine whether or not you've successfully deleted all rows from a table.
The most dangerous outcome of a successful Blind SQL Injection is the ability to delete rows from any of your application's databases. This can lead to massive data theft, such as usernames and passwords.
This goes on further attacks on accounts or even credit card information if you keep that stored in an online database. However, this isn't the only thing attackers could do using a blind injection.
They might use it to create access points into your systems by creating new admin accounts. But more commonly, they will simply steal all of the data they want then leave without being noticed at all!
Furthermore, they don't even need to use blind injections for this. If they can see results returned from their queries, then it's possible that your data isn't stored properly. This would allow them to gain full access with ease.
Unfortunately, there is not much you can do about these types of attacks. You must do all that you can to prevent SQL injection in the first place and keeping a close eye on any suspicious activity within your logs!
This is because once someone has found an exploit like this, they will most likely keep trying until they eventually find something.
Something that lets them run whatever code they want on your database servers behind the scenes without anyone.
The best way to protect yourself against these dangerous attacks is always to sanitize your database inputs so they are not parsed as SQL.
This means that you should never allow any HTML or Javascript tags through to the backend of your application, which will greatly reduce the chance of someone finding an exploit in this way!
Furthermore, if you have a RESTful API, one must validate all requests for malicious input since these types of attacks can come from many different sources and affect many more users than just those who use the website itself.
The best thing you can do now is learning how to properly write secure SQL queries and ensure that whoever has access to modify data within your databases understands what they're doing and why!
Letting untrusted individuals run wild on your servers without oversight is the worst thing you can do regarding security. Hence, always keep an eye on what they're doing and ensure that nothing strange or unexpected happens.
Unfortunately, if your application doesn't handle data input correctly, it's already too late for you. You should do everything in your power to ensure that all of the code running on any server which you use is secure and regularly check for anything suspicious, but once someone has gotten this far, there isn't much more that can be done!
The only thing I would recommend doing after such an attack is learning how they did what they did so that you can block them from ever getting back into your systems again, even with new exploits!
If anyone accessed databases directly rather than just taking advantage of misconfigured RESTful APIs, then my best advice would be to change every password everywhere as well as to deactivate or delete any accounts they may have created themselves too.
After this, you should look at all of your code to ensure that it is written securely and start taking steps toward preventing these types of attacks in the future!
Not to mention, make sure that you keep an eye on all of your systems if they try to get back into them with new exploits. The best way to do this is by setting up a threat detection tool like SECPOINT penetrator, which can monitor your networks for anything suspicious and send alerts to administrators when it detects something!
The following are examples of some famous SQL injections which have happened before:
In 2017 a security researcher could steal the personal data of over 30,000 FBI employees by exploiting an online form.
In 2012 a hacker exploited a vulnerability in Facebook to gain access to private information from 83 million user accounts! He then tried selling this info on the black market but only received around $150 for it all due to how easy he found it to be acquire such sensitive material!
An injection against Washington Social and Health Services gave control to hackers. They were caught back in 2015 after running up quite a large bill with Amazon Web Services. They did so behind everyone's backs without anyone knowing what was going on or stopping them!
In 2012, one of the biggest attacks ever was launched against Google. Its Senate election campaign was hacked by cybercriminals.
These criminals were able to send out over two million emails to trick people into installing malware onto their computers. Thus, giving them full access and control over everything on the affected device.
As you can see, one can carry out many different kinds of SQL injections against your website or API, and they all have their own unique method of working!
The best way for companies like yours to protect themselves is by making sure that the code running on their servers never allows this kind of attack through in the first place, but if it does ever get past security, then knowing what happens next will help you ensure that everything gets fixed up quickly before any damage occurs.
Don't fall victim to the blind SQL injection. Write secure queries today!
If you're interested in protecting your business data, get in touch with us, and we will happily accommodate your needs.