Database Hacking with common SQL Injection commands

Decoding SQL Injection: Essential Commands for Database Hacking

According to the Open Web Application Security Project (OWASP), command injection is one of the most dangerous and prevalent web application attacks.

Furthermore, because these attacks target databases that hold valuable data such as credit card numbers and personally identifiable information (PII), they frequently cause significant financial losses for businesses and other organizations.

OWASP Top 10

Although there are many kinds of database attacks, SQL injection is the most common. In a SQL injection attack, SQL commands travel from the web front end into the database on the back end.

If such SQL statements are not filtered out of the input at the client (browser) level, they are passed through to the back-end database, where they can cause damage such as:

1. Exfiltrating data
2. Deleting data
3. Adding data
4. Updating data

The following are frequently used commands and special characters to look for when checking for SQL injection vulnerabilities. The deeper your knowledge of SQL, the greater the chance that a SQL injection attack succeeds.
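The mechanism described above, shown as an added example that is not code from the original article: a lookup built by string concatenation lets a crafted username (containing the single quote, the `1=1` tautology and the `--` comment sequence listed below) rewrite the WHERE clause and return every row, while the same lookup written as a parameterized query treats the input as plain data. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory sample database (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation, so the input becomes part of the SQL text.

    With username = "' OR 1=1--" the executed statement is
        SELECT ... WHERE username = '' OR 1=1--'
    The quote closes the literal, OR 1=1 matches every row and -- comments
    out the dangling quote, so all rows are returned.
    """
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the SQL text,
    so quotes, comment sequences and keywords in the input are never parsed as SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"
    print("vulnerable:", lookup_vulnerable(db, payload))  # returns all three rows
    print("safe:      ", lookup_safe(db, payload))        # returns []
```

The safe version needs no quoting or escaping of its own; the fix is that the query text is fixed at development time and the user-supplied value is bound as a parameter, which is the standard mitigation for every injection pattern listed in this article.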

String delimiters:

  • Single quote ('): Often used to terminate a string literal so that what follows is parsed as SQL.

  • Double quote ("): Can also terminate a string literal in some databases.

Comment Sequences:

  • Double dash (--): This is a SQL comment and can be used to invalidate the rest of a query.

  • Hash (#): In MySQL, an alternative way to comment out the rest of the query.

  • Slash-star (/*...*/): Multiline comment. It can be used to comment out part of a query or the entire query.

Functions and commands:

  • Semicolon (;): Marks the end of one statement and the beginning of another (stacked queries).

  • Logical operators: AND, OR.

  • Set operators: UNION, UNION ALL, which combine the results of two queries.

Boolean values:

  • TRUE or 1=1: Always evaluates to true and can be used to make a WHERE clause match every row.

  • FALSE or 1=0: Always evaluates to false.

Functions of time delays:

  • SLEEP(x): In MySQL, this causes a delay of x seconds.

  • WAITFOR DELAY 'hh:mm:ss': In Microsoft SQL Server, this pauses execution for the given duration.

  • pg_sleep(x): In PostgreSQL, this causes a delay of x seconds.

Retrieving information:

  • @@version: Returns the database version string; supported by several databases, including MySQL and SQL Server.

  • CURRENT_USER: Returns the user the current session runs as.

Hex encoding:

Attackers may encode their payloads in hexadecimal to bypass input filters that only look for the plain-text form.

Wild cards:

  • Percentage sign (%): Represents zero or more characters in SQL LIKE clauses. This was used in the recent MOVEit attacks by Clop.

Special functions:

  • CONCAT(): Used to concatenate strings in SQL.

  • CAST(), CONVERT(): Used for type conversion.

  • ASCII(), CHAR(): Functions that return the ASCII value of a character or the character for a value; used in blind SQLi to extract data one character at a time.

Subqueries and metadata queries:

  • SELECT ... FROM information_schema.tables: Used in databases such as MySQL and PostgreSQL to collect metadata about tables.

  • SELECT ... FROM sysobjects ...: Used in SQL Server to collect metadata.
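The characters, keywords and functions listed above (quotes, comment sequences, the semicolon, UNION, the time-delay functions, the metadata tables and @@version, hex-encoded literals) are exactly what a defender looks for in request logs. The following added example, not code from the original article, runs those indicators over a few constructed web-server access-log lines. It URL-decodes each request target repeatedly so a double-encoded payload is unwrapped, and it treats a lone quote as weak evidence, since names such as O'Brien appear in legitimate traffic. The log lines, the IP addresses and the pattern set are constructed for the demonstration and are not a complete signature base.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192',
    '10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /products?id=42%20UNION%20SELECT%20table_name%2Cnull%20FROM%20information_schema.tables HTTP/1.1" 200 9001',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /products?id=42%3BSELECT%20SLEEP(5) HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=o%27brien HTTP/1.1" 200 1024',
]

# Indicator patterns built from the characters and keywords listed in the article.
INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|#|/\*"),
    "stacked_query": re.compile(r";"),
    "union": re.compile(r"\bunion\b(\s+all)?", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I),  # e.g. OR 1=1
    "time_delay": re.compile(r"\b(sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "metadata": re.compile(r"information_schema|\bsysobjects\b|@@version", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),
}

# A quote on its own is common in benign input, so it only counts as weak evidence.
WEAK = {"quote"}

# Extracts the request target from a Combined Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(\S+)\s+HTTP/[\d.]+"')


def fully_decode(target, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (e.g. %2527) are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_request(target):
    """Return the sorted names of all indicators present in the decoded request target."""
    decoded = fully_decode(target)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def is_high_confidence(indicators):
    """True when at least one indicator stronger than a bare quote was found."""
    return any(name not in WEAK for name in indicators)


def scan_log(lines):
    """Return (client_ip, decoded_target, indicators, high_confidence) for each line with a hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = scan_request(m.group(1))
        if found:
            hits.append((line.split()[0], fully_decode(m.group(1)), found, is_high_confidence(found)))
    return hits


if __name__ == "__main__":
    for ip, target, found, high in scan_log(SAMPLE_LOG):
        print(f"{'ALERT ' if high else 'review'} {ip} {target} -> {', '.join(found)}")
```

On the sample lines, the tautology request, the UNION/information_schema request and the stacked SLEEP request are reported as high-confidence hits, while the O'Brien search is reported for review only. Pattern matching of this kind catches only the plain forms shown in the article; the hex-encoding and CHAR()-based variants it mentions are why parameterized queries at the application layer, not log matching, remain the primary control.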

Summary:

Injection attacks on web forms that lead to a database leak are among the most serious attacks that compromise the security of a site.

These database attacks take the form of SQLi attacks, in which SQL commands reach the back-end database through unchecked input from the client (browser).

Although SQLi attacks are becoming more difficult to carry out, a thorough understanding of SQL is still necessary to perform one.
