Common Web Vulnerability - PHP
  • Introduction to Common Web Vulnerability
  • LFI (Local File Inclusion)
  • SQL Injection
  • OS Command Injection
  • Remote Code Injection
  • Cross Site Scripting
  • Insecure File Upload
  • IDOR (Insecure Direct Object Referrence)
  • RFI(Remote File Inclusion)
  • Broken Access Control
  • Broken Authorization
  • Source code disclosure
  • php type juggling
  • git of terror
Powered by GitBook
On this page
  • Explain LFI like im 5
  • 4 Comon types of SQL Injection

SQL Injection

SQL injection is a common security vulnerability that occurs when an attacker manipulates input data to execute unauthorized SQL queries in an application's backend database. In PHP applications, SQL injection vulnerabilities can have severe consequences, allowing attackers to access, modify, or delete sensitive data, bypass authentication mechanisms, and even take control of the entire system. This guide provides a detailed explanation of SQL injection in PHP applications, its impact, and best practices for prevention.

Explain LFI like im 5

Imagine you have a secret box where you keep your toys. You tell your friend, "Hey, can you get me the toy with the name 'car' from my box?" But instead of just getting you the toy with the name "car," your friend decides to play a trick. They tell you, "Sure, but let me try something first."

Your friend sneaks in and says, "Get me all the toys from the box," and you trust them. So, they grab all the toys, including your special ones like "car," "doll," and "train." They bring them all to you, not just the one you asked for.

Understanding SQL Injection:

In PHP applications, SQL injection typically occurs when user-supplied input is concatenated directly into SQL queries without proper sanitization or parameterization. Consider the following vulnerable PHP code snippet:

<?php
    $username = $_POST['username'];
    $password = $_POST['password'];
    
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($conn, $sql);
?>

In the above example, if the user input for $username and $password is not properly validated, an attacker can craft malicious input to manipulate the SQL query. For instance, an attacker could input ' OR 1=1 -- as the username and bypass the authentication mechanism, resulting in the following query:

SELECT * FROM users WHERE username='' OR 1=1 --' AND password='...'

This query always returns true because of the 1=1 condition, allowing the attacker to log in without a valid password.

Impact of SQL Injection: SQL injection vulnerabilities can have severe consequences for PHP applications, including:

  1. Data Leakage: Attackers can extract sensitive information such as usernames, passwords, credit card details, or personal identifiable information (PII) from the database.

  2. Data Manipulation: Attackers can modify or delete existing data in the database, causing data integrity issues.

  3. Authentication Bypass: Attackers can bypass authentication mechanisms, gaining unauthorized access to privileged accounts or administrative functionalities.

  4. Server Takeover: In extreme cases, attackers can execute arbitrary commands on the underlying server, leading to a complete system compromise.

4 Comon types of SQL Injection

There is four common types of SQL injection attacks are Union-based, Blind, Time-Based, and Error-Based.

Union-Based SQL Injection: Union-based SQL injection involves injecting additional SQL queries into an existing query using the UNION operator. This allows attackers to combine the results of their injected query with the original query, enabling them to retrieve data from other tables or databases.

Example (Union-Based): Suppose a PHP application dynamically constructs a SQL query to retrieve user data based on a specified username. An attacker can manipulate the input to inject a UNION SELECT statement to retrieve data from a different table:

$username = $_GET['username'];
$query = "SELECT * FROM users WHERE username='$username'";

If the attacker inputs ' UNION SELECT * FROM sensitive_data--, the resulting query becomes:

SELECT * FROM users WHERE username='' UNION SELECT * FROM sensitive_data--'

This query returns the combined results of the original query and the injected query, potentially exposing sensitive data.

Blind SQL Injection: Blind SQL injection occurs when an attacker can't directly see the results of their injected queries but can infer information based on the application's response. Blind SQL injection techniques include Boolean-based and Time-based attacks.

Example (Boolean-Based Blind SQL Injection): In a login form, suppose the application returns a different message for valid and invalid credentials. An attacker can craft a payload to extract data by guessing characters one by one:

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

An attacker inputs a payload like

 ' OR SUBSTRING((SELECT password FROM users WHERE username='admin'), 1, 1) = 'a'--

which extracts the first character of the admin's password. By repeating this process, the attacker can gradually retrieve the entire password.

Time-Based SQL Injection: Time-Based SQL injection involves injecting queries that cause delays in the application's response. Attackers can infer information based on the time it takes for the application to respond, allowing them to extract data or perform actions indirectly.

Example (Time-Based): Suppose a PHP application has a vulnerable parameter vulnerable to Time-Based SQL injection. An attacker can inject a delay into the query to determine if a condition is true or false:

$query = "SELECT * FROM users WHERE id='$id' AND SLEEP(5)";

By injecting a payload like ' OR IF(1=1, SLEEP(5), 0)--, the attacker can observe a delay in the application's response if the condition is true.

Error-Based SQL Injection: Error-Based SQL injection exploits error messages generated by the database server to extract information about the database structure or data. Attackers inject malicious queries to provoke error messages containing sensitive information.

Example (Error-Based): Suppose a PHP application dynamically constructs a query with a vulnerable parameter. An attacker injects a query to generate an error message:

$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id=$id";

An attacker inputs a payload like 

1' AND (SELECT 1/0 FROM users LIMIT 1)--

causing a division by zero error. The error message reveals information about the database schema and underlying data.

Preventing SQL Injection: To mitigate SQL injection vulnerabilities in PHP applications, follow these best practices:

  • Use Parameterized Queries: Instead of concatenating user input directly into SQL queries, use prepared statements with parameterized queries. This ensures that user input is treated as data rather than executable code.

    Example:

$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();

  • Input Validation and Sanitization: Implement strict input validation and sanitization mechanisms to ensure that user input adheres to expected formats and does not contain malicious characters.

  • Least Privilege Principle: Limit database privileges granted to application accounts to minimize the impact of a successful SQL injection attack. Avoid using highly privileged accounts for routine application tasks.

  • Use Web Application Firewalls (WAFs): Deploy WAFs to monitor and filter incoming HTTP requests, blocking malicious SQL injection attempts before they reach the application server.

  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate SQL injection vulnerabilities and other security issues proactively.

PreviousLFI (Local File Inclusion)NextOS Command Injection

Last updated 1 year ago