SQL Injection Report With t1190

SQL injection report with images

Uploaded by RAJ YADAV

Abstract

SQL Injection (SQLi) is a code injection vulnerability that allows attackers to manipulate the queries an application sends to its database. It is one of the most common and dangerous vulnerabilities in web applications. This report explores SQLi in the context of MITRE ATT&CK Technique T1190 – Exploit Public-Facing Application – to help understand, detect, and mitigate such attacks.
Introduction

SQL Injection (SQLi) occurs when untrusted input is inserted into an SQL query without proper sanitization. It enables attackers to bypass authentication and to access, modify, or delete database data. Historically, SQLi has been responsible for some of the largest data breaches, and it remains relevant today due to the widespread use of SQL databases.
MITRE ATT&CK Mapping

SQLi maps to MITRE ATT&CK Technique ID T1190 – Exploit Public-Facing Application, in which adversaries exploit vulnerabilities in Internet-facing systems to gain initial access.
Reference: https://attack.mitre.org/techniques/T1190

Types of SQL Injection

● Classic/Basic SQLi: Injection in form fields or URLs. Example: ' OR '1'='1
● Blind SQLi: No visible errors; information is inferred from true/false behavior.
● Time-Based Blind SQLi: Server response time indicates whether the payload succeeded.
● Union-Based SQLi: Uses UNION to fetch data from other tables.
● Error-Based SQLi: Uses SQL error messages to extract data.
● Out-of-Band SQLi: Uses alternate channels such as DNS/HTTP to extract data.

Example SQL Injection payload in a login query. The original login query:
SELECT * FROM users WHERE username = 'admin' AND password = '1234';
The injected payload:
' OR '1'='1 --
Testing Methods
Common tools and methods for detecting SQLi:
● SQLMap – Automated SQLi testing
● Burp Suite – Web proxy for interception
● Nmap + NSE Scripts – Service detection
● Manual Payloads – e.g., ' OR 1=1 --
Prevention Techniques
● Parameterized Queries / Prepared Statements
● Use of ORMs (Object Relational Mappers)
● Strict Input Validation (Whitelisting)
● Least Privilege Principle
● Web Application Firewall (WAF)
Case Studies

Sony Pictures Hack (2011): SQLi was used to leak user data.
Heartland Payment Systems (2008): SQLi contributed to a breach affecting over 100 million records.
Diagram: SQL Injection Process

The diagram below illustrates the flow of a SQL Injection attack. It begins with user input, such as from a login form, which is processed by the application without proper validation. Malicious SQL code is inserted into the query and executed by the database, potentially leading to the exposure, modification, or deletion of sensitive data.
Screenshot: SQLMap Testing

The following screenshot shows an example run of SQLMap, an automated SQL Injection testing tool. In this simulated case, SQLMap detects a UNION-based SQL injection vulnerability in the 'user' parameter and successfully retrieves the names of the databases from the target server.
MITRE ATT&CK Mapping – SQL Injection and T1190
Technique ID: T1190 – Exploit Public-Facing Application
Tactic: Initial Access
Reference: https://attack.mitre.org/techniques/T1190

How SQL Injection Maps to T1190

SQL Injection (SQLi) is a specific example of T1190, which covers exploiting vulnerabilities in internet-facing systems to gain unauthorized access.

In SQLi:
1. Public-Facing Entry Point – A website, API, or application connected to a database is accessible from the internet.
2. Vulnerability – Poor input validation or insecure SQL query construction.
3. Exploitation – The attacker injects crafted SQL commands into input fields.
4. Initial Access – Malicious queries execute on the backend, allowing the attacker to bypass authentication, extract or modify sensitive data, or pivot deeper into the network.

This matches T1190's definition because:
- The target is an internet-facing application.
- The method is exploiting a coding flaw.
- The outcome is initial access to systems and data.

Example Flow
1. Attacker scans for a vulnerable login page.
2. Injection payload submitted:
' OR '1'='1 --
3. Backend executes malicious SQL without validation.
4. Access granted to protected data or admin accounts.
Diagram – SQLi Mapping to T1190
