Q: How can one determine the cause of an SQL injection vulnerability, and how can it be prevented? What are the types of injection? Besides exfiltrating database data, what other exploitation methods exist?
A: Consider the following example:
SELECT * FROM news WHERE id='$SQL';
When a program executes operations such as fetching news, it makes an SQL call. If, during this call, invalid data is submitted that the database cannot recognise, an error will be returned – essentially, all input is harmful.
There are six main types of injection, which can be categorised with reference to SQLmap: error-based, blind, union-based, time-based, inline and stacked queries.
Injection vectors include: GET, POST, cookies and HTTP headers.
Exploitation methods depend on the database type. For example, SQL Server allows command execution; MySQL can be used to write shell files. Some MySQL configurations with elevated privileges may also permit command execution, but this is conditional on a Linux environment.
Prevention measures: boundary protection (e.g., CDN), scripting language filtering, database-level filtering with least privilege, and host-level security.