Types of SQL Injection
Types of SQL Injection: A Comprehensive Guide
Understanding Types of SQL Injection for CEH Exam Success
SQL Injection remains one of the most dangerous web application security flaws. As a CEH candidate, thoroughly understanding the various types of SQL injection is crucial for exam success and real-world security assessments.
Why SQL Injection Types Matter
SQL injection vulnerabilities can lead to unauthorized data access, data modification, and even complete system compromise. Different types of SQL injection require different detection and exploitation techniques, making this knowledge essential for comprehensive security testing.
Main Types of SQL Injection
1. In-band SQL Injection
This is the most common and straightforward type, in which attackers use the same communication channel for both launching the attack and collecting results.
Two primary subtypes include:
• Error-based SQL Injection: Attackers force the database to generate error messages, then use these messages to gather information about the database structure. Look for examples where database error messages reveal table names, column names, or data types.
• Union-based SQL Injection: Uses the UNION SQL operator to combine the results of the original query with results from an injected query. Requires knowledge of the database schema. Example: ' UNION SELECT username, password FROM users--
2. Inferential (Blind) SQL Injection
Here, the application's responses carry no query results, making these attacks harder to detect. The attacker sends payloads and observes the application's behavior to infer information.
Two main types:
• Boolean-based Blind SQL Injection: Sends SQL queries that force the application to return different results depending on whether the query returns TRUE or FALSE. Example: ' OR 1=1-- vs. ' OR 1=2--
• Time-based Blind SQL Injection: Forces the database to wait for a specified time before responding if a condition is true. Example: ' IF 1=1 WAITFOR DELAY '0:0:5'--
3. Out-of-band SQL Injection
This occurs when the attacker cannot use the same channel for attack and information retrieval. Instead, they use alternative channels (like DNS or HTTP requests) to extract data. It is used when server responses are unstable or filtered.
Example: Using the xp_dirtree extended stored procedure in MS SQL Server to make DNS requests to an attacker-controlled server.
4. Stored Procedure Injection
This type targets the stored procedures present in the database. It is particularly dangerous because it can sometimes lead to operating system command execution.
Example: '; EXEC xp_cmdshell 'net user'--
5. Mass SQL Injection
A technique where attackers compromise a large number of websites at once by injecting malicious code into database tables that are later served to users.
Exam Tips: Answering Questions on Types of SQL Injection
• Identify the injection type from scenarios: Practice recognizing which type of SQL injection is being described in a scenario-based question.
• Know the syntax variations: Different databases (MySQL, Oracle, SQL Server) use different syntax. Understand common variations for each.
• Understand detection methods: For each type of SQL injection, know how it can be detected (error messages, time delays, etc.).
• Focus on countermeasures: Be prepared to identify the most effective countermeasure for each specific type of injection attack.
• Remember the UNION technique details: Know that the number of columns must match between queries and that data types must be compatible.
• Blind injection indicators: Remember that blind injections are characterized by no visible errors but observable changes in application behavior.
• Context matters: Pay attention to where the injection is occurring (URL parameters, form fields, cookies, headers) as this may influence the type of injection possible.
When faced with SQL injection questions on the CEH exam, carefully analyze the scenario, identify the type of injection being described, and select the answer that addresses the specific vulnerability characteristics or appropriate mitigation technique.
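To make the countermeasure tip concrete, the following added example (not part of the original guide) runs the union-based and boolean-based payloads quoted above against a string-concatenated query and against its parameterized form. The SQLite schema, sample rows and function names are constructed for illustration; the one-column UNION variant is also constructed, to show the column-count rule.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample data (not from the original page)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('lamp', '20'), ('desk', '150');
        INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b');
    """)
    return db

def search_vulnerable(db, term):
    # Vulnerable: input is concatenated into the SQL text, so a quote in
    # `term` closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened: the ? placeholder binds `term` as a value, never as SQL.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return db.execute(sql, (term,)).fetchall()

# Payloads quoted in the sections above.
PAYLOADS = {
    "union": "' UNION SELECT username, password FROM users--",
    "boolean_true": "' OR 1=1--",
    "boolean_false": "' OR 1=2--",
}

def compare(db):
    # Map each payload name to (vulnerable rows, parameterized rows).
    return {name: (sorted(search_vulnerable(db, p)),
                   sorted(search_parameterized(db, p)))
            for name, p in PAYLOADS.items()}

def column_mismatch_error(db):
    # A UNION with a different column count fails to compile; the database
    # error text is what error-based injection relies on being shown.
    try:
        search_vulnerable(db, "' UNION SELECT username FROM users--")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    for name, (vuln, safe) in compare(make_db()).items():
        print(f"{name:14} vulnerable={vuln} parameterized={safe}")
```

With the parameterized query every payload is compared as a literal product name and matches no rows, which is why bound parameters address the in-band and blind variants alike.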