SQL Injection

What is SQL Injection (SQLi)?

SQL Injection is a web vulnerability that allows an attacker to interfere with or manipulate the queries that an application makes to its database.

This can allow the attacker to view or modify data that they are not normally able to access. In some situations, an attacker can also cause a denial of service, for example by deleting an entire database table.

What is the impact of a successful SQL injection attack?

  • Unauthorized access to sensitive data.

  • Data manipulation.

  • Denial of service.

  • Persistent backdoor access to the systems.

Types of SQL Injection

  • In-band SQL Injection

    • Error-based SQL Injection

    • Union-based SQL Injection

  • Blind SQL Injection

  • Out-of-Band SQL Injection

SQL Commands

  • SELECT: extracts data from a database

  • UPDATE: updates data in a database

  • DELETE: deletes data from a database

  • INSERT INTO: inserts new data into a database

  • CREATE DATABASE: creates a new database

  • ALTER DATABASE: modifies a database

  • CREATE TABLE: creates a new table

  • ALTER TABLE: modifies a table

  • DROP TABLE: deletes a table

  • CREATE INDEX: creates an index (search key)

  • DROP INDEX: deletes an index

  • WHERE: filters records

  • UNION: combines the result sets of two or more SELECT statements (only distinct rows)

  • UNION ALL: combines the result sets of two or more SELECT statements (allows duplicate rows)

  • CONCAT: joins several strings together

Enumeration

Detecting SQL Injection

  • Submit a single quote character and look for errors or other anomalies.

  • Test for SQL Injection by adding a single quote (apostrophe) at the end of an input string and closing the rest of the statement with an SQL comment such as # or --.

  • Check whether the application returns any database errors.

  • Where errors are suppressed, look for query results that are reflected back into the page without any error message.

  • Submit Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses.

  • Submit payloads designed to trigger a time delay when executed within an SQL query, and look for differences in the time taken to respond.

  • Submit OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitor for any resulting interactions.

Injection Points

  • URL parameters

  • Form fields

  • HTTP headers (e.g. cookies)

  • Out-of-band (e.g. data retrieved from a third party)

SQLi Cheat Sheet (MySQL syntax; the leading 0 UNION SELECT 1,2,... assumes the original query returns three columns)

Get Database Name

0 UNION SELECT 1,2,database()

Get Database Tables

0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = '[DATABASE_NAME]'

Get Column Names

0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = '[TABLE_NAME]'
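The detection steps and the UNION queries above, shown end to end against a constructed in-memory SQLite database: a lookup that concatenates input into the statement beside the same lookup with a bound parameter. This is an added example, not code from the original page; the schema, the function names and the use of sqlite_master (SQLite's counterpart to MySQL's information_schema) are assumptions made here.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's database.
# The page's payloads read MySQL's information_schema; SQLite's catalogue
# table is sqlite_master, so the probe below is adapted to it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 10), (2, 'Gadget', 25);
        INSERT INTO users VALUES (1, 'alice', '<constructed hash>');
    """)
    return conn

def product_vulnerable(conn, product_id):
    # Untrusted input is concatenated into the statement text, so the input
    # can change the query's structure (the in-band, UNION-based case above).
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()

def product_safe(conn, product_id):
    # Bound parameter: the value travels separately from the statement text
    # and is only ever compared against id, never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()

def probe(conn, lookup, value):
    # Mirrors the detection step: record either the rows returned or the
    # database error the input provoked, the two signals a tester looks for.
    try:
        return {"rows": lookup(conn, value), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}

# The single-quote probe and the table-listing UNION query from the page.
SINGLE_QUOTE = "1'"
UNION_TABLES = "0 UNION SELECT 1,2,name FROM sqlite_master"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", product_vulnerable), ("safe", product_safe)):
        for payload in (SINGLE_QUOTE, UNION_TABLES):
            print(label, repr(payload), probe(db, fn, payload))
```

The vulnerable lookup raises a database error on the single quote and returns the table names on the UNION payload, while the parameterised lookup returns an empty result for both with no error.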
