SQL injection overview

What is it?

SQL injection is where an attacker is able to manipulate database queries made by an application.

A simple example

A vulnerable web application has the endpoint /search?product={productName}
When a request is made, the application uses SQL to search for the product SELECT * FROM products WHERE name=$productName
If an attacker inserts a payload into {productName} such as anything' UNION SELECT password FROM users WHERE username = 'admin that modifies the query, sensitive data could be leaked.
The vulnerable application sends this query to the database and the database returns the admin's password.

It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to:

Sensitive data exposure
Data manipulation
Remote code execution
Denial of service

Other learning resources:

PostSwigger: https://portswigger.net/web-security/sql-injection
Swisskeyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

Writeups:

https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

Checklist

Exploitation

# Basic login bypass
' AND 1=1#

# UNION SELECT
' UNION SELECT null,null FROM users-- -

# Blind
' AND SUBSTR((SELECT version()),1,1)='7'#
CAST((SELECT example_column FROM example_table) AS int)

PreviousSpidering NextDetection

Last updated 6 months ago