SQL injection overview

What is it?

SQL injection is where an attacker is able to manipulate database queries made by an application.

A simple example

• A vulnerable web application has the endpoint /search?product={productName}

• When a request is made, the application uses SQL to search for the product SELECT * FROM products WHERE name=$productName

• If an attacker inserts a payload into {productName} such as anything' UNION SELECT password FROM users WHERE username = 'admin that modifies the query, sensitive data could be leaked.

• The vulnerable application sends this query to the database and the database returns the admin's password.

It's important to note that a payload or attack may change depending on the application, the query, and the database. SQL injection can often lead to:

• Sensitive data exposure

• Data manipulation

• Remote code execution

• Denial of service

Other learning resources:

• PostSwigger: https://portswigger.net/web-security/sql-injection

• Swisskeyrepo: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

Writeups:

• https://infosecwriteups.com/how-i-found-multiple-sql-injections-in-5-minutes-in-bug-bounty-40155964c498

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

Checklist

• What is the technology stack you're attacking?

  • What application/framework is being used

  • What backend DB is being used

  • Is there an ORM?

• Verify injection points

  • URL parameters

  • Form fields

  • HTTP headers (e.g. cookies, etc)

  • Out-of-band (e.g. data retrieved from a third party)

• Test ' and "

  • Can you trigger an error?

  • Can you trigger a different response?

• Test with SQLmap

• Test for login bypass ' and 1=1-- - etc

• Test for blind SQLi

  • Test for errors

  • Test for conditional responses

  • Test for conditional errors

  • Test for time delays

• Test for out-of-band interactions

• Test for NoSQL injection

• Is there a blocklist?

  • Can you bypass the blocklist?

    • Encoding

    • Alternative characters

    • Alternative payloads

• Test for second-order SQLi

Exploitation

# Basic login bypass
' AND 1=1#

# UNION SELECT
' UNION SELECT null,null FROM users-- -

# Blind
' AND SUBSTR((SELECT version()),1,1)='7'#
CAST((SELECT example_column FROM example_table) AS int)