SQLi
last edited Sat, 20 Jul 2024 12:26:17 GMT
A threat actor can manipulate the queries that a web application makes to its database. SQL injection can enable DDoS attacks or a further compromise of the server's backend.
Detection
Use systematic tests against every entry point in the application:
- the single quote character '
- boolean conditions, e.g. OR 1=1 and OR 1=2
- OAST payloads
- payloads that trigger time delays when executed within the query
- Burp Scanner can be used if it is available
While most injections occur in the WHERE clause of a SELECT query, they can occur at any location within the query:
- In UPDATE statements, within the updated values or the WHERE clause.
- In INSERT statements, within the inserted values.
- In SELECT statements, within the table or column name.
- In SELECT statements, within the ORDER BY clause.
Examples
Retrieving hidden data
The URL https://insecure-website.com/products?category=Gifts causes the application to run the following query:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
Using a comment indicator -- can erase portions of the original SQL query:
https://insecure-website.com/products?category=Gifts'--
Alternatively:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
1=1 is always true, and the comment indicator nullifies the remainder of the query.
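The products query above, reproduced against an in-memory SQLite table so the effect of string concatenation can be compared with a bound parameter. This is an added example, not code from the original note; the table contents and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data for the products example (not from the original page).
SCHEMA = """
CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
INSERT INTO products VALUES ('Mug', 'Gifts', 1);
INSERT INTO products VALUES ('Unreleased Mug', 'Gifts', 0);
INSERT INTO products VALUES ('Lamp', 'Home', 1);
"""


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def products_vulnerable(category):
    """String concatenation: the parameter becomes part of the SQL grammar.
    A value such as Gifts'-- closes the string literal and comments out
    the released = 1 restriction, so hidden rows are returned."""
    conn = _db()
    sql = ("SELECT name FROM products WHERE category = '"
           + category + "' AND released = 1")
    return sorted(row[0] for row in conn.execute(sql))


def products_parameterized(category):
    """Bound parameter: the input is always treated as a value, never as
    SQL, so the same payload simply matches no category."""
    conn = _db()
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


def single_quote_breaks_query(category):
    """The detection probe from above: a lone ' makes the concatenated
    query syntactically invalid, which surfaces as a database error."""
    try:
        products_vulnerable(category)
        return False
    except sqlite3.OperationalError:
        return True
```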
Subverting application logic
SQL query example for password authentication:
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'