SQLi

last edited Mon, 22 Jul 2024 09:53:43 GMT
backlinks: null

A threat actor can manipulate queries that a web application makes to its database. SQL injections can enable DDoS attacks or a furhter compromise of the server's backend.

Detection direct link to this section

Use systemic tests against every entry point in the application:

• '
• boolean conditions OR 1=1 and OR 1=2
• OAST payloads
• time delays when exec commands
• Burp Scanner can be used if it is available

While most injections occur in the WHERE clause of a SELECT query, it can occur at any location within the query. In UPDATE statements, within the updated values or the WHERE clause. In INSERT statements, within the inserted values. In SELECT statements, within the table or column name. In SELECT statements, within the ORDER BY clause.

Examples direct link to this section

Retrieving hidden data direct link to this section

The given URL https://insecure-website.com/products?category=Gifts displays the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

using a comment indicator -- can erase portions of the original SQL query:

https://insecure-website.com/products?category=Gifts'--

Alternatively:

https://insecure-website.com/products?category=Gifts'+OR+1=1--

• 1=1 is always true
• comment indicator nullifies the remainder of the query

Subverting application logic direct link to this section

SQL query example for password authentication

SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'

SQL UNION attacks direct link to this section

Blind SQL injection direct link to this section