search
GitHubTwitterExegolTools

SQL injection

hashtag
Theory

Many web applications use one or multiple databases to manage data. In order to dynamically edit the database while users browse the website, some SQL queries can rely on input vectors. When input parameters used in those queries are insufficiently validated or sanitized, these web apps can be vulnerable to SQL injections.

SQL injection attacks can allow attackers to read, update, insert or delete database data by injecting a piece of SQL query through the input vector, hence affecting the intended execution of the original query. In some cases, these attacks can also lead to File Download, File Upload or even Remote Code Execution.

hashtag
Practice

Testers need to identify input vectors (parts of the app that accept content from the users) that could be used for database operations. For each identified vector, testers need to check if malicious strings and values successfully exploit any vulnerability.

hashtag
Vulnerable input recon

Using special SQL characters (', ", #, ;, ), *,%) in an input could lead to SQL errors sometimes echoed back to the users for debugging. This would indicate an entry point not sanitized enough and thus potentially vulnerable to SQL injection.

circle-info

For every payload do not forget to try url encoding or others.

hashtag
Manual testing

With some.website/?parameter=value some basic useful payload to detect vulnerable inputs are:

parameter=1
parameter=1'
parameter=1"
parameter=[1]
parameter[]=1
parameter=1`
parameter=1\
parameter=1/**/
parameter=1/*!111'*/
parameter=1' or '1'='1
parameter=1 or 1=1
parameter=' or ''='
parameter=' OR 1 -- -
parameter=1' or 1=1 --
parameter=1' or 1=1 -- -
parameter=1' or 1=1 /*
parameter='='
circle-exclamation

GET parameters are not the only ones that could be vulnerable to SQLi. Testers should thoroughly test all user inputs (parameters, user-agents, cookies...)

The following payload is used for testing SQL injections, XSS (Cross-Site Scripting) and SSTI (Server-Side Template Injection).

hashtag
Extracting information with UNION

1. Finding number of columns:

2. Extract database information:

3. Find tables name:

4. Retrieve information from table:

hashtag
Automated tests

Tools like SQLmaparrow-up-right (Python) or SQLninjaarrow-up-right (Perl) can also be used to fuzz input vectors, find vulnerable entry points and automatically exploit them.

triangle-exclamation

Just like any fuzzing tool, these scans need to be slowed down when testing production instances as it could lead to an unintended denial of service. In addition to that, testers need to use those tools with the greatest care since creating issues with production instances databases (like overwriting or deleting data) could have a serious fallout.

It is also possible to load request files and let SQLmap do the heavy work of fuzzing every parameter and input vector.

The request file should look like a standard HTTP request (line, headers, empty line, optional data). It can be obtained by many ways like inspecting network operations in a browser, intercepting requests with a proxy (like Burp Suite), and so on.

hashtag
Resources

LogoMySQL Injection Cheat SheetASafetychevron-right
LogoSQL Injection | OWASP Foundationowasp.orgchevron-right
LogoWhat is SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademychevron-right
SQL Injection | pentestmonkeypentestmonkey.netchevron-right
SQL injection cheatsheets (MSSQL, MySQL, Oracle SQL, Postgres SQL, ...)
LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right
LogoSQL injection cheat sheet | Web Security AcademyWebSecAcademychevron-right
LogoSQL injection (second order)portswigger.netchevron-right
LogoGitHub - Hakumarachi/Loose-Compare-Tables: A complete table of results of types comparison in multiple languagesGitHubchevron-right
PreviousUnrestricted file uploadNextXSS (Cross-Site Scripting)

Last updated

Was this helpful?