SQL Injection Cheat Sheet PDF

The document provides information about SQL injection attacks, including: - SQL injections occur when unsanitized user input is used in SQL statements, allowing malicious users to execute unexpected SQL code. - There are several types of SQL injections, such as error-based, union-based, boolean-based, time-based, and out-of-band SQL injections. - SQL injections can lead to data leaks or full system compromise if not addressed properly.


ASSUMPTIONS

In this cheat sheet, we will assume that:

• You are a developer or you know programming
• You have limited web application security knowledge
• You need to know how SQL injection attacks happen
• You need to know how to fix SQL injection issues in your code

SQL INJECTION CHEAT SHEET FOR DEVELOPERS

GOALS

In this cheat sheet, you will learn:

• How malicious hackers conduct SQL injection attacks
• How to fix your code that has SQL injection vulnerabilities
• How to avoid SQL injection vulnerabilities in the future

PART 1 What Are SQL Injection Attacks

SQL injections happen when:

• Your code uses unsanitized data from user input in SQL statements
• A malicious user includes SQL elements in the input in a tricky way
• Your code executes these SQL elements as part of legitimate SQL statements

SQL INJECTION FAQ

• What SQL servers are affected by SQL injections?

All SQL servers may be affected by SQL injections: MySQL, MSSQL, Oracle, PostgreSQL, and more.

• What programming languages are affected by SQL injections?

SQL injections may happen in any programming language.

• What may be the consequences of an SQL injection?

An SQL injection may lead to data leaks (https://www.acunetix.com/blog/web-security-zone/sql-injection-compromises-entire-country/), but it may also lead to complete system compromise (https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/).

• How common are SQL injections?

In 2020, SQL injections were found by Acunetix on average in 7% of web apps (https://www.acunetix.com/acunetix-web-application-vulnerability-report/).

• Do web application firewalls (WAF) protect against SQL injections?

No, WAFs only make it more difficult for the attacker to send SQL injection payloads (https://www.acunetix.com/white-papers/using-dast-to-get-the-most-out-of-wafs/).

SIMPLE SQL INJECTION EXAMPLE


YOUR CODE IN PHP:

<?php
// Deliberately vulnerable: the raw GET parameter is concatenated straight into the SQL text
$userid = $_GET["userid"];
$query = "SELECT user FROM users WHERE userid = $userid;";
$result = pg_query($conn, $query);
?>

ATTACKER REQUEST:

YOUR CODE PROCESSES THE FOLLOWING SQL QUERY:

$query = "SELECT user FROM users WHERE userid = 0; DELETE FROM users WHERE 1;";

As a result, if the current user (current database user) has suitable permissions, the entire users table is cleared.

SQL INJECTION TYPES

TYPE 1: IN-BAND SQL INJECTION: ERROR-BASED SQL INJECTION

• The attacker sends a request designed to cause an error in the database server
• The server returns an error message to the attacker
• The attacker uses information contained in the error to escalate the attack
• This type of SQL injection is used to access sensitive information such as database type, file names, and more

EXAMPLE:
• Payload: http://testphp.vulnweb.com/listproducts.php?cat=1%27
• Result: The web application displays the following error in the browser:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74

TYPE 2: IN-BAND SQL INJECTION: UNION-BASED SQL INJECTION

• The attacker uses a UNION clause in the payload
• The SQL engine combines sensitive information with legitimate information that the web application should display
• The web application displays sensitive information

EXAMPLE:
• Payload: http://testphp.vulnweb.com/artists.php?artist=-1%20UNION%20SELECT%201,version(),current_user()
• Result: The web application displays the system version and the name of the current user:
8.0.22-0ubuntu0.20.04.2
acuart@localhost

TYPE 3: BLIND SQL INJECTION: BOOLEAN-BASED SQL INJECTION

• The attacker sends many payloads containing expressions that evaluate to either TRUE or FALSE
• Alternating between the two, the attacker can draw conclusions about the database and its contents
• This type of SQL injection is often used to access sensitive information when the web application returns neither meaningful error messages nor the targeted data itself

EXAMPLE:
• http://testphp.vulnweb.com/artists.php?artist=1%20AND%201=1
• http://testphp.vulnweb.com/artists.php?artist=1%20AND%201=0

TYPE 4: BLIND SQL INJECTION: TIME-BASED SQL INJECTION

• If the web application doesn't return errors and the returned information is the same for boolean-based payloads, the attacker sends a payload that includes a time delay command such as SLEEP, which delays the whole response
• The attacker draws conclusions from the length of response delays and repeats the process as many times as necessary with different arguments
• This type of SQL injection is often used to check whether any other SQL injections are possible
• This type of SQL injection may also, for example, be used to guess the content of a database cell a character at a time by using different ASCII values in conjunction with a time delay

EXAMPLE:
• http://testphp.vulnweb.com/artists.php?artist=1-SLEEP(3)

TYPE 5: OUT-OF-BAND SQL INJECTION

• This type of SQL injection is possible only for some databases, for example, Microsoft SQL Server and Oracle
• The attacker includes a special database command in the payload; this command causes a request to an external resource (controlled by the attacker)
• The attacker monitors for attempts to contact the external resource, for example, DNS lookups or HTTP request logs of the external resource
• If there is a request coming once the payload is executed, this confirms that the SQL injection is possible
• The attacker accesses database information and can send it to the external resource
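The payload shapes in the examples for types 1 to 4 above can also be recognised after the fact in web-server access logs. The following Python script is an added example, not part of the cheat sheet: it decodes the query string of each request in a constructed access log and reports which of those four patterns it matches. The signatures are heuristics chosen here; they miss obfuscated payloads and can flag legitimate input that happens to contain a quote.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Heuristic signatures for the payload shapes quoted in the cheat sheet's
# examples. They are matched against the decoded value of each query
# parameter, so "%20UNION%20SELECT" and "+union+select" are treated alike.
SIGNATURES = {
    "error-based": re.compile(r"['\"]"),                               # stray quote
    "union-based": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "boolean-based": re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I),
    "time-based": re.compile(r"\b(sleep|pg_sleep|benchmark|waitfor)\b", re.I),
}
# Request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def classify_request(path: str) -> list:
    """Return the signature names matched by any parameter of one request."""
    hits = []
    for _name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode catches %2527-style double encoding
        for label, pattern in SIGNATURES.items():
            if label not in hits and pattern.search(decoded):
                hits.append(label)
    return hits


def scan_log(lines) -> list:
    """Return (line number, request path, matched signatures) for flagged entries."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits = classify_request(match.group(1))
            if hits:
                flagged.append((number, match.group(1), hits))
    return flagged


# Constructed sample access log (not real traffic). The query strings reuse the
# payloads quoted in the cheat sheet's examples; the last entry is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /artists.php?artist=-1%20UNION%20SELECT%201,version(),current_user() HTTP/1.1" 200 740',
    '10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /artists.php?artist=1%20AND%201=1 HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2021:10:00:04 +0000] "GET /artists.php?artist=1-SLEEP(3) HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 640',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first four entries, one per injection type, and leaves the benign request alone.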

PART 2 SQL Injection Defense

PARAMETERIZED QUERIES (PREPARED STATEMENTS)


• This technique is available in many programming languages
• Instead of forming the query by using string concatenation, the query string includes parameters
• The prepared statements library replaces these parameters with values supplied by the user, so that SQL commands
and user input (parameters) are passed separately

PHP EXAMPLE
Using PHP Data Objects (PDO):

$dbh = new PDO('mysql:host=localhost;dbname=database', 'dbuser', 'dbpasswd');

$query = "SELECT column_name FROM table_name WHERE id = :id order by column_name desc";
$sth = $dbh->prepare($query);
$sth->bindParam(':id', $_GET["id"]);
$sth->execute();
$result = $sth->fetchColumn();

JAVA EXAMPLE

// idParam holds the raw String value taken from the request
int id = Integer.parseInt(idParam);
String query = "SELECT column_name FROM table_name WHERE id = ? order by column_name desc";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.executeQuery();
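To see the vulnerable lookup from Part 1 and the parameterized queries above side by side in one runnable piece, here is an added Python example (not code from the cheat sheet) that uses the standard library's sqlite3 module against a constructed in-memory users table. executescript() stands in for a driver that, like the pg_query() call on the page, runs stacked statements.

```python
import sqlite3

# Constructed sample data (not from the cheat sheet): a three-row users table.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, userid: str) -> list:
    """The cheat sheet's vulnerable pattern: the raw input is pasted into the SQL text."""
    query = f"SELECT user FROM users WHERE userid = {userid}"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, userid: str) -> list:
    """Parameterized query: SQL text and value travel separately, so the value
    is compared as data and can never become part of the statement."""
    query = "SELECT user FROM users WHERE userid = ?"
    return [row[0] for row in conn.execute(query, (userid,))]


def stacked_unsafe(conn: sqlite3.Connection, userid: str) -> int:
    """Same concatenation, run through executescript(), which (like pg_query()
    on the page) executes every statement it is handed. Returns how many rows
    are left in the users table afterwards."""
    conn.executescript(f"SELECT user FROM users WHERE userid = {userid};")
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))          # ['bob']
    print(lookup_unsafe(db, "0 OR 1=1"))   # every row leaks: the input rewrote the WHERE clause
    print(lookup_safe(db, "0 OR 1=1"))     # []: the same input is only a string to compare
    print(stacked_unsafe(make_db(), "2"))  # 3 rows remain for a benign value
    print(stacked_unsafe(make_db(), "0; DELETE FROM users WHERE 1"))  # 0 rows: the page's payload
```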

STORED PROCEDURES
• Use only if your programming language does not support prepared statements
• To avoid SQL injections, you must use prepared statements in stored procedures
• Available only for database engines that support stored procedures but most modern engines support them
• The query is prepared and stored in the database engine
• The application calls the stored procedure and passes variables to it

MYSQL EXAMPLE
Creating the procedure:

CREATE PROCEDURE example(IN suppliedId VARCHAR(8))
BEGIN
SELECT column_name FROM table_name WHERE id = suppliedId;
END

Calling the procedure with id = 1:

CALL example("1");

SQL injection payload will not work:

CALL example("0;DELETE FROM users WHERE 1");

MSSQL EXAMPLE
Creating the procedure:

CREATE PROCEDURE dbo.example @id nvarchar(8)
AS
SELECT column_name FROM table_name WHERE id = @id;
GO

Calling the procedure with id = 1:

EXEC database.dbo.example 1;

SQL injection payload will not work:

EXEC database.dbo.example 0;DELETE FROM USERS WHERE 1

PART 3 SQL Injection Detection

METHOD / TOOLS / KEY PROS / KEY CONS
(The original table also had a RATING column shown as graphics; it did not survive extraction.)

METHOD: Manual code review
TOOLS: Development environment
KEY PROS: May improve the general quality of code
KEY CONS: Unlikely to find SQL injections

METHOD: Manual penetration testing
TOOLS: Attack proxies
KEY PROS: Able to find even very complex and rare types
KEY CONS: Very time and resource intensive

METHOD: Automatic code analysis (white box scanning)
TOOLS: SAST software
KEY PROS: Can reach even code that is not used directly
KEY CONS: Reports a lot of false positives and does not prove that a vulnerability exists

METHOD: Automatic vulnerability scanning (black box scanning)
TOOLS: DAST software
KEY PROS: Can run in any environment and at any development stage
KEY CONS: Does not point to the issue in the source code

METHOD: Automatic vulnerability scanning with proof of exploit and grey box sensors
TOOLS: Acunetix
KEY PROS: Proves that the vulnerability exists by showing data that should be restricted; points to the error in source code or bytecode (PHP, Java, .NET, Node.js)
KEY CONS: (none listed)

Note: To improve detection, it is best to employ several methods at the same time.
However, if you cannot afford it, go for the most effective method first.

APPENDIX: ADDITIONAL RESOURCES


Acunetix: A general introduction to SQL injections
https://www.acunetix.com/websitesecurity/sql-injection/

Acunetix: A more detailed explanation of SQL injection types
https://www.acunetix.com/websitesecurity/sql-injection2/

Acunetix: A more detailed explanation of blind SQL injections
https://www.acunetix.com/websitesecurity/blind-sql-injection/

Acunetix: A detailed explanation of out-of-band SQL injections
https://www.acunetix.com/blog/articles/blind-out-of-band-sql-injection-vulnerability-testing-added-acumonitor/

Acunetix: A practical example that shows how an SQL injection may lead to system compromise
https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/

Acunetix: A practical example that shows how to analyze logs to discover an SQL injection attack
https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/

Acunetix: A detailed article about preventing SQL injections in PHP
https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/

Acunetix: An article about preventing SQL injections in Java
https://www.acunetix.com/how-to-prevent-sql-injections-java/

Acunetix: An article about preventing blind SQL injections
https://www.acunetix.com/blog/articles/blind-sql-injection/

Pentestmonkey: Detailed SQL injection cheat sheets for penetration testers
http://pentestmonkey.net/category/cheat-sheet/sql-injection

Bobby Tables: The most comprehensible library of SQL injection defense techniques for many programming languages
https://bobby-tables.com/
