
SQL Injection

Basic

A SQL injection attack has a severe impact on the CIA of sensitive data: the attacker can gain unauthorized access and compromise the Confidentiality of users' PII, the Integrity of the data by altering it, or its Availability by denying access to or deleting user information. Injection was at the top of the OWASP Top 10 list until 2017.

Detect SQL injection

First, observe the behavior of the web application, then try disrupting its normal behavior. There are a few methods to detect SQLi.

  • Inject a single quote ' or a double quote " and observe for anomalies or any errors.
  • Observe the HTTP response while manipulating the parameters.
  • Conditional response with SQL statements
    • OR 1=1 forcing a TRUE condition
    • OR 1=2 forcing a FALSE condition
  • Trigger a time delay with the SQLi payload and observe the difference in the application's response time.
  • OAST (Out-of-band Application Security Testing): use a payload that makes the server interact with a server on an external network.

Once SQLi is detected, close the SQLi statement with --, # or /* to bring the query back to its normal behavior.
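Seen from the defender's side, each of the probe techniques above leaves a recognizable trace in request logs. The scanner below is an added example, not code from the original page: it decodes each logged request, matches it against one rule per technique (quote-induced error probe, boolean condition, comment terminator, subquery probe, time delay) and reports which techniques were seen. The log lines, rule names and function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request log lines (not from the original page), one
# request line each, as a WAF or application access log might record them.
SAMPLE_LOG = [
    "GET /product?id=42",
    "GET /product?id=42'",
    "GET /product?id=42' OR 1=1 -- -",
    "GET /product?id=42' OR 1=2 -- -",
    "GET /login?user=admin' AND (SELECT 'X' FROM USERS_TABLE LIMIT 1)='X' -- -",
    "GET /product?id=42'; WAITFOR DELAY '0:0:5' --",
    "GET /search?q=O'Reilly",
    "GET /product?id=42%27%20OR%201%3D1%20--%20-",  # same probe, URL-encoded
]

# One rule per probe technique from the list above. The names are mine.
RULES = {
    # OR 1=1 / AND 1=2 style forced TRUE/FALSE conditions
    "boolean-condition": re.compile(r"\b(OR|AND)\s+\d+\s*=\s*\d+", re.I),
    # --, -- -, # or /* used to close the statement (only at the end of the value)
    "comment-terminator": re.compile(r"(--\s*-?|#|/\*)\s*$"),
    # (SELECT ... LIMIT 1) subqueries used as conditional probes
    "subquery-probe": re.compile(r"\(\s*SELECT\b.*?\bLIMIT\s+\d+\s*\)", re.I),
    # time-delay primitives of common database engines
    "time-delay": re.compile(r"\b(SLEEP|WAITFOR\s+DELAY|pg_sleep|BENCHMARK)\b", re.I),
    # a lone trailing quote, the classic "does it error?" probe
    "stray-quote": re.compile(r"['\"]\s*$"),
}


def classify(line: str) -> list[str]:
    """Return the names of every rule that matches the decoded request line."""
    value = unquote_plus(line)  # %27 -> ', %20 -> space, + -> space
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged raw log line to the techniques observed in it."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            report[line] = hits
    return report


def summarize(report: dict[str, list[str]]) -> dict[str, int]:
    """Count how often each technique appeared across the flagged lines."""
    counts = {name: 0 for name in RULES}
    for hits in report.values():
        for name in hits:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for line, hits in findings.items():
        print(f"{', '.join(hits):40s} {line}")
    print(summarize(findings))
```

The legitimate value O'Reilly is not flagged, because the rule only fires on a quote that ends the value; a production rule set would add per-source rate thresholds, since a single boolean probe is noise but a burst of them from one client is the loop described later on this page.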

Various methods in SQLi

Blind SQL injection

Detecting conditional SQLi

vulnerable-para' AND 1=1 -- - detecting for TRUE condition
vulnerable-para' AND 1=2 -- - detecting for FALSE condition

Detecting a table exists - Conditional

The statement below, when executed, returns X if the USERS_TABLE table exists, with LIMIT restricting the output to one row. If X is returned then USERS_TABLE exists and the condition ='X' is TRUE. This condition can be used to detect USERS_TABLE indirectly, as long as there is a way to distinguish a TRUE condition from a FALSE one.

(SELECT 'X' FROM USERS_TABLE LIMIT 1)='X' -- -

Detecting whether a user exists in the table, using the same kind of condition.

(SELECT USERNAME FROM USERS_TABLE WHERE USERNAME='administrator' LIMIT 1)='administrator' -- -

Detecting the length of the password in the USERS_TABLE

(SELECT USERNAME FROM USERS_TABLE WHERE USERNAME='administrator' AND LENGTH(PASSWORD)>1)='administrator' -- -

This is again a TRUE/FALSE conditional statement: when the user administrator exists in the USERNAME column of USERS_TABLE and the length of the password in the PASSWORD column is greater than 1, the subquery returns administrator and the condition is TRUE. Now increase the length value and loop until the condition fails; the last value that held is the length of the password.

Extracting the password

(SELECT SUBSTRING(PASSWORD,1,1) FROM USERS_TABLE WHERE USERNAME='administrator')='a' --

Here SUBSTRING extracts the first character of the password from the PASSWORD column for the row whose USERNAME is administrator, and the condition compares it with a. If the statement returns a then the condition 'a'='a' is TRUE, which confirms that the first character of the password is a.

Now loop through the length of the password and the character set allowed in the password.

(SELECT SUBSTRING(PASSWORD,{i},1) FROM USERS_TABLE WHERE USERNAME='administrator')='{j}' --

Increase i to cover the length of the password and step j through the character set, e.g. abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890. If the password may contain special characters it is better to compare ASCII values: use ASCII() to convert the character extracted by SUBSTRING, and ord() in Python to convert a character to its ASCII value.
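Every probe in this section (table exists, user exists, password length) relies on the same oracle: the application behaves differently for a TRUE condition, a FALSE condition and a broken query. The example below is added here and is not from the original page; it shows that oracle against a vulnerable string-concatenated lookup and shows that it disappears once the same lookup binds the input as a parameter. It uses an in-memory SQLite database with constructed sample rows (SQLite treats -- as a comment, so the -- - terminator used above works as-is); the function names are mine.

```python
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS_TABLE (USERNAME TEXT, PASSWORD TEXT)")
    conn.executemany(
        "INSERT INTO USERS_TABLE VALUES (?, ?)",
        [("administrator", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Vulnerable: the input is concatenated into the SQL text, so a quote
    in it ends the string literal and the rest becomes SQL grammar."""
    sql = "SELECT 1 FROM USERS_TABLE WHERE USERNAME='" + username + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Hardened: the input is bound as a parameter and is only ever compared
    as a string value, quotes and comment markers included."""
    sql = "SELECT 1 FROM USERS_TABLE WHERE USERNAME=?"
    return conn.execute(sql, (username,)).fetchone() is not None


def probe(conn: sqlite3.Connection,
          lookup: Callable[[sqlite3.Connection, str], bool],
          username: str) -> str:
    """What the application reveals for one input: 'row' (condition TRUE),
    'no-row' (condition FALSE) or 'error' (query broken, e.g. missing table)."""
    try:
        return "row" if lookup(conn, username) else "no-row"
    except sqlite3.Error:
        return "error"


# The conditional probes from this section, appended to the username field.
PROBES = [
    "administrator",
    "administrator' AND 1=1 -- -",
    "administrator' AND 1=2 -- -",
    "administrator' AND (SELECT 'X' FROM USERS_TABLE LIMIT 1)='X' -- -",
    "administrator' AND (SELECT 'X' FROM NO_SUCH_TABLE LIMIT 1)='X' -- -",
    "administrator' AND LENGTH(PASSWORD)>5 -- -",
    "administrator' AND LENGTH(PASSWORD)>6 -- -",
]


def compare(conn: sqlite3.Connection) -> dict[str, tuple[str, str]]:
    """Outcome of each probe against the vulnerable and the hardened lookup."""
    return {p: (probe(conn, lookup_vulnerable, p), probe(conn, lookup_safe, p))
            for p in PROBES}


if __name__ == "__main__":
    for payload, (vuln, safe) in compare(make_db()).items():
        print(f"vulnerable={vuln:7s} safe={safe:7s}  {payload}")
```

Against the vulnerable lookup the outcomes differ by condition (the two LENGTH probes bracket the six-character sample password exactly as the text describes, and a missing table surfaces as an error, which is what the "observe errors" step in the detection list picks up). Against the parameterized lookup every injected value is simply an unknown username, so all probes return the same no-row answer and there is nothing for the loop to distinguish.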

info

SUBSTRING(PASSWORD,1,1)

  1. The first parameter, PASSWORD, is the column or string to extract from
  2. The second is the position of the character within the password string
  3. The third is the number of characters to return starting from that position

ASCII() - converts a character to its ASCII value in SQL

ord() - converts a character to its ASCII value in Python