• The point at which a web application using SQL becomes open to SQL Injection is when user-provided data gets included in the SQL query.
  • The semicolon in the URL signifies the end of the SQL statement, and the two dashes cause everything afterwards to be treated as a comment. By doing this, you are in fact just running the query:
SELECT * from blog where id=2;--

In-Band

  • Refers to the same method of communication being used to ==exploit the vulnerability and also receive the results.==
  • For example, discovering an SQL Injection vulnerability on a website page and then being able to extract data from the database to the same page.

Error-Based

  • This type of SQL Injection is the most useful for easily obtaining information about the database structure, as error messages from the database are printed directly to the browser screen.

Union-Based

  • This type of Injection utilises the ==SQL UNION operator alongside a SELECT statement to return additional results to the page.==
  • The following query gathers a list of the tables that are in this database:
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'/

Blind

Authentication Bypass

  • It is when we get little to no feedback to confirm whether our injected queries were, in fact, successful or not. This is because the error messages have been disabled, but the injection still works regardless.

Boolean Based

  • Refers to the response we receive back from our injection attempts, which could be a true/false, yes/no, on/off, 1/0 or any response which can only ever have two outcomes.
  • That outcome confirms to us that our SQL Injection payload was either successful or not.

Time Based

  • Very similar to the Boolean-based technique above, in that the same requests are sent, but this time there is no visual indicator of your queries being wrong or right. Instead, your indicator of a correct query is the time the query takes to complete.
  • This time delay is introduced by using built-in methods such as SLEEP(x) alongside the UNION statement. ==The SLEEP() method will only ever get executed upon a successful UNION SELECT statement.==

Out of Band

  • Classified by having two different communication channels, one to launch the attack and the other to gather the results.
  • For example, the attack channel could be a web request, ==and the data gathering channel could be monitoring HTTP/DNS requests made to a service you control.==

Prevention

  • Prepared Statements (With Parameterized Queries)
    • Writing prepared statements ensures that the SQL code structure doesn’t change and the database can distinguish between the query and the data.
  • Input Validation
    • Employing an allow list can restrict input to only certain strings, or a string replacement method in the programming language can filter the characters you wish to allow or disallow.
  • Escaping User Input
    • Escaping user input is the method of prepending a backslash (\) to these characters, which then causes them to be parsed just as a regular string and not a special character.
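An added example (not part of the original notes) showing the prepared-statement and input-validation points side by side with the concatenation they replace; it assumes a constructed in-memory SQLite `blog` table with `id`, `title` and `private` columns, and a payload that uses the UNION and `--` comment behaviour described above.

```python
import re
import sqlite3

# Constructed stand-in for the page's "blog" table (assumption, not the original schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER, title TEXT, private INTEGER)")
    conn.executemany("INSERT INTO blog VALUES (?, ?, ?)",
                     [(1, "Public post", 0), (2, "Draft post", 1)])
    return conn

def lookup_vulnerable(conn, user_id):
    # User data is pasted into the statement text, so it can rewrite the structure:
    # a UNION appends rows and "--" comments out the trailing private=0 filter.
    sql = f"SELECT title FROM blog WHERE id={user_id} AND private=0"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, user_id):
    # Prepared statement: the SQL structure is fixed and the value is bound
    # separately, so the database compares id against a value and never parses it.
    sql = "SELECT title FROM blog WHERE id=? AND private=0"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def is_valid_id(user_id):
    # Allow-list validation: an id may only be a plain run of ASCII digits.
    return re.fullmatch(r"[0-9]+", user_id) is not None

def validate_id(user_id):
    if not is_valid_id(user_id):
        raise ValueError(f"rejected non-numeric id: {user_id!r}")
    return int(user_id)

# Constructed payload: terminates the WHERE clause and unions in the private row.
PAYLOAD = "0 UNION SELECT title FROM blog WHERE private=1--"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))             # ['Public post']
    print(lookup_vulnerable(conn, PAYLOAD))         # ['Draft post']  (leaked)
    print(lookup_prepared(conn, PAYLOAD))           # []  (payload is just a non-matching value)
    print(lookup_prepared(conn, validate_id("1")))  # ['Public post']
```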