Notes
SQL injection: A vulnerability where the attacker disrupts SQL queries executed by an application on a DB. Example: Using 'admin'-- to gain access to an authentication page, where the query would be select * from users where username = 'admin' -- and password = '';
If the app properly validates things, the DB will search for a matching 'admin' -- and not find it, but if it doesn't validate user input or use parameterized queries any characters become part of it. So, the ' would close the str of the original statement and the query would look like select * from users where username = admin instead and the DB would pull the profile allowing login.
Same channel used to launch/receive attacks (easier since results seen)
Manipulating queries to extract/modify data directly
Retrieved data presented in app
Error-Based: DB is forced to generate errors from queries that give up information about it
Errors are generated so possible to refine
www.random.com/app.php?id=' (outputs error)
Union-Based: Uses UNION: Combines results of diff queries to gather from other tables
www.random.com/app.php?id=' UNION SELECT username, password FROM users --
(outputs something like carlos, password123, administrator, 37894327hdj3204)
Map the app: Visit URL, pages, input vectors that talk to backend
Understand logic and how it functions
Enumerate directories/subdomains
Most vulnerabilities logic flaws, or embedded in pages a scanner can't crawl
Fuzz: Add special chars and seeing if app responds unusually
Submitting SQL specific characters like
', ", -, --, ;Refine payloads as you work
Enable server/DB logging: Look at logs:
See how the backend responds/generated errors help you
Code review: Follow code path for all input vectors to help feel things
Last updated