
Notes

SQL injection: A vulnerability where attacker-controlled input alters the SQL queries an application runs against its DB. Example: entering admin'-- as the username on a login page, so that the query becomes select * from users where username = 'admin' -- and password = ''; (everything after -- is a comment).

If the app properly validates input or uses parameterized queries, the DB will search for a username literally equal to admin'-- and not find it. If it builds the query by concatenating user input, every submitted character becomes part of the statement: the ' closes the string literal of the original query and -- comments out the password check, so the query effectively becomes select * from users where username = 'admin' and the DB returns the admin profile, allowing login.

Same channel is used to launch the attack and receive its results (easiest to work with, since the results are visible)

  • Manipulating queries to extract/modify data directly

  • Retrieved data is presented in the app


  1. Error-Based: the DB is forced to generate errors from malformed queries, and those error messages give up information about it

    • Because errors come back, payloads can be refined step by step

    • www.random.com/app.php?id=' (outputs error)

  2. Union-Based: uses UNION to combine the results of different queries and gather data from other tables

    • www.random.com/app.php?id=' UNION SELECT username, password FROM users --

    • (outputs something like carlos, password123, administrator, 37894327hdj3204)
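To show both mechanisms above on a local in-memory SQLite database, here is an added example (not code from the original notes): each query is written once by string concatenation, as in the vulnerable app described, and once with placeholders. The users and products tables, the admin/hunter2 credentials and the product row are constructed sample data; the carlos and administrator rows reuse the values from the union example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');                 -- constructed
        INSERT INTO users VALUES ('carlos', 'password123');            -- from the notes
        INSERT INTO users VALUES ('administrator', '37894327hdj3204'); -- from the notes
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');             -- constructed
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text. With username admin'-- the
    quote ends the string literal and -- comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Placeholders pass the input as a value; admin'-- is compared literally."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def product_vulnerable(conn, product_id):
    """Same defect on a lookup endpoint: a UNION in the id parameter appends
    rows from another table to the result set the page renders."""
    sql = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(sql).fetchall()


def product_parameterized(conn, product_id):
    """Hardened lookup: the id is bound as a value, so nothing can be appended."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "admin'--"
    union = "' UNION SELECT username, password FROM users --"
    print("vulnerable login:    ", login_vulnerable(db, bypass, ""))
    print("parameterized login: ", login_parameterized(db, bypass, ""))
    print("vulnerable lookup:   ", product_vulnerable(db, union))
    print("parameterized lookup:", product_parameterized(db, union))
```

Run it directly to print the four results. The parameterized versions look for the literal text admin'-- or the literal UNION string as a value, never as SQL, so they return nothing for those inputs while still matching a genuine username or product id.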


  1. Map the app: visit the URLs and pages, and identify the input vectors that talk to the backend

    • Understand the logic and how it functions

    • Enumerate directories/subdomains

    • Most vulnerabilities are logic flaws, or are embedded in pages a scanner can't crawl

  2. Fuzz: add special characters and see if the app responds unusually

    • Submitting SQL-specific characters like ', ", -, --, ;

    • Refine payloads as you work

  3. Enable server/DB logging and look at the logs:

    • See how the backend responds; the generated errors help you

  4. Code review: follow the code path for every input vector to help find issues
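Steps 2 and 3 together describe what the logs look like while this is going on, so as an added example (not code from the original notes) here is a small scanner that reads web-server access-log lines, URL-decodes every query parameter and flags the same characters and keywords the fuzzing step submits. The log lines are constructed samples in common log format; the third one carries the UNION payload quoted above, URL-encoded. The severity rule is an assumption of this example: a lone quote is common in legitimate input, so only comment sequences, separators, SQL keywords, or a 5xx answer to a quote are treated as strong signals.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from any real server)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app.php?id=7 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /app.php?id=%27 HTTP/1.1" 500 233
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /app.php?id=%27%20UNION%20SELECT%20username,%20password%20FROM%20users%20-- HTTP/1.1" 200 870
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=o%27neil HTTP/1.1" 200 410
"""

# Request line and status code of a common-log-format entry
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# The characters and keywords from the fuzzing step, matched case-insensitively
SUSPICIOUS = re.compile(r"""(--|;|'|"|\bUNION\b|\bSELECT\b)""", re.IGNORECASE)

# Assumed severity rule: a lone quote appears in names and search terms, so
# comment sequences, separators, keywords, or a 5xx reply are the strong signals
STRONG = {"--", ";", "UNION", "SELECT"}


def severity(hits, status):
    if STRONG & set(hits) or status >= 500:
        return "high"
    return "low"


def scan_access_log(text):
    """Return one finding per query parameter whose decoded value contains
    SQL metacharacters or keywords."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the expected format
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        # parse_qsl also percent-decodes, so %27 becomes a real quote here
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = sorted({h.upper() for h in SUSPICIOUS.findall(value)})
            if hits:
                findings.append({
                    "line": lineno, "param": param, "value": value,
                    "status": status, "hits": hits,
                    "severity": severity(hits, status),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:4} {f['param']}={f['value']!r} "
              f"hits={f['hits']} status={f['status']}")
```

On the sample input the plain id=7 request is ignored, the lone quote that produced a 500 and the UNION request are rated high, and the search for o'neil is rated low. Pairing the decoded parameter with the response status is what turns a noisy character match into the error-based signal the notes describe.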
