12/21/2022 - SQL Injection and Command Injection Flashcards
Types of Database Management Systems (DBMS)
Examples of both types
Relational
- MySQL, Microsoft SQL Server, Access, PostgreSQL, SQLite
Non-Relational (NoSQL)
- MongoDB, Cassandra, ElasticSearch
What is a relational DB composed of?
Information stored within tables, each row having a unique ID (primary key) that other tables can reference
What is a non-relational DB composed of?
Any data set that is not organized into tables and rows of information
- Each row can contain different information
- The huge advantage is flexibility
What are the four basic commands in SQL, with a definition for each?
Bonus: What does the LIMIT clause do?
Select - Retrieve data from the database
ex) select username, password from users;
*BONUS: select * from users LIMIT 1; (LIMIT restricts how many rows are returned, here a single row)
Insert - Tells the DB we wish to insert a new row of data into the table
ex) insert into users (username,password) values ('bob', 'password123');
Update - Tells the DB we wish to update one or more rows of data within a table
ex) update users SET username='root', password='pass123' where username='admin';
Delete - Tells the DB we wish to delete one or more rows
ex) delete from users where username='martin';
ex) delete from users;
*Since no WHERE clause is used, all rows in the table are deleted
What does the LIKE clause do? What wildcard symbol is used in conjunction with it?
LIKE clause: specify data that isn't an exact match (pattern matching)
% : wildcard (matches any sequence of characters)
ex) select * from users where username like 'a%';
ex) select * from users where username like '%n';
What does the UNION statement do?
Combines the results of two or more SELECT statements into one result set
What are the types of SQL injection, with definitions?
In-Band: Bidirectional method of communication (i.e. the web browser both sends the attack and receives its results)
Blind SQLi: Little to no feedback is given (look at response speed and any error messages returned)
Out-of-Band: Two different communication channels are used (one to launch the attack and one to receive data back)
What function is used to enumerate the database? (i.e. DB type)
database()
ex) [code] union select [columns] where database() like …
What does information_schema do?
Provides metadata pertaining to a database (its tables and columns)
What is table_schema?
A filter to use if you know the database name
What is command injection?
Abuse of an application's behavior to execute commands on the OS (also known as RCE, "Remote Code Execution")
What shell operators are used, alone or in combination, to cause unintended command injection behavior?
;
&
&&
Types of command injection
Blind - No direct output from the app when testing payloads
Verbose - Direct feedback from the app
How do you detect blind command injection?
Use the sleep (Windows) or ping command and observe the response delay
Use curl with a Linux or Windows command (i.e. whoami)
Remediating command injection
Eliminate vulnerable functions: exec, passthru, system
- use the pattern attribute in PHP
Input sanitization (i.e. filter_input)