SQL Injection (Portswigger) Flashcards

1
Q

What does SQLi stand for?

A

SQL Injection

2
Q

What is SQLi?

A

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

3
Q

What does SQLi allow an attacker to do?

A

It allows an attacker to view data that they are not normally able to retrieve.

4
Q

What kind of data could an attacker using SQLi view?

A

They could view data belonging to other users, or any other data that the application itself is able to access.

5
Q

What could an attacker using SQLi do that’s common?

A

An attacker could modify or delete data, causing persistent changes to the application's behavior.

6
Q

What could an attacker using SQLi do that's not common?

A

An attacker could escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

7
Q

What is the impact of a successful SQL injection attack?

A

It can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.

8
Q

What could an attacker potentially do with SQLi that is not very common?

A

An attacker could obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period.

9
Q

List 5 SQLi examples and give a brief explanation about each one.

A
  • Retrieving hidden data: can modify an SQL query to return additional results
  • Subverting application logic: can change a query to interfere with the application’s logic
  • UNION attacks: can retrieve data from different database tables
  • Examining the database: can extract information about the version and structure of the database
  • Blind SQLi: where the results of a query you control are not returned in the application's responses
10
Q

Explain the double-dash sequence for revealing hidden data.

A

It's a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remainder of the query, which can reveal hidden data.

11
Q

What is this an example of and what could it do?

SELECT * FROM users WHERE username = 'administrator'--' AND password = ''

A

Subverting application logic

It returns the user whose username is administrator and successfully logs the attacker in as that user, because the password check has been commented out.

12
Q

What keyword would an attacker use to leverage an SQL injection vulnerability to retrieve data from other tables within a database?

A

UNION

13
Q

What is this an example of and what does it do?

An application executes the following query containing the user input "Gifts":

SELECT name, description FROM products WHERE category = 'Gifts'

then an attacker can submit the input:

' UNION SELECT username, password FROM users--

A

Retrieving data from other database tables
(SQL injection UNION attack)
This will cause the application to return all usernames and passwords along with the names and descriptions of products.

14
Q

What are two ways of exploring a database?

A

Query the version details, e.g. on Oracle:
SELECT * FROM v$version

Determine what database tables exist, e.g. on most databases you can use this to list the tables:
SELECT * FROM information_schema.tables

15
Q

True or False?
Many instances of SQL injection are blind vulnerabilities.
If True, what does this mean?

A

It means the application does not return the results of the SQL query or the details of any database errors within its responses.

16
Q

Give 3 examples of techniques that can be used to exploit blind injection vulnerabilities.

A
  • Change the logic of the query to trigger a detectable difference in the application’s response depending on the truth of a single condition. This might involve injecting a new condition into some Boolean logic, or conditionally triggering an error such as a divide-by-zero.
  • Conditionally trigger a time delay in the processing of the query, allowing you to infer the truth of the condition based on the time that the application takes to respond.
  • Trigger an out-of-band network interaction, using OAST techniques. This technique is extremely powerful and works in situations where the other techniques do not. Often, you can directly exfiltrate data via the out-of-band channel, for example by placing the data into a DNS lookup for a domain that you control.
17
Q

True or False?
The majority of SQL injection vulnerabilities can be found quickly and reliably using Burp Suite’s web vulnerability scanner.

A

True

18
Q

List 5 typical tests used to manually detect SQL injection at each entry point in an application.

A
  • Submitting the single quote character ' and looking for errors or other anomalies.
  • Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
  • Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
  • Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
  • Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
19
Q

What is this used to detect?

  • Submitting the single quote character ' and looking for errors or other anomalies.
A

SQL injection vulnerability

20
Q

What is this used to detect?

  • Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
A

SQL injection vulnerability

21
Q

What is this used to detect?

  • Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
A

SQL injection vulnerability

22
Q

What is this used to detect?

  • Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
A

SQL injection vulnerability

23
Q

What is this used to detect?

  • Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
A

SQL injection vulnerability

24
Q

Where do most SQL injection vulnerabilities arise?

What are the other most common locations?

A

Most common is in the WHERE clause of a SELECT query.

Other common locations:

  • In UPDATE statements, within the updated values or the WHERE clause.
  • In INSERT statements, within the inserted values.
  • In SELECT statements, within the table or column name.
  • In SELECT statements, within the ORDER BY clause.
25
Q

Describe first-order SQL injection

A

It arises where the application takes user input from an HTTP request and, in the course of processing that request, incorporates the input into an SQL query in an unsafe way.

26
Q

What is second-order SQL injection also known as?

A

Stored SQL injection

27
Q

Describe second-order SQL injection

A

The application takes user input from an HTTP request and stores it for future use. This is usually done by placing the input into a database, but no vulnerability arises at the point where the data is stored. Later, when handling a different HTTP request, the application retrieves the stored data and incorporates it into an SQL query in an unsafe way.

28
Q

How does second-order SQL injection often arise?

A

In situations where developers are aware of SQL injection vulnerabilities, and so safely handle the initial placement of the input into the database. When the data is later processed, it is deemed to be safe, since it was previously placed into the database safely. At this point, the data is handled in an unsafe way, because the developer wrongly deems it to be trusted.

29
Q

List 5 techniques for detecting and exploiting SQL injection that work differently on different platforms.

A
  • Syntax for string concatenation
  • Comments
  • Batched (or stacked) queries
  • Platform-specific APIs
  • Error messages
30
Q

What is the following code vulnerable to? Why? And how can it be rewritten in a way that prevents this vulnerability?

String query = "SELECT * FROM products WHERE category = '" + input + "'";

Statement statement = connection.createStatement();

ResultSet resultSet = statement.executeQuery(query);

A

It's vulnerable to SQL injection because the user input is concatenated directly into the query string, so the input can alter the query structure.

It can be rewritten to prevent user input from interfering with the query structure:

PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");

statement.setString(1, input);

ResultSet resultSet = statement.executeQuery();

31
Q

When can parameterized queries be used?

A

For any situation where untrusted input appears as data within the query, including the WHERE clause and values in an INSERT or UPDATE statement. They can’t be used to handle untrusted input in other parts of the query, such as table or column names, or the ORDER BY clause.

Application functionality that places untrusted data into those parts of the query will need to take a different approach, such as white-listing permitted input values, or using different logic to deliver the required behavior.

32
Q

What does a parameterized query need in order to be effective in preventing SQL injection?

A

The string that is used in the query must always be a hard-coded constant, and must never contain any variable data from any origin. Do not be tempted to decide case-by-case whether an item of data is trusted, and continue using string concatenation within the query for cases that are considered safe. It is all too easy to make mistakes about the possible origin of data, or for changes in other code to violate assumptions about what data is tainted.

33
Q

When an application is vulnerable to SQL injection and the results of the query are returned within the application’s responses, what keyword can be used to retrieve data from other tables within the database? What kind of attack is this called?

A

UNION

UNION attack

34
Q

What is this an example of and what will it return?

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

A

UNION query to get results from multiple tables.

It will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.

35
Q

What two key requirements must be met for a UNION query to work?

A
  • The individual queries must return the same number of columns.
  • The data types in each column must be compatible between the individual queries.
36
Q

What two requirements must be figured out to carry out an SQL injection UNION attack?

A
  • How many columns are being returned from the original query?
  • Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
37
Q

In determining the number of columns required in an SQL injection UNION attack, there are two methods to determine how many columns are being returned from the original query.

What are they?

A
  • One method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs.
  • The other method involves submitting a series of UNION SELECT payloads specifying a different number of null values.
38
Q

Describe the ORDER BY method

A

This method involves injecting a series of ORDER BY clauses and incrementing the specified column index until an error occurs. For example, assuming the injection point is a quoted string within the WHERE clause of the original query, you would submit:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
etc.

This series of payloads modifies the original query to order the results by different columns in the result set. The column in an ORDER BY clause can be specified by its index, so you don't need to know the names of any columns. When the specified column index exceeds the number of actual columns in the result set, the database returns an error, such as:

The ORDER BY position number 3 is out of range of the number of items in the select list.

The application might actually return the database error in its HTTP response, or it might return a generic error, or simply return no results. Provided you can detect some difference in the application’s response, you can infer how many columns are being returned from the query.

39
Q

Describe the UNION SELECT method

A

This method involves submitting a series of UNION SELECT payloads specifying a different number of null values:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
etc.

If the number of nulls does not match the number of columns, the database returns an error, such as:

All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.

Again, the application might actually return this error message, or might just return a generic error or no results. When the number of nulls matches the number of columns, the database returns an additional row in the result set, containing null values in each column. The effect on the resulting HTTP response depends on the application's code. If you are lucky, you will see some additional content within the response, such as an extra row in an HTML table. Otherwise, the null values might trigger a different error, such as a NullPointerException. Worst case, the response might be indistinguishable from that which is caused by an incorrect number of nulls, making this method of determining the column count ineffective.

40
Q

In determining the number of columns required in an SQL injection UNION attack, what is the reason for using NULL as the values returned from the injected SELECT query?

A

The data types in each column must be compatible between the original and the injected queries. Since NULL is convertible to every commonly used data type, using NULL maximizes the chance that the payload will succeed when the column count is correct.

41
Q

What is the reason for performing an SQL injection UNION attack?

A

To be able to retrieve the results from an injected query.

42
Q

What can you do once you've determined the number of required columns in an SQLi UNION attack?

A

You can probe each column to test whether it can hold string data, by submitting a series of UNION SELECT payloads that place a string value into each column in turn.

43
Q

What is the reason for using 'a' in the following payloads?

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

A

To find out whether the column is compatible with string data. If no database error occurs, then the relevant column is suitable for retrieving string data.

44
Q

Within an SQLi UNION attack, suppose that:

  • The original query returns two columns, both of which can hold string data.
  • The injection point is a quoted string within the WHERE clause.
  • The database contains a table called users with the columns username and password.

Give an example of the input.

A

' UNION SELECT username, password FROM users--

45
Q

What is this an example of and on what platform would it take place? What is the result of this query?

' UNION SELECT username || '~' || password FROM users--

A

A UNION attack that retrieves multiple values in a single column using the double-pipe sequence ||, which is the string concatenation operator on Oracle. Each username and password pair is joined into one string with a ~ separator.

Result:
administrator~s3cure
weiner~peter
carlos~montoya

46
Q

What information is necessary to exploit SQL injection vulnerabilities?

A

The type and version of the database software, and the contents of the database in terms of which tables and columns it contains.

47
Q

Querying the database type and version question

A

.