SQLi is one of the oldest vulnerabilities around, while it’s not that common anymore the impact can be very severe. SQLi has been on the number one spot (as part of “Injection” categorie) since the OWASP 2010 and still is on the number one spot in the OWASP 2017.
What is SQLi?
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.OWASP
short explanation/intro before video
SELECT bounty FROM researcher WHERE id = 31337;
Some key takeaways:
A must read on how to manually discover and exploit SQLi by Gerben Javado.
If the video was not enough or you just want more. Portswigger has a great explanation about SQL Injection.
EXTRA VIDEO: A CTF challenge exploiting SQLi (by John Hammond)
The impact of SQL injection can be quite severe from viewing other people’s data or accessing other people’s account (by leaking the credentials) to deleting the entire database or changing data.
Spraying single quotes to find SQLi be like
Error Based SQLi
With error based SQLi it’s possible to extract information by triggering SQL error messages on the site. SQL errors should always be disabled on public accessible sites.
A write-up show casing how to exploit a SQLi as error based SQLi and blind SQLi by Redforce
Union Based SQLi
Union based SQLi allows to extract information by extending the result from the original query via the SQL UNION operator.
A tutorial on UNION attacks by Portswigger.
Blind SQLi is a more difficult type of SQLi because the information your are trying to extract is not visible on the webpage. With blind SQLi it is possible to extract information by asking “questions” to the database and determine the answer based on the response and/or time.
A tutorial on blind SQLi by Portswigger
A great example on how to make an innocent proof of concept for a blind SQLi in the User-Agent by harisec.
Time for practice!
10 levels on SQLi, can you beat them all?
Pentester lab has some free exercises, one of them is a SQLi challenge including a course as well!
The go to tool for SQLi is SQLmap, but always remember to be careful when using tools. Specially in this case since you don’t want to brake the database because you were being a script kiddie. RTFM before using SQLMap! & A short tutorial on how to use SQLMap.
How to prevent SQLi?
A short summary on how to prevent SQLi:
- Make use of prepared statements
- Make use of stored procedures
- Whitelist input validation
- Escape all user supplied input
- Limit the rights of the database user (aka don’t use root)
- Don’t store the passwords in plaintext!
SQL Injection Prevention Cheat Sheet by OWASP
A page everyone should bookmark, the SQL injection cheat sheet by Portswigger.
Want to know if your account has been compromised in a data breach? Go check “Have I Been Pwned” by Troy Hunt.
Simple explanation about SQLi by Computerphile