sql-injection

SQL injection (SQLi) is a vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This might allow an attacker to view, modify or delete sensitive data they are not authorized to access.

SQL injections can be detected manually using test patterns against application entry points:

  • ' - Single quote character
  • OR 1=1 and OR 1=2 - Boolean conditions
  • Payloads that cause a measurable time delay when the query executes

Exploitation

LAB 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

With the filters on the webshop's header, it is possible to narrow down the list of products currently offered.

lab1-1

The request line GET /filter?category=Pets HTTP/2 shows the category parameter; it may be vulnerable to SQL injection if its value is inserted directly into an SQL query without parameterization or proper sanitization.

lab1-2

By giving the category parameter the value '+OR+1=1--, the product filter can be turned into an injected condition that always evaluates to true, while the comment sequence makes the database disregard whatever follows in the statement.

lab1-3

  • ' - Closes a string prematurely
  • + - URL-encoded space that separates the injected tokens
  • OR - Combines multiple conditions in a WHERE clause
  • 1=1 - Evaluates to true
  • -- - Disregards the rest of the query

LAB 2 - SQL injection vulnerability allowing login bypass

The webshop has a login function that may be worth investigating more closely.

lab2-1

The intercepted POST request submits the credentials as parameters for the application that will check them with an SQL query.

lab2-2

By modifying the parameters, it is possible to make the application disregard the part of the query that would check for a valid password.

lab2-3

The application executed the modified query without error and logged us in as the administrator user.


Mitigation

  1. Use parameterized queries

    • Never concatenate user input into queries
    • Let database drivers handle parameter sanitization
  2. Input validation

    • Validate type, length, format, and range of all inputs
    • Whitelist acceptable characters instead of blacklisting unacceptable ones
  3. Least privilege database accounts

    • Use database accounts with minimal permissions needed for the application
    • Avoid using admin accounts for application connections
  4. Escape special characters

    • Use language/framework-specific escaping functions when parameterized queries are not possible
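The following is an added example, not code from the labs or from PortSwigger: a constructed in-memory SQLite database standing in for the webshop, with the WHERE-clause filter (Lab 1) and the login check (Lab 2) written once with string concatenation and once with parameterized queries (mitigation 1), so the difference in behaviour can be observed directly. Table and column names are assumptions, not the labs' real schema.

```python
import sqlite3

# Constructed in-memory database standing in for the lab webshop (assumed schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Dog Bed', 'Pets', 1), ('Cat Toy', 'Pets', 0),
                                    ('Kettle', 'Kitchen', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-secret'), ('wiener', 'peter');
    """)
    return db

def filter_vulnerable(db, category):
    # String concatenation: the category value becomes part of the SQL text,
    # so a quote closes the string and "--" comments out the released = 1 check.
    sql = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in db.execute(sql)]

def filter_safe(db, category):
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]

def login_vulnerable(db, username, password):
    # Same defect: a username ending in '-- drops the password comparison.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    # Bound parameters: the whole username string is compared literally.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(filter_vulnerable(db, "Pets"))                  # ['Dog Bed']
    print(filter_vulnerable(db, "' OR 1=1--"))            # all rows, unreleased included
    print(filter_safe(db, "' OR 1=1--"))                  # []
    print(login_vulnerable(db, "administrator'--", "x"))  # 'administrator'
    print(login_safe(db, "administrator'--", "x"))        # None
```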