SQL Injection Identification


  • Spotting Potential Injection Points
    What to Look For: Injection points are places where an application takes input from the user or another source and uses it to construct an SQL query. Common points include:
      • User inputs in forms (login forms, search boxes, etc.)
      • URL parameters
      • HTTP headers
      • Cookies
    Example: Consider a URL like http://example.com/product?id=1. If the 'id' parameter is placed directly into an SQL query, it is a potential injection point.

  • Crafting Injection Payloads
    What to Do: Create payloads that alter the SQL query's logic when inserted into the application. These payloads might aim to:
      • Reveal database information
      • Bypass authentication
      • Modify database data
    Example: To test the URL mentioned above, a tester might modify it to http://example.com/product?id=1' OR '1'='1. If this results in different behavior (such as displaying more products than expected), the parameter is likely vulnerable.

  • Error-Based Injection
    What to Look For: Malformed SQL queries can cause the database to generate error messages. These messages can reveal details of the database structure or prove that the injection reached the query.
    Example: Injecting http://example.com/product?id=1' may produce an error message indicating a syntax error in the SQL query, confirming that the parameter is used unescaped and is an injection point.
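To make the two observations above (the behavior change from the ' OR '1'='1 payload, and the syntax error from a lone quote) concrete, here is an added example that is not part of the original notes. It uses Python's sqlite3 module against a constructed three-row product table; the table, column names and function names are assumptions. The same lookup is written once with string concatenation (the injection point) and once with a bound parameter (the fix), so both responses can be compared side by side.

```python
import sqlite3

# Constructed in-memory catalogue so the example runs offline (assumed schema).
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO product VALUES (1, 'widget'), (2, 'gadget'), (3, 'gizmo');
""")


def lookup_vulnerable(product_id: str) -> list:
    """The injection point: the 'id' parameter is concatenated into the SQL
    text, so quotes and keywords in the value become part of the query."""
    sql = "SELECT id, name FROM product WHERE id = '" + product_id + "'"
    return CONN.execute(sql).fetchall()


def lookup_safe(product_id: str) -> list:
    """The fix: a bound parameter travels separately from the SQL text, so the
    value is only ever compared against the column and cannot alter the logic."""
    sql = "SELECT id, name FROM product WHERE id = ?"
    return CONN.execute(sql, (product_id,)).fetchall()


def observe(lookup, product_id: str) -> str:
    """Summarise what a tester would see for one request: how many rows came
    back, or 'error' when the database rejected the query outright."""
    try:
        return f"{len(lookup(product_id))} rows"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    for value in ("1", "1' OR '1'='1", "1'"):
        print(f"id={value!r:18} concatenated: {observe(lookup_vulnerable, value):8}"
              f" parameterised: {observe(lookup_safe, value)}")
```

The concatenated version answers the benign request with one row, the payload with all three rows and the lone quote with an error, while the parameterised version returns one row, no rows and no rows: the same three requests a tester sends, and the differing responses that mark the first version as vulnerable.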

  • Blind/Inference-Based Injection
    What to Do: When the application does not display errors, you can still infer information by sending requests that make the application's behavior change depending on whether the injected condition is true or false.
    Example: Request http://example.com/product?id=1 AND 1=1 and then http://example.com/product?id=1 AND 1=2. If the two responses differ, the application is likely vulnerable.

  • Union-Based Injection
    What to Do: Use the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, so that rows from another table are returned alongside the original query's rows.
    Example: If the original query is SELECT column FROM table WHERE id = 1, an injection such as http://example.com/product?id=1 UNION SELECT username, password FROM users attempts to retrieve user credentials through the same page.

  • Boolean-Based Blind SQL Injection
    What to Do: Craft queries that change the application's response depending on whether an injected condition is true or false.
    Example: Changing the request to http://example.com/product?id=1 AND LENGTH(database()) > 10 helps determine the length of the database name from how the application responds (database() is the MySQL function for the current schema name).

  • Time-Based Blind SQL Injection
    What to Do: Inject SQL statements that make the database wait for a specified amount of time before responding. The difference in response time indicates whether the injected condition was true or false.
    Example: Injecting http://example.com/product?id=1; WAITFOR DELAY '0:0:5'-- (Microsoft SQL Server syntax) indicates a vulnerability if the response is delayed by about 5 seconds.