Advanced SQL Injection

Core Types of SQL Injection

  • In-band SQL Injection:
    • Error-Based: Manipulate queries to produce error messages revealing database info (e.g., SELECT * FROM users WHERE id = 1 AND 1=CONVERT(int, (SELECT @@version))).
    • Union-Based: Use UNION to combine results from multiple SELECT statements (e.g., SELECT name, email FROM users WHERE id = 1 UNION ALL SELECT username, password FROM admin).
  • Inferential (Blind) SQL Injection:
    • Boolean-Based: Send queries that force the application to return different results based on true/false conditions (e.g., SELECT * FROM users WHERE id = 1 AND 1=1 vs. SELECT * FROM users WHERE id = 1 AND 1=2).
    • Time-Based: Send queries that delay responses based on true/false conditions (e.g., SELECT * FROM users WHERE id = 1; IF (1=1) WAITFOR DELAY '00:00:05'--).
  • Out-of-band SQL Injection:
    • Used when the same channel can't be used for attack and data retrieval.
    • Relies on the database server making out-of-band requests (e.g., HTTP, DNS) to send data to the attacker.

Second-Order SQL Injection

  • Exploits vulnerabilities where user input is stored and later used in a different context.
  • Bypasses front-end defences because the stored input looks harmless at submission time; the query only breaks when that value is reused later.
  • Example: Injecting malicious code into a book name field, which is later used in an update query.

Filter Evasion Techniques

  • Character Encoding:
    • URL Encoding: %27%20OR%201%3D1--
    • Hexadecimal Encoding: 0x61646d696e
    • Unicode Encoding: \u0061\u0064\u006d\u0069\u006e
  • No-Quote SQL Injection:
    • Using numerical values: OR 1=1
    • Using SQL comments: admin--
    • Using CONCAT() function: CONCAT(0x61, 0x64, 0x6d, 0x69, 0x6e)
  • No Spaces Allowed:
    • Comments to replace spaces: SELECT/**/*/**/FROM/**/users
    • Tab or newline characters: SELECT\t*\tFROM\tusers
    • Alternate characters: %09, %0A, %0C, %0D, %A0

Out-of-band (OOB) SQL Injection

  • Used when traditional methods are ineffective or direct responses are restricted.
  • Leverages features like HTTP requests, DNS queries, or SMB protocol to exfiltrate data.
  • Stealthier than in-band techniques, and often more reliable, because the data leaves over a separate channel (DNS, HTTP) rather than in the application response, so response-level filtering never sees it.
  • Techniques vary across databases (MySQL, MSSQL, Oracle).
  • Examples:
    • MySQL/MariaDB: SELECT ... INTO OUTFILE, LOAD_FILE()
    • MSSQL: xp_cmdshell, OPENROWSET, BULK INSERT
    • Oracle: UTL_HTTP, UTL_FILE

Advanced SQL Injection Techniques

  • HTTP Header Injection: Manipulating headers like User-Agent to inject SQL commands.
  • Exploiting Stored Procedures: Injecting malicious code into stored procedure parameters.
  • XML and JSON Injection: Injecting malicious data into XML or JSON structures used in SQL queries.

Automation of SQL Injection

  • Tools: SQLMap, SQLNinja, BBQSQL
  • Challenges: Dynamic queries, variety of injection points, security measures, context-specific detection.

Best Practices

  • Secure Coders:
    • Parameterised queries and prepared statements.
    • Input validation and sanitisation.
    • Least privilege principle.
    • Stored procedures (only if they do not build dynamic SQL internally; see "Exploiting Stored Procedures" above).
    • Regular security audits and code reviews.
  • Pentesters:
    • Exploiting database-specific features.
    • Leveraging error messages.
    • Bypassing WAF and filters.
    • Database fingerprinting.
    • Pivoting with SQL injection.
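To tie the Second-Order SQL Injection notes to the "parameterised queries" best practice, here is an added example (not part of the original notes) using Python's sqlite3 module and a constructed in-memory `books` table. It shows a book title stored safely with a parameterised INSERT, then reused in a later UPDATE: once with string building (vulnerable), once with a bound parameter (fixed). The payload reuses the `OR 1=1` and `--` tricks listed above.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed in-memory inventory table used for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, stock INTEGER)")
    conn.executemany("INSERT INTO books (title, stock) VALUES (?, ?)",
                     [("Alpha", 10), ("Beta", 20), ("Gamma", 30)])
    return conn


def add_book(conn: sqlite3.Connection, title: str) -> int:
    """Step 1: the title is stored with a parameterised INSERT, so nothing
    looks wrong at submission time (this is what defeats front-end checks)."""
    cur = conn.execute("INSERT INTO books (title, stock) VALUES (?, 0)", (title,))
    return cur.lastrowid


def restock_vulnerable(conn: sqlite3.Connection, book_id: int, qty: int) -> int:
    """Step 2 (vulnerable): the stored title is treated as trusted and spliced
    into a string-built UPDATE; a crafted title rewrites the WHERE clause."""
    title = conn.execute("SELECT title FROM books WHERE id = ?", (book_id,)).fetchone()[0]
    sql = f"UPDATE books SET stock = stock + {int(qty)} WHERE title = '{title}'"
    return conn.execute(sql).rowcount


def restock_fixed(conn: sqlite3.Connection, book_id: int, qty: int) -> int:
    """Step 2 (fixed): identical logic, but the title is bound as a parameter
    even though it came from our own database rather than from the request."""
    title = conn.execute("SELECT title FROM books WHERE id = ?", (book_id,)).fetchone()[0]
    return conn.execute("UPDATE books SET stock = stock + ? WHERE title = ?",
                        (qty, title)).rowcount


def rows_affected(title: str) -> dict:
    """Rows modified by each restock variant after storing `title` as a new book."""
    results = {}
    for name, restock in (("vulnerable", restock_vulnerable), ("fixed", restock_fixed)):
        conn = setup()
        results[name] = restock(conn, add_book(conn, title), 5)
        conn.close()
    return results


if __name__ == "__main__":
    # Constructed payload reusing the OR 1=1 / -- tricks from the notes above.
    print(rows_affected("Delta' OR 1=1--"))   # {'vulnerable': 4, 'fixed': 1}
    print(rows_affected("Delta"))             # {'vulnerable': 1, 'fixed': 1}
```

The point for reviewers: parameterise every query that touches stored data, not just the one that receives user input, because a value that was safe to store is not automatically safe to splice into SQL later.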