SQL Injection notes from portswigger academy.

booker
3 min read · Mar 30, 2022

SQL Injection is a vulnerability that lets an attacker interfere with the SQL queries an application makes to a database.

SQL Injection attacks are divided into three classes:

  • In-Band (Classical)
    - Error based
    - Union Based
  • Inferential (Blind)
    - Boolean (Conditional)
    - Time-based
  • Out-of-Band

In-Band SQL Injection

  • It occurs when an attacker uses the same communication channel both to launch the attack and to gather its results.
  • Retrieved data is shown directly on the application's web page.
  • Two types:
    - Error-based: the attacker forces the database to generate an error, which gives the attacker information with which to refine the injection.
    - Union-based: leverages the UNION SQL operator to combine the results of two queries into a single result set.

Inferential (Blind) SQL Injection

  • There is no actual transfer of data via the web application: we don't see the output of the query. The attack is based on asking true/false questions.
  • It takes longer than In-Band SQL Injection.
  • Two types:
    - Boolean-based SQLi is a blind SQLi technique that uses Boolean conditions to make the application return a different response depending on whether the query evaluates to TRUE or FALSE. [The injection contains a condition that compares some part of the result, and the response shows whether it is TRUE or FALSE.]
    - Time-based SQLi is a blind SQLi technique that relies on the database pausing for a specified amount of time before returning the result, which indicates that the injected SQL was executed. [The injection contains a command to sleep for some time; the delay shows whether the injection was accepted or not.]

Out-of-Band (OAST) SQLi

  • A vulnerability that consists of triggering an out-of-band network connection from the database to a system that you control.
  • Not common.
  • Happens when the database can be made to initiate a network request using protocols such as DNS or HTTP.

Finding SQLi vulnerabilities

Black Box Testing and White Box Testing

In black box testing, it is good to follow these steps:

  • Map the application
  • Fuzz the application:
    - Submit SQL-specific characters (e.g., ') and look for errors and anomalies
    - Submit boolean conditions such as OR 1=1 and OR 1=2 and look for differences in the application's response
    - Submit payloads designed to trigger time delays when executed within a SQL query, and look for discrepancies in the time taken to respond
    - Submit OAST payloads designed to trigger out-of-band network interactions

In white box testing, it is good to follow these steps:

  • Enable web server and database logging to see the effect of our injection
  • Map the application
  • Discover the visible functionality of the application
  • Regex searches across the code base to find code that talks to the database
  • Search for the usage of insecure SQL functions
  • Code review
  • Follow the code path for all input vectors
  • Test any potential SQLi vulnerabilities

Exploiting error-based SQLi

  • Submit SQL-specific characters such as ' or ", and look for errors or other anomalies
  • Different characters can produce different errors, which reveal details about the query and the database

Exploiting Union-based SQLi

Determining if the parameter is expl

  • Union-based SQLi leverages the UNION functionality provided by SQL.
  • Two rules apply when combining the result sets of two queries with UNION:
    - The number and order of the columns must be the same in all queries
    - The data types must be compatible

Exploitation

  • Figure out the number of columns the original query returns
  • Figure out the data types of the columns
  • Use UNION to output information from the database
  • Ways to figure out the number of columns are:
    - Use ORDER BY: the ORDER BY clause can refer to a column by its position, so increasing the index until the database returns an error reveals the column count (the error happens when the index exceeds the number of columns)
    - Use UNION SELECT NULL: increase the number of NULLs until it matches the number of columns the original query returns

Ways to figure out data types of the column:

  • Probe each column in turn to test whether it can hold string data, by submitting a series of UNION SELECT payloads that place a string value into one column at a time (NULL in the others)

Automated Exploitation Tools

  • SQLMap
  • Web Application Vulnerability Scanners (WAVS)

Prevention

  • Primary Defences:
    - Use of prepared statements (parameterized Queries)
    - Use of Stored Procedures (Partial)
    - Use Allowlist Input Validation (Partial)
    - Escaping All User Supplied Inputs (Partial)
  • Additional Defences:
    - Enforcing Least Privilege
    - Performing Allowlist Input Validation as a Secondary Defence
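The concatenated query beside its prepared-statement replacement, as an added example that is not part of the original notes: the products table and its rows are constructed here, the input `Gifts' OR 1=1--` is the boolean probe from the notes, and a lone `'` shows the error-based symptom. Only the vulnerable function lets the input change the query.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (not from the original notes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Lamp", "Gifts", 1), ("Mug", "Gifts", 0), ("Desk", "Furniture", 1)],
    )
    return conn


def products_vulnerable(conn, category):
    # String concatenation: the user input becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = ("SELECT name FROM products WHERE category = '" + category
             + "' AND released = 1")
    return [row[0] for row in conn.execute(query)]


def products_parameterized(conn, category):
    # Prepared statement: the value is bound to the placeholder and is never
    # parsed as SQL, so the same input is just an unmatched category string.
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(query, (category,))]


def run(fn, conn, category):
    # Report the rows returned, or the database error an error-based probe
    # would surface (the notes' "submit ' and look for errors").
    try:
        return ("rows", fn(conn, category))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def compare(category):
    # Same input through both query builders, for side-by-side comparison.
    conn = make_db()
    return (run(products_vulnerable, conn, category),
            run(products_parameterized, conn, category))


if __name__ == "__main__":
    for user_input in ("Gifts", "Gifts' OR 1=1--", "'"):
        print(repr(user_input), "->", compare(user_input))
```

With the probe input the concatenated query returns every row, unreleased ones included, while the parameterized query returns nothing; the lone quote raises a database error only on the vulnerable side.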
