Life Hacker: Segfault ethical hacking week 8

SQL Injection = Extracting data using SQL flaws

1. Types of SQL Injection

1.1 UNION-based SQLi

Used when query results are displayed on the screen.

Attacker injects a `UNION SELECT` to retrieve additional data.

1.2 Error-Based SQLi

Used when SQL errors are shown on the page.

Errors are triggered intentionally to extract database information.

1.3 Blind SQLi

Works when the application does not display query results or errors.

The attacker relies on behavioral differences (like page content or response time).

Depending on the situation, one of the three methods is chosen.

2. The Goal of SQL Injection

To execute your own SELECT queries on the server and extract sensitive data.

3. How to Identify SQL Injection Points

Step-by-step:

Find inputs that are sent to the server (text fields, cookies, headers, etc.)
Test with a payload like:
```
' AND '1'='1
' AND '1'='2
```
- If the results differ: the input is vulnerable.
- If results are identical: test further using variations.

Check parameters in:

Form fields
URL query strings
HTTP headers (e.g. User-Agent)
Cookies

Always consider how the server constructs its SQL queries.
Don't inject blindly — think about the query logic first.

4. Real-world Injection Examples

Cookie-based Injection Example

A forum post listing shows:


SELECT * FROM posts WHERE title LIKE '%sfUser%'

Test with:


' AND '1'='1  --> Returns normal results
' AND '1'='2  --> Returns nothing

Result differs → SQLi confirmed.

Column Name Injection


ORDER BY 1
ORDER BY 2
...

Use this to guess how many columns exist.

You can also inject:


CASE WHEN (1=1) THEN column1 ELSE column2 END

Or even:


SELECT 1 UNION SELECT 2

To trigger an error or test visibility of injected data.

5. SQLi via ORDER BY clause

Some parameters may be used in `ORDER BY` clauses, allowing injection if not sanitized properly.

6. SQL Injection Prevention Methods

6.1 Prepared Statements

Use placeholders (e.g., ?) to pre-compile SQL queries.
Protects against injection by separating data from code.


SELECT * FROM users WHERE id = ?

Note:

Can't always be used with ORDER BY, table names, or column names.

6.2 Whitelisting (Allow-List Filtering)

Only allow approved input values.

Safer than blacklisting forbidden characters or words.

7. SQL Injection Cheat Sheet Summary

1. UNION-based SQLi

Combine queries using UNION.
Determine number of columns using ORDER BY.
Match data types before injecting.

Example:

sql

' UNION SELECT username, password FROM users--

2. Error-Based SQLi

Trigger type or logic errors to reveal system details.
Works only if DB error messages are shown to the user.

Example:


' AND 1=CONVERT(int, (SELECT TOP 1 name FROM sys.tables))--

3. Blind SQLi

A. Boolean-based Blind SQLi

Observe content changes on the page.

Example:


' AND 1=1--  → Page loads normally  
' AND 1=2--  → Page is empty or shows error

B. Time-based Blind SQLi

Inject SLEEP() or WAITFOR DELAY to observe response time.

Example:


' AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)--

2025년 6월 9일 월요일

Segfault ethical hacking week 8

SQL Injection = Extracting data using SQL flaws

1. Types of SQL Injection

1.1 UNION-based SQLi

Used when query results are displayed on the screen. Attacker injects a UNION SELECT to retrieve additional data.

1.2 Error-Based SQLi

Used when SQL errors are shown on the page. Errors are triggered intentionally to extract database information.

1.3 Blind SQLi

Works when the application does not display query results or errors. The attacker relies on behavioral differences (like page content or response time). Depending on the situation, one of the three methods is chosen.

2. The Goal of SQL Injection

To execute your own SELECT queries on the server and extract sensitive data.

3. How to Identify SQL Injection Points

Step-by-step:

4. Real-world Injection Examples

Cookie-based Injection Example

A forum post listing shows: SELECT * FROM posts WHERE title LIKE '%sfUser%' Test with: ' AND '1'='1 --> Returns normal results ' AND '1'='2 --> Returns nothing Result differs → SQLi confirmed.

Column Name Injection

ORDER BY 1 ORDER BY 2 ... Use this to guess how many columns exist. You can also inject: CASE WHEN (1=1) THEN column1 ELSE column2 END Or even: SELECT 1 UNION SELECT 2 To trigger an error or test visibility of injected data.

5. SQLi via ORDER BY clause

Some parameters may be used in ORDER BY clauses, allowing injection if not sanitized properly.

6. SQL Injection Prevention Methods

6.1 Prepared Statements

Use placeholders (e.g., ?) to pre-compile SQL queries. Protects against injection by separating data from code. SELECT * FROM users WHERE id = ? Note: Can't always be used with ORDER BY, table names, or column names.

6.2 Whitelisting (Allow-List Filtering)

Only allow approved input values. Safer than blacklisting forbidden characters or words.

7. SQL Injection Cheat Sheet Summary

1. UNION-based SQLi

Combine queries using UNION. Determine number of columns using ORDER BY. Match data types before injecting. Example: sql' UNION SELECT username, password FROM users--

2. Error-Based SQLi

Trigger type or logic errors to reveal system details. Works only if DB error messages are shown to the user. Example:' AND 1=CONVERT(int, (SELECT TOP 1 name FROM sys.tables))--

3. Blind SQLi

A. Boolean-based Blind SQLi

Observe content changes on the page. Example:' AND 1=1-- → Page loads normally ' AND 1=2-- → Page is empty or shows error

B. Time-based Blind SQLi

Inject SLEEP() or WAITFOR DELAY to observe response time. Example:' AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)--

댓글 없음:

댓글 쓰기

Segfault ethical hacking week 16

Used when query results are displayed on the screen.

Attacker injects a `UNION SELECT` to retrieve additional data.

Used when SQL errors are shown on the page.

Errors are triggered intentionally to extract database information.

Works when the application does not display query results or errors.

The attacker relies on behavioral differences (like page content or response time).

Depending on the situation, one of the three methods is chosen.

A forum post listing shows:

`SELECT * FROM posts WHERE title LIKE '%sfUser%'`

Test with:

`' AND '1'='1 --> Returns normal results ' AND '1'='2 --> Returns nothing`

Result differs → SQLi confirmed.

`ORDER BY 1 ORDER BY 2 ...`

Use this to guess how many columns exist.

You can also inject:

`CASE WHEN (1=1) THEN column1 ELSE column2 END`

Or even:

`SELECT 1 UNION SELECT 2`

To trigger an error or test visibility of injected data.

Some parameters may be used in `ORDER BY` clauses, allowing injection if not sanitized properly.

Use placeholders (e.g., `?`) to pre-compile SQL queries.

Protects against injection by separating data from code.

`SELECT * FROM users WHERE id = ?`

Note:

Can't always be used with `ORDER BY`, table names, or column names.

Only allow approved input values.

Safer than blacklisting forbidden characters or words.

Combine queries using `UNION`.

Determine number of columns using `ORDER BY`.

Match data types before injecting.

Example:

sql

`' UNION SELECT username, password FROM users--`

Trigger type or logic errors to reveal system details.

Works only if DB error messages are shown to the user.

Example:

`' AND 1=CONVERT(int, (SELECT TOP 1 name FROM sys.tables))--`

Observe content changes on the page.

Example:

`' AND 1=1-- → Page loads normally ' AND 1=2-- → Page is empty or shows error`

Inject `SLEEP()` or `WAITFOR DELAY` to observe response time.

Example:

`' AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)--`