Wednesday, June 11, 2025

Segfault ethical hacking week 9

SQL Injection Point

1. SQL Injection

=> Inserting SQL fragments into a query the application already runs, so that it returns the information you want.
Example query on the DB side: SELECT * FROM member

  • When the SQL query result is displayed on the screen:
     → Use Union-Based SQL Injection

  • When SQL error messages are shown:
     → Use Error-Based SQL Injection

  • When neither query results nor error messages are shown:
     → Use Blind SQL Injection: it relies on a difference in the response between true and false conditions.
     It works in most situations where the above two don't apply.
     (Currently, this method feels too slow for me to use efficiently.)

The key is executing the specific SELECT query you need. Know what you want to run.


Finding SQL Injection Points

Look for areas where SQL queries are used by the database:

  • For example, when the query uses a WHERE user_id LIKE '%____%' clause
     Try:
     nor %' and '1%'='1
     This inserts an always-true condition using AND, so the row filter stays unchanged.

Check whether the result changes between:

  • AND '1'='1' (true condition)

  • AND '1'='2' (false condition)

If the result differs → SQLi is likely possible.

Use Burp Suite to inspect parameters, headers, and other request data.


2. When Finding SQL Injection Points:

  • Focus on places where data is retrieved from the DB.

  • Think about how SQL queries are used in the Web Server.

Examples:

  • INSERT INTO table VALUES (...) during Sign-up

  • SELECT statements used in MyPage, like:
    WHERE userid = '_____'
     → Usually, the server inserts a stored value here.

Test case:

Try:

  • sfUser' and '1'='1

  • sfUser' and '1'='2

If the result differs → SQLi is possible → You may be able to extract all data.

You can extract data using:

  • Parameters

  • Cookies

  • User-Agent, etc.

SQLi is not limited to text input fields.


Understand How SQL Works

  • Always consider how the server-side logic might use SQL.

  • Cookies can also be injection points.

Example: A bulletin board displaying posts:

  • Option parameter:
    option=title, value=test, result=...

  • The query might look like:
    WHERE title LIKE '%test%'

Test:

  • test% and '1%'='1 → (fails)

Try injecting in the column name:

  • order by title → Try injecting SELECT inside this to test conditions.

If "true" returns content and "false" does not → Vulnerability confirmed.

Avoid using # for comments unless absolutely necessary.


Advanced Points

  • SQLi is possible in:
     1. Cookies
     2. Column names
     3. ORDER BY clauses

Case When syntax (SQL equivalent of if):

    CASE WHEN (condition) THEN (true value) ELSE (false value) END

Example:

    CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END

Use in sort parameter:

    sort = (SELECT 1 UNION SELECT 2 WHERE (1=2))

  • Results in a multi-row (matrix) output where a single value is expected.

  • If the condition is false → No output → Good test case.

To trigger errors (for error-based detection), try:

    sfUser' AND (SELECT 1 UNION SELECT 2 WHERE (1=2)) AND '1'='1



SQL Injection Mitigation

1. Prepared Statements

  • Pre-compiles the SQL query with placeholders for the values:

    SELECT ... WHERE id = ?

  • Originally designed to improve performance, but now widely used for SQLi prevention: a bound value is always treated as data and is never parsed as part of the query.

Common mistakes:

  • Not using prepared statements properly, e.g. still concatenating the input into the query string:

    WHERE id = 'user_input'

Placeholders bind values only, not identifiers, so prepared statements cannot be used for:

  • ORDER BY columns, table names, column names

Always inspect for:

  • sort, ord, or other parameters that end up as dynamically inserted SQL identifiers.


2. Whitelist Filtering

  • Whitelist filtering: Only allow a fixed set of known-safe values, such as the column names a sort parameter may take (preferred).

  • Blacklist filtering: Block known dangerous keywords (less secure, since the list is never complete).
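The two mitigations above, as an added example that is not from the original post or the course: a Python sqlite3 script with a constructed member table, a vulnerable string-concatenated lookup beside its prepared-statement version, and a whitelisted ORDER BY for the sort parameter (the identifier case a placeholder cannot cover). It also runs the true/false differential test from the earlier sections (sfUser' and '1'='1 versus sfUser' and '1'='2) against both lookups, so you can see why the result differs only for the vulnerable one. The table name, column names and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data (not from the original post).
ROWS = [
    ("sfUser", "sfuser@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build an in-memory member table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (userid TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, userid):
    # String concatenation: the request value becomes part of the SQL text,
    # so a quote in the input changes the query structure.
    sql = f"SELECT userid, email FROM member WHERE userid = '{userid}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, userid):
    # Prepared statement: '?' is bound as data and never parsed as SQL,
    # so the whole string (quotes included) is compared against userid.
    sql = "SELECT userid, email FROM member WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


# Whitelist for identifiers: the request value is only a key into this map,
# and the SQL text is built from the map's fixed values.
ALLOWED_SORT = {"userid": "userid", "email": "email"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def safe_list(conn, sort, direction="asc"):
    """List members sorted by a request-chosen column, via whitelist lookup."""
    try:
        col = ALLOWED_SORT[sort]
        dirn = ALLOWED_DIR[direction.lower()]
    except KeyError:
        # Anything outside the fixed set (including a subquery) is rejected
        # before it can reach the ORDER BY clause.
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    sql = f"SELECT userid, email FROM member ORDER BY {col} {dirn}"
    return conn.execute(sql).fetchall()


def differential_test(lookup):
    """Run the true/false pair against a lookup and return both result sets.

    For a vulnerable lookup the two differ (first has a row, second is empty);
    for the prepared-statement lookup both are empty, because no userid equals
    the literal injected string.
    """
    conn = make_db()
    true_rows = lookup(conn, "sfUser' and '1'='1")
    false_rows = lookup(conn, "sfUser' and '1'='2")
    return true_rows, false_rows


if __name__ == "__main__":
    print("vulnerable:", differential_test(vulnerable_lookup))
    print("prepared:  ", differential_test(safe_lookup))
    conn = make_db()
    print("sorted:    ", safe_list(conn, "userid", "desc"))
    try:
        safe_list(conn, "(SELECT 1 UNION SELECT 2 WHERE (1=2))")
    except ValueError as exc:
        print("rejected:  ", exc)
```

The point of the whitelist is that the request value is never copied into the query at all: it selects one of the server's own column names, so the attacker's string, whatever it contains, cannot reach the ORDER BY clause.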



CTF


1. 
