# Requirements

Study the SQL Injection vulnerability (concept, attack types, illustrative examples) and complete 2 labs for each attack type. For the blind injection types, write the corresponding exploitation script and find a way to optimise the attack as far as possible (least time, fewest iterations).

- [x] Concept
- [x] Attack types and examples
- [x] 2 labs per type
- [x] Blind injection: write a script -> optimise the attack

---

[ToC]

# What is SQL Injection?

A structured query language (SQL) injection is a vulnerability where malicious SQL statements are placed inside entry fields that reach backend databases, either deliberately or inadvertently, which facilitates attacks on data-driven applications.

![](https://hackmd.io/_uploads/Hk7ce5gT3.png)

:::info
:bulb: **SQLi** is a commonly used attack vector in which *a malicious SQL script is utilized to manipulate back-end databases to obtain data that was not meant to be exposed*
:::

# Types of SQL Injections

![](https://hackmd.io/_uploads/rkhJS5gp3.png)

## In-band SQLi (Classic SQLi)

In-band SQL Injection is the most common and easiest-to-exploit type of SQL injection attack.
:::info
:bulb: **In-band SQL Injection** occurs when an attacker is able to use the same communication channel to both launch the attack and gather results
:::

#### [Detecting SQL injection vulnerabilities](https://hackmd.io/AHoU_W5STpGIUYxv2vWATA)

:::info
:bulb: SQL injection can be detected manually by using a systematic set of tests against **every entry point** in the application
:::

This typically involves:

- Submitting the **single quote character `'`** and looking for errors or other anomalies
- Submitting some **SQL-specific syntax** that *evaluates to the base* (original) value, and to a different value, and *looking for systematic differences* in the resulting application responses
- Submitting **Boolean conditions such as `OR 1=1` and `OR 1=2`**, and looking for differences in the application's responses
- Submitting **payloads designed to trigger time delays** when executed within a SQL query, and looking for differences in the time taken to respond
- Submitting OAST payloads designed to trigger an out-of-band

#### [Examining the database in SQL injection attacks](https://hackmd.io/TZu-bBKaTvGwHeXokxYtVw)

:::info
:bulb: Some core features of the SQL language are implemented in the same way across popular database platforms, and so many ways of detecting and exploiting SQL injection vulnerabilities work identically on different types of database. However, there are also many differences between common databases. **This means that some techniques for detecting and exploiting SQL injection work differently on different platforms**.
:::

For example:

- Syntax for string concatenation
- Comments
- Batched (or stacked) queries
- Platform-specific APIs
- Error messages

:::success
:point_right: [SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
:::

### [Union-based SQLi](https://hackmd.io/@W8hH7NRgT8-m1aWaJJjIoA/S1mTYCsFn)

:::info
:thinking_face: When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses
:bulb: the **UNION** keyword can be used to retrieve data from other tables within the database.
:::

The **UNION** keyword lets you execute one or more additional **SELECT** queries and append the results to the original query. For example:

```sql
SELECT a, b FROM table1
UNION
SELECT c, d FROM table2
```

This SQL query will return a single result set with two columns, containing values from columns `a` and `b` in `table1` and columns `c` and `d` in `table2`.

For a `UNION` query to work, two key requirements must be met:

- The individual queries must return the same number of columns
- The data types in each column must be compatible between the individual queries

To carry out a SQL injection UNION attack, you need to ensure that your attack meets these two requirements. This generally involves figuring out:

- How many columns are being returned from the original query?
- Which columns returned from the original query are of a suitable data type to hold the results from the injected query?

### [Error-based SQLi](https://hackmd.io/@W8hH7NRgT8-m1aWaJJjIoA/ry_468v22)

:::info
:bulb: Misconfiguration of the database sometimes results in verbose error messages. These can provide information that may be useful to an attacker
:::

## [Blind SQLi](https://hackmd.io/@W8hH7NRgT8-m1aWaJJjIoA/BkI4namq3)

:::info
:bulb: Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.
:::

### Boolean-based (content-based) Blind SQLi

This technique relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change or remain the same.

### Time-based Blind SQLi

This technique relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately.

## [Out-of-band SQLi](https://hackmd.io/@W8hH7NRgT8-m1aWaJJjIoA/Hk977h7c2)

Out-of-band SQLi occurs when an attacker is unable to use the same channel to launch the attack and gather results. This technique is used to exploit vulnerabilities in web applications that allow an attacker to extract data from a database indirectly, without receiving the results of the SQL query directly within the response of the web application.
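The Boolean (`OR 1=1` / `OR 1=2`) and `UNION` probes from the detection checklist and the Union-based section above, run against a string-concatenated category filter and against its parameterised replacement, as an added Python/sqlite3 example that is not part of the original note. The `products` and `users` tables, their rows and the `released` column are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory schema, loosely modelled on a product-category filter.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug',    'Gifts', 1);
        INSERT INTO products VALUES ('Lamp',   'Home',  1);
        INSERT INTO products VALUES ('Secret', 'Gifts', 0);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-value');
    """)
    return conn

def filter_vulnerable(conn, category):
    # String concatenation: the input becomes part of the SQL grammar.
    sql = ("SELECT name, category FROM products "
           f"WHERE category = '{category}' AND released = 1")
    return conn.execute(sql).fetchall()

def filter_safe(conn, category):
    # Parameterised query: the input is bound as data and never parsed as SQL.
    sql = ("SELECT name, category FROM products "
           "WHERE category = ? AND released = 1")
    return conn.execute(sql, (category,)).fetchall()

# Probe inputs. The trailing "--" comments out the rest of the original
# query, which is why even the "false" probe drops the released = 1 filter.
PROBES = {
    "base":  "Gifts",
    "true":  "Gifts' OR 1=1--",
    "false": "Gifts' OR 1=2--",
    "union": "Gifts' UNION SELECT username, password FROM users--",
}

def run_probes(fn, conn):
    # Returns {probe name: row count}; a database error is recorded as -1,
    # since an error on a single quote is itself a detection signal.
    counts = {}
    for name, value in PROBES.items():
        try:
            counts[name] = len(fn(conn, value))
        except sqlite3.Error:
            counts[name] = -1
    return counts

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_probes(filter_vulnerable, db))
    print("safe:      ", run_probes(filter_safe, db))
```

The concatenated filter returns a different row count for each probe (the systematic difference the checklist looks for), while the parameterised filter returns the base result only for the genuine category and zero rows for every injected value.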