vimwiki/tech/sqli.wiki

2022-02-28 21:00:01 +00:00
= SQLI =
SQLi, or SQL injection, is a type of attack where SQL is placed into an
application input field whose contents are passed directly to a DBMS.
An attack typically works by prematurely terminating a text string and
appending a new command. Because the application may append additional
string fragments to the injected command before it is executed, SQLi attack
strings generally end with a comment marker such as `--`.
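An added example (not part of the original wiki page) showing the string-termination mechanism described above against a constructed in-memory SQLite table: the concatenated query lets a quote plus `--` rewrite the statement, while the parameterized query treats the same value as plain data. The table, its rows and the function names are assumptions made for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo: a tiny users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con

def lookup_vulnerable(con, name):
    # The input is spliced into the SQL text, so a quote inside it closes the
    # string literal early and whatever follows is parsed as SQL.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(query)]

def lookup_parameterized(con, name):
    # Placeholder binding: the value is sent separately from the statement
    # text, so the input cannot change the structure of the query.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]

def demo():
    con = make_db()
    # A value that terminates the string literal early; the trailing `--`
    # comments out the closing quote the application appends afterwards.
    hostile = "x' OR 1=1 --"
    return {
        "benign_vulnerable": lookup_vulnerable(con, "bob"),
        "hostile_vulnerable": lookup_vulnerable(con, hostile),
        "benign_parameterized": lookup_parameterized(con, "bob"),
        "hostile_parameterized": lookup_parameterized(con, hostile),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the hostile value returns every row; with the bound parameter it returns none, because no user is literally named `x' OR 1=1 --`.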
== Typical attack avenues ==
=== user input ===
The attacker crafts text for an input field that is sent to the server and
then passed to a database without first being sanitized.
=== server variables ===
Server variables include HTTP headers, network protocol headers, and environment
variables. Web applications use these for logging usage stats and identifying
browsing trends. If they are stored in a database without sanitization, then
when the data is later queried by some application it can be placed back into a
database request, triggering an attack.
=== Second order injection ===
This occurs when incomplete prevention mechanisms against SQLi attacks are in
place: the attacker provides data to the system that is first processed by the
server as harmless, but which becomes an attack vector after that processing.
=== Cookies ===
When a client returns to a web application server, cookies restore the client's
state. Because the client controls the cookie, an attacker can alter it so that
when the application server builds an SQL query from the cookie's contents,
the structure or function of the query is modified.
=== Physical user input ===
An attacker may construct physical carriers of input outside the realm of web
requests. These include QR codes, RFID tags, and paper forms scanned with
optical character recognition.
== Also see ==
* [[sql]]