2022-02-28 21:00:01 +00:00
|
|
|
= SQLI =
|
|
|
|
|
|
|
|
SQLI or SQL injection is a type of attack where sql is placed into a field in
|
|
|
|
an application, as is directly passed to a DBMS.
|
|
|
|
|
|
|
|
An attack typically works by prematurely terminating a text string and
|
|
|
|
appending a new command. Because the inserted command may have additional
|
|
|
|
strings appended to it before it is executed, SQLI attack string generally end
|
|
|
|
with a comment or `--`.
|
2022-02-28 21:15:01 +00:00
|
|
|
|
2022-03-08 18:15:01 +00:00
|
|
|
== Typical attack avenues ==
|
|
|
|
|
|
|
|
=== user input ===
|
|
|
|
|
|
|
|
Attacker crafts some input field text to send to server, that is then passed to
|
|
|
|
a database without first being sanatized.
|
|
|
|
|
|
|
|
=== server variables ===
|
|
|
|
|
|
|
|
Server varaibles include HTTP headers, network protocol headers, and enviroment
|
|
|
|
variables. Web applications use these for logging usage stats and IDing browsing
|
|
|
|
trends. If put in a database without sanitiztation, when the data is later
|
|
|
|
queried by some application, it could be placed back into a database request,
|
|
|
|
triggering an attack.
|
|
|
|
|
|
|
|
=== Second order injection ===
|
|
|
|
|
|
|
|
This occours when incomplete prevention mechanisms against SQLi attacks are in
|
|
|
|
place. This happens when the attacker provides some data to the system that is
|
|
|
|
first processed by the server, but after processing becomes an attack vector.
|
|
|
|
|
|
|
|
=== Cookies ===
|
|
|
|
|
|
|
|
When client returns to a web application server, cookies restore client state.
|
|
|
|
Because client can control the cookie, attacker can alter cookies such that
|
|
|
|
when the pplication server builds an SQL Query based on the cookies content,
|
|
|
|
the structure/function of query is modified.
|
|
|
|
|
|
|
|
=== Physical user input ===
|
|
|
|
|
|
|
|
Attacker may construct physical things outside of the realm of web requests.
|
|
|
|
This includes QR codes, RFID tags, or paper forms scanned with optical
|
|
|
|
character recognition.
|
|
|
|
|
2022-02-28 21:15:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
== Also see ==
|
|
|
|
|
2022-03-08 18:15:01 +00:00
|
|
|
* [[sql]]
|