vimwiki/tech/sqli.wiki

72 lines
2.3 KiB
Plaintext

= SQLI =
SQLI or SQL injection is a type of attack where sql is placed into a field in
an application, as is directly passed to a DBMS.
An attack typically works by prematurely terminating a text string and
appending a new command. Because the inserted command may have additional
strings appended to it before it is executed, SQLI attack string generally end
with a comment or `--`.
== Typical attack avenues ==
=== user input ===
Attacker crafts some input field text to send to server, that is then passed to
a database without first being sanatized.
=== server variables ===
Server varaibles include HTTP headers, network protocol headers, and enviroment
variables. Web applications use these for logging usage stats and IDing browsing
trends. If put in a database without sanitiztation, when the data is later
queried by some application, it could be placed back into a database request,
triggering an attack.
=== Second order injection ===
This occours when incomplete prevention mechanisms against SQLi attacks are in
place. This happens when the attacker provides some data to the system that is
first processed by the server, but after processing becomes an attack vector.
=== Cookies ===
When client returns to a web application server, cookies restore client state.
Because client can control the cookie, attacker can alter cookies such that
when the pplication server builds an SQL Query based on the cookies content,
the structure/function of query is modified.
=== Physical user input ===
Attacker may construct physical things outside of the realm of web requests.
This includes QR codes, RFID tags, or paper forms scanned with optical
character recognition.
== Inband attacks ==
Inband attacks use the same communication channel for injecting SQL as for
retreiving it.
=== tautology ===
Consider the PHP code example
{{{
$query = "SELECT info FROM user WHERE name='$_GET["name"]' AND pwd='$_GET["pwd"]'"
}}}
If the attacker submits `" ' OR 1=1 --` for the `name` field, the resulting
query would be
`SELECT info FROM user WHERE name=' ' OR 1=1 --AND pwd='$_GET["pwd"]'`
This would disable the password check, and return all rows to the application.
=== Piggybacked queries ===
Attacker can send another query after the intended query, allowing them to
extract more information.
== Also see ==
* [[sql]]