Welcome back, my aspiring cyberwarriors!
According to the Open Web Application Security Project (OWASP), injection (including command injection and SQL injection) is perennially one of the most serious and most frequent attack classes against web applications. In addition, these attacks usually cause serious financial damage to companies and other institutions, because they target the database, the repository of so much valuable information such as credit card numbers and personally identifiable information (PII).
OWASP Top 10
Although there are numerous attack vectors against databases, the most common is SQL injection, in which SQL commands are sent from the web form to the backend database.
If these SQL commands are not sanitized at the client level (browser), they can reach the database and wreak havoc, including:
Exfiltrate data
Delete data
Add data
Update data
When testing for SQL injection vulnerabilities, these are some of the most common commands and special characters. The better you understand SQL, the more successful you will be with SQL injection.
Quotes
Single quote ('): Frequently used to terminate string literals.
Double quote ("): Can also be used to terminate string literals in some databases.
Comment sequences:
Double dash (--): This is an SQL comment and can be used to nullify the rest of a query.
Hash (#): In MySQL, it's an alternate way to comment out the rest of the query.
Slash-asterisk (/* ... */): Multiline comment. Can be used to comment out parts or all of a query.
Operators and commands:
Semicolon (;): Represents the end of one query and the start of another.
Logical operators: AND, OR.
Control functions: UNION, UNION ALL.
Boolean values
TRUE or 1=1: Always evaluates to true and can be used to manipulate WHERE clauses.
FALSE or 1=0: Always evaluates to false.
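As an added example (not part of the original post), the following Python script builds a small SQLite database and shows what the single quote, the -- comment sequence and the 1=1 tautology listed above do when form input is concatenated straight into a query string: a login check that should match one user matches every row. The same input bound through a parameterized query, the standard server-side defense, is treated as a literal value and matches nothing. The table, user names and passwords are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: whatever the form sends is parsed as SQL.

    With username = "' OR 1=1 --" the query becomes
      SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    The quote closes the string literal, OR 1=1 makes the WHERE clause always true,
    and -- comments out the password check entirely.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the input as a value, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable, normal login :", login_vulnerable(db, "alice", "alice-pw"))
    print("vulnerable, tautology    :", login_vulnerable(db, payload, "x"))
    print("parameterized, tautology :", login_parameterized(db, payload, "x"))
```

The vulnerable function returns all three users for the tautology input; the parameterized function returns an empty list because no user is literally named "' OR 1=1 --". Note that the defense lives on the server, in how the query is built; the browser never sees it.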
Time-delay functions
SLEEP(x): In MySQL, causes a delay for x seconds.
WAITFOR DELAY 'hh:mm:ss': In SQL Server, causes a delay.
pg_sleep(x): In PostgreSQL, causes a delay for x seconds.
Information retrieval
@@version: Retrieves the database version (works in many databases).
CURRENT_USER: Retrieves the current user.
Hex encoding
Attackers might encode their payloads in hexadecimal to bypass naive filters.
Wildcards
Percent sign (%): Represents zero or more characters in SQL LIKE clauses. This was used in the recent MOVEit attack by Cl0p.
Special functions
CONCAT(): Used to concatenate strings in SQL.
CAST(), CONVERT(): Used for type conversion.
ASCII(), CHAR(): Functions to get ASCII values or characters, can be used in blind SQLi.
Subselects and metadata queries
SELECT ... FROM information_schema.tables: Used in databases like MySQL and PostgreSQL to gather metadata about tables.
SELECT ... FROM sysobjects ...: Used in SQL Server to gather metadata.
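The indicators listed above are also what a defender looks for in web server logs. The following Python script is an added example, not part of the original post: it parses constructed access-log lines, URL-decodes each query parameter (repeatedly, so double-encoded values are normalized), and scores the request against weighted patterns built from the post's own list (quotes, comment sequences, the semicolon, 1=1 style tautologies, UNION SELECT, the three time-delay functions, @@version and CURRENT_USER, information_schema and sysobjects lookups, hex literals, and the string functions). The weights and the alert threshold are my own choices; a lone apostrophe (as in O'Brien) stays below the threshold, while the combinations that characterize SQLi probing are flagged.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator patterns drawn from the post's list; (name, regex, weight). Weights are assumptions.
INDICATORS = [
    ("quote",        re.compile(r"""['"]"""), 1),
    ("comment",      re.compile(r"--|#|/\*"), 1),
    ("stacked",      re.compile(r";"), 1),
    ("tautology",    re.compile(r"\b1\s*=\s*[01]\b", re.I), 1),
    ("union",        re.compile(r"\bunion(?:\s+all)?\s+select\b", re.I), 3),
    ("time_delay",   re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bpg_sleep\s*\(", re.I), 3),
    ("fingerprint",  re.compile(r"@@version|\bcurrent_user\b", re.I), 2),
    ("metadata",     re.compile(r"\binformation_schema\.|\bsysobjects\b", re.I), 3),
    ("hex_literal",  re.compile(r"\b0x[0-9a-f]{4,}\b", re.I), 2),
    ("string_funcs", re.compile(r"\b(?:concat|cast|convert|ascii|char)\s*\(", re.I), 1),
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /products?id=42%27%20OR%201%3D1%20-- HTTP/1.1" 200 8122',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Oct/2023:13:56:15 +0000] "GET /products?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /products?id=0%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 0',
]


def decode_param(value, rounds=3):
    """URL-decode until stable so double-encoded payloads are compared in clear text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_request(target):
    """Return (score, matched indicator names) for one request target (path plus query)."""
    query = urlsplit(target).query
    values = [decode_param(v) for _, v in parse_qsl(query, keep_blank_values=True)]
    score, matched = 0, []
    for name, pattern, weight in INDICATORS:
        if any(pattern.search(v) for v in values):
            matched.append(name)
            score += weight
    return score, matched


def scan_log(lines, threshold=3):
    """Return (ip, target, score, matched) for every request at or above the threshold."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognized log line; skip rather than crash
        score, matched = score_request(m.group("target"))
        if score >= threshold:
            alerts.append((m.group("ip"), m.group("target"), score, matched))
    return alerts


if __name__ == "__main__":
    for ip, target, score, matched in scan_log(LOG_LINES):
        print(f"{ip} score={score} {matched} {target}")
```

Scoring per request rather than per pattern is what keeps the false-positive rate tolerable: a single quote in a surname scores 1, whereas quote plus comment plus tautology scores 3 and is flagged, and any time-delay, UNION or metadata query is flagged on its own. In production this heuristic belongs alongside, not instead of, parameterized queries; it tells you someone is probing, it does not stop them.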
Summary
Injection attacks against web forms leading to exfiltration of database data are among the most serious attacks compromising web security. These attacks against the database take the form of SQLi attacks, where SQL commands are sent to the backend database through unsanitized input from the client (browser). Although SQLi attacks are becoming increasingly difficult, a thorough and deep understanding of SQL is necessary to be successful in our more security-conscious era.