-
Notifications
You must be signed in to change notification settings - Fork 149
/
detection.html
108 lines (104 loc) · 5.63 KB
/
detection.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
---
layout: default
description: SQL injections can be detected in a number of ways, use these methods to help you start your escalation path.
keywords: sql injection detection, detection, blind sql injection, error based sql injection
title: Detection | NetSPI SQL Injection Wiki
---
<h3 id="sql-injection-detection">SQL Injection Detection</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.injectionDetection}}</p>
<h4 class="subheading">Parameter Locations</h4>
<p>Browse the tabs below to see common injection points in various HTTP requests. Common injection points are <span class="injectionHighlight">highlighted in red</span></p>
<div id="tabs" class="tabs">
<input class="tabInput" name="tabs" type="radio" id="Query" checked/>
<label class="tabLabel" for="Query">GET - HTTP Request</label>
<div class="tabPanel">
<p>In a generic HTTP GET request (and most request types) there are a few common injection points. URL parameters, like <code>id</code> in the below request, cookie names and values, the Host header, and any custom headers are most likely. However, any
content in an HTTP request can be vulnerable to SQL injection.</p>
<pre>
GET /?id=<span class="injectionHighlight">homePage</span> HTTP/1.1
Host: <span class="injectionHighlight">www.netspi.com</span>
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Server-Name: <span class="injectionHighlight">PROD</span>
Cookie: user=<span class="injectionHighlight">harold</span>;
</pre>
</div>
<input class="tabInput" name="tabs" type="radio" id="FormData"/>
<label class="tabLabel" for="FormData">POST - Form Data</label>
<div class="tabPanel">
<p>In a standard HTTP POST request with a Content-Type of application/x-www-form-urlencoded the injections will be similar to URL parameters in a GET request. They are located below the HTTP headers, but can still be exploited in the same ways.</p>
<pre>
POST / HTTP/1.1
Host: netspi.com.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
username=<span class="injectionHighlight">harold</span>&email=<span class="injectionHighlight">[email protected]</span></pre>
</div>
<input class="tabInput" name="tabs" type="radio" id="JSON"/>
<label class="tabLabel" for="JSON">POST - JSON</label>
<div class="tabPanel">
<p>In a standard HTTP POST request with a Content-Type of application/json the injections will be usually be in the values of a JSON <code>{"key":"value"}</code> pair. The value may be an array or an object as well. Although the notation is different,
the values can be injected the same way as all other parameters. (Hint: try <code>'</code>, but make sure the JSON is using double quotes, otherwise you may break the request format.)</p>
<pre>
POST / HTTP/1.1
Host: netspi.com.com
Content-Type: application/json
Content-Length: 56
{
"username":"<span class="injectionHighlight">harold</span>",
"email":"<span class="injectionHighlight">[email protected]</span>"
}</pre>
</div>
<input class="tabInput" name="tabs" type="radio" id="XML"/>
<label class="tabLabel" for="XML">POST - XML</label>
<div class="tabPanel">
<p>In a standard HTTP POST request with a Content-Type of application/xml the injections will usually be inside an <code><xmlObject></xmlObject></code>. Although the notation is different, the values can be injected the same way as all other
parameters. (Hint: <code>'</code>)</p>
<pre>
POST / HTTP/1.1
Host: netspi.com.com
Content-Type: application/xml
Content-Length: 79
<root>
<username><span class="injectionHighlight">harold</span></username>
<email><span class="injectionHighlight">[email protected]</span></email>
</root>
</pre>
</div>
</div>
<h4 class="subheading">Detecting Injections</h4>
<p>Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application. Supplying malformed queries will trigger errors and sending valid queries with various boolean logic statements will trigger different responses
from the web server.</p>
<p><i>Note: True or false statements should return different responses through HTTP status codes or HTML contents. If these responses are consistent with the true/false nature of the query, this identifies an injection.</i></p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th align="left">Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Logic Testing<br/></td>
<td>page.asp?id=1 or 1=1 -- <i>true</i><br>page.asp?id=1' or 1=1 -- <i>true</i><br>page.asp?id=1" or 1=1 -- <i>true</i><br>page.asp?id=1 and 1=2 -- <i>false</i></td>
</tr>
<tr>
<td>Arithmetic</td>
<td>product.asp?id=1/1 -- <i>true</i><br/>product.asp?id=1/0 -- <i>false</i><br>
product.asp?id=1/abs(1) -- <i>true</i><br/>product.asp?id=1/abf(1) -- <i>false</i></td>
</tr>
<tr>
<td>Blind based<br/><i>Note: Detecting blind injection may require identification or guess-and-check of the DBMS to find the proper timing function.</i></td>
<td>See <a href="{{site.pagebase}}/injectionTypes/blindBased/">here</a></td>
</tr>
<tr>
<td>Error based<br/><i>Note: Logic testing and arithmetic with invalid syntax may also help cause errors.</i></td>
<td>See <a href="{{site.pagebase}}/injectionTypes/errorBased/">here</a></td>
</tr>
</tbody>
</table>