SQL_injection_notes.sql

-- SQLi is #1 of OWASP Top 10 Web vulns
-- Sample code of vuln php script

$sql_cmd ="SELECT * FROM user WHERE id = " . $_POST['id'];

-- Form-Input: 42; UPDATE user SET type="admin" WHERE id=23;
-- Resulting Query:

SELECT * FROM USER WHERE id =42; UPDATE USER
SET TYPE="admin" WHERE id=23;

SELECT author, subject FROM article
WHERE ID=42 UNION SELECT login,
password FROM USER;

-- Very fast, can sometimes retrieve multiple strings in one request

--------------------------------------------------

-- Boolean SQLi
-- No output of the quer can be seen
-- There's an indication, if the result of a query is true or false
-- because a certain string appears in the webpage, e.g. an error message

-- Fastest retreiving method is binary search:
-- Is the ASCII-Code of the 1st character of the password of the user
-- 'admin' lower than 64?
-- If 'true': Is the ASCII-Code of the 1st character of the password
-- of user 'admin' lower than 32?
-- ...

-- Slow: Needs 7 requests per ASCII character (but can be multithreaded)

----------------------------------------------------

-- Time based SQLi
-- Neither output of the query can be seen nor any indication of its result
-- Only possible way to determine the result, is to let the database SLEEP()
-- some seconds, if the query turns out false and continue immediately if true.
-- In other databases time intensive instructions have to be executed
-- (effectively doing a short DoS)
-- Very slow and prone to errors because of hard distinction between SLEEP()
-- and a network lag
-- Multithreading difficult to impossible

-- Time based SQLi binary search
-- String to get:"1234", only 4 possibilities
-- Is number <= 2?
-- If true:
    -- Is it 1?
    --  If true: found 1
    --  If false:found 2
-- If false:
    -- Is it 3?...
-- To get 1234 it takes 8 requests

-- linear search takes 9 requests
-- Is this not a 1  -- 6 slow and 3 fast requests