💻 OSWE Everything
Code review

String concatenation

One of the sinks to look for during SQL Injection code review is a query built with string concatenation (or variable interpolation) instead of a parameterized query:

Vulnerable code samples:

  • Pasting the data directly from the parameter into the query without prepared statements

$id = $_GET['id']; // User input taken directly from GET request

$query = "SELECT * FROM users WHERE id = '$id'"; // $id is interpolated straight into the SQL string
  • Concatenation

$username = $_GET['username'];
$password = $_GET['password'];

// Vulnerable SQL query using string concatenation (username and password)
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";

Non-vulnerable code sample:

$id = $_GET['id'];

// Prepared statement: the query text is fixed and the value is sent separately ($mysqli is an open mysqli connection)
$stmt = $mysqli->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $id); // "i" binds $id as an integer
$stmt->execute();
$result = $stmt->get_result();

Narrowing the search

Web applications usually contain a huge amount of code, so we often have to use regexes to search for queries.

Sample regex search (in Notepad++):

^.*?query.*?select.*?
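As an added example (not code from the page or the OSWE notes), the Python script below runs the two passes a reviewer would chain together: first the page's Notepad++ regex applied to each line, case-insensitively so that upper-case SELECT is found too (in Notepad++ this is the "Match case" checkbox), then a narrower pass that flags only lines where a PHP variable is interpolated or concatenated into a string containing a SQL verb and skips prepare() calls. The sample PHP source is constructed from the snippets above; the regex names and helper functions are my own, not a real tool.

```python
import re

# Constructed sample source, modelled on the PHP snippets on this page (not a real code base).
SAMPLE_PHP = r'''
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '$id'";
$username = $_GET['username'];
$password = $_GET['password'];
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
$stmt = $mysqli->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $id);
$sql = 'DELETE FROM sessions WHERE token = ' . $token;
$rows = $db->query("SELECT name FROM products ORDER BY price");
'''.strip()

# The page's Notepad++ search, made case-insensitive so that upper-case SELECT is found too.
QUERY_THEN_SELECT = re.compile(r'^.*?query.*?select.*?', re.IGNORECASE)

# Building blocks for the narrower second pass (hypothetical names, my own).
SQL_VERB = re.compile(r'\b(select|insert|update|delete|union)\b', re.IGNORECASE)
DQ_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')          # one double-quoted PHP literal
VAR_IN_STRING = re.compile(r'\$[A-Za-z_]\w*')          # "$var" interpolated inside that literal
CONCATENATION = re.compile(r'["\']\s*\.\s*\$[A-Za-z_]\w*|\$[A-Za-z_]\w*\s*\.\s*["\']')  # "..." . $var or $var . "..."
PREPARED = re.compile(r'->prepare\s*\(')               # mysqli/PDO prepare(): placeholders, not concatenation


def grep_lines(source: str, pattern: re.Pattern) -> list[int]:
    """First pass: 1-based numbers of the lines the grep-style regex hits."""
    return [n for n, line in enumerate(source.splitlines(), start=1) if pattern.search(line)]


def classify_line(line: str) -> list[str]:
    """Reasons a line looks like a string-built SQL sink; empty when it looks safe."""
    if not SQL_VERB.search(line) or PREPARED.search(line):
        return []
    reasons = []
    # Only look for $var inside the double-quoted literals, so "..." . $var . "..." is not
    # mistaken for interpolation (the variable sits between literals, not inside one).
    if any(VAR_IN_STRING.search(lit) for lit in DQ_STRING.findall(line)):
        reasons.append("variable interpolated into double-quoted SQL string")
    if CONCATENATION.search(line):
        reasons.append("variable concatenated into SQL string")
    return reasons


def find_sinks(source: str) -> dict[int, list[str]]:
    """Second pass: line number -> reasons, for every line that builds SQL from variables."""
    return {n: reasons
            for n, line in enumerate(source.splitlines(), start=1)
            if (reasons := classify_line(line))}


if __name__ == "__main__":
    print("grep hits:", grep_lines(SAMPLE_PHP, QUERY_THEN_SELECT))
    for n, reasons in find_sinks(SAMPLE_PHP).items():
        print(f"line {n}: {'; '.join(reasons)}")
```

On the constructed sample the page's regex hits lines 2, 5 and 9: it catches both vulnerable SELECTs but also the harmless `$db->query("SELECT name ...")` line, and it misses the concatenated DELETE on line 8 because the word "query" never appears there. The second pass flags lines 2, 5 and 8 and leaves the prepared statement and the constant query alone. Neither pass is a verdict; the grep narrows thousands of lines to a handful that still have to be traced back to their input source by hand.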