
SQL Injection Wiki - sidcool
https://sqlwiki.netspi.com/
======
grantcox
The only successful SQL injection attack I've encountered in the wild was
interesting, because the injection point had no visible output. But by
injecting timing calls (e.g. "SLEEP()") and appropriate conditionals, the
attacker was able to extract a few bits of information each request. Their
script executed some tens of thousands of requests, and they managed to
extract all the table names, and start to extract data from our "users" table.

In retrospect such an attack is obvious, and presumably tools like metasploit
make them trivial to execute. But previously I'd had the idea that SQL
injection was usually "literal raw data output".
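
Detection logic for the pattern grantcox describes, as an added example that is not part of the thread: it scans constructed access-log lines (assumed to be Apache combined format with a trailing response-time field in microseconds) for requests that both carry a delay primitive and were slow, then counts them per client so a run of tens of thousands of such requests stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines: combined format plus %D (response time in
# microseconds). Lines 2 and 3 mimic the thread's case: a conditional wrapped
# around a delay, with a normal status and body size, so only timing differs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=5 HTTP/1.1" 200 2326 120000
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=5%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 2326 5200000
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /item?id=5%27%20AND%20IF(1=1,SLEEP(5),0)--%20 HTTP/1.1" 200 2326 5100000
198.51.100.9 - - [10/Oct/2023:13:55:44 +0000] "GET /item?id=7 HTTP/1.1" 200 2330 98000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<micros>\d+)$'
)
# Delay primitives of the common engines: MySQL SLEEP/BENCHMARK, PostgreSQL
# pg_sleep, SQL Server WAITFOR DELAY. Matched on the URL-decoded request path.
DELAY_RE = re.compile(r'\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay', re.IGNORECASE)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])          # decode %27, %20, '+' etc.
    rec["seconds"] = int(rec["micros"]) / 1_000_000
    return rec

def find_time_based_sqli(log_text, slow_seconds=2.0):
    """Return (ip, decoded path, seconds) for requests that carry a delay
    primitive AND took at least slow_seconds. Requiring both cuts noise from
    scanners whose payloads never reached a query (those return fast)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and DELAY_RE.search(rec["path"]) and rec["seconds"] >= slow_seconds:
            hits.append((rec["ip"], rec["path"], rec["seconds"]))
    return hits

def suspects(hits, min_hits=2):
    """Clients with at least min_hits slow delay-carrying requests."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    found = find_time_based_sqli(SAMPLE_LOG)
    for ip, path, secs in found:
        print(f"{ip} {secs:.1f}s {path}")
    print("suspects:", suspects(found))
```

The slow-response requirement is the part worth keeping in a real rule: the payload string alone fires on every scanner, while a payload that measurably delayed the response is evidence the string reached the database.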

~~~
altharaz
You should take a look at [https://sqlmap.org](https://sqlmap.org): this tool
runs SQL attacks with "raw data output" as you say, but also without outputs
(blind SQL injections).

~~~
dspillett
I'm getting SSL errors on that link: it is presenting GitHub's wildcard
certificate which obviously doesn't match.

The site is accessible as plain http (or https if you skip the warnings, of
course).

~~~
jokr004
I thought that was sketchy too but it occurred to me that they probably are
hosting this site with github but are using their own domain name.

sqlmap.org turns out to be an A record for an IP address owned by GitHub.

~~~
dspillett
> _it occurred to me that they probably are hosting this site with github but
> are using their own domain name_

That is exactly what they are doing, and in itself this is not at all a
problem.

But presumably the link worked for the original poster, so either there is a
dynamic DNS problem (we are being sent to an address that serves the
`*.github.com` certificate and not the "right" one, but he was sent somewhere
that does have a certificate for that name) *or* someone is re-signing content
and his machine is set to trust their CA certificate. This latter cause could be
normal/expected (his company having a MiTM policy for regulatory monitoring
reasons) or his machine could be cracked by an external entity.

------
cm2187
Universities and managers must do a little bit of torture, spanking and ruler
on the knuckles every time they see a student or a new dev not parameterize a
query. It must become a reflex like watching for cars before crossing a
street.

~~~
amatera
Some weeks ago an experienced developer said to me: "Parameterize a query?
For years I haven't cared about it, because ORMs like Doctrine or Sequelize
take care of that"... So it's not only students or new devs who should watch
out, because even ORMs can open up SQL injections.

~~~
zetaben
Rails is well known for this. Here is a nice page listing common ones:
[https://rails-sqli.org/](https://rails-sqli.org/)

------
bwann
When I did firewall/network support for managed hosting customers, the number
of customers' custom/vendor apps that were vulnerable (and exploited!) by SQL
injection attacks was astounding. Of course the very first thing they said was
"but we have a firewall, why can't you ACL it?" Sorry, your Cisco ASA doesn't
work that way. It's like people never expected their code to run in a hostile
world.

~~~
Toast_25
It's because they don't. Two things I've found in less than a year of working
in the security industry are that people only care if things work, not if they
work well, and that they either believe security can be delegated or that they
will never be attacked because they're special in some way.

------
hjek
> Javascript is required for viewing, please enable.

Someone should tell them about _progressive enhancement_.

------
geekamongus
A common refrain from developers I hear is, "They can't inject SQL...the
database is read-only."

Unfortunately, SQL Injection is a misnomer.

~~~
nostoc
Is it a misnomer? "Injection" is not because you're injecting data, it's
because you're injecting commands.

------
esnard
It seems that PostgreSQL is missing from this cheat sheet. Does anyone know
why?

~~~
jreynoldsdev
Hey Esnard! I'm one of the people who worked on the wiki at NetSPI. We're
planning on adding more DBMSs in the near future. Was there anything specific
you're looking for about PostgreSQL?

~~~
esnard
Hey! Thanks for replying. Nothing specific, I just find more and more apps
using PostgreSQL in the wild, so I was just curious about its absence. Thanks
for your work on the wiki. I'm going to use it a lot. :)

