Many bug hunters believe that “SQL injection is dead” or “SQL injection is hard to find”. Neither is true, and if you believe it you are missing out on critical bugs.
<aside> 💡 SQL injection (SQLi) allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.
</aside>
CVE-2024-2879 was awarded a $5,500 bounty, so far the highest bounty paid by the Wordfence bug bounty program. It is an unauthenticated SQL injection in the LayerSlider WordPress plugin: LayerSlider exposes an endpoint taking an `ls_get_popup_markup` parameter that was vulnerable to SQL injection. Check here and here for further details.
<aside> 💡 Error-based SQLi relies on error messages thrown by the database server to obtain information about the structure of the database.
</aside>
<aside> 💡 Union-based SQLi leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
</aside>
<aside> 💡 Boolean-based SQLi relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
</aside>
<aside> 💡 Time-based SQLi relies on sending an SQL query to the database which forces the database to wait for a specified amount of time before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
</aside>
<aside> 💡 Out-of-band SQLi occurs when an attacker uses a different channel to launch the attack and to gather the results. This requires the database server to be able to make outbound DNS or HTTP requests that deliver data to an attacker-controlled host.
</aside>
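The following is an added example, not code from the page or from LayerSlider, that walks through three of the techniques defined above against a constructed SQLite database: the error channel (a stray quote breaks the query), union-based extraction of a second table, and boolean-based inference of a value one character at a time. The schema (`popups`, `users`) and the rows in it are made up for the demo. Time-based and out-of-band variants are not shown because SQLite has no sleep or network functions. The vulnerable query is contrasted with the parameterized fix, which treats the same payload as an opaque value.

```python
import sqlite3

# Constructed sample data: a table the app intends to read and one it does not.
# These names and rows are assumptions for the example, not the LayerSlider schema.
SCHEMA = """
CREATE TABLE popups (id INTEGER PRIMARY KEY, markup TEXT);
INSERT INTO popups VALUES (1, '<div>Hello</div>'), (2, '<div>Bye</div>');
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '$P$Bconstructedhash');
"""

# Union-based payload: the first SELECT matches nothing (id = 0), so the only
# rows in the HTTP response come from the attacker's appended SELECT.
UNION_PAYLOAD = "0 UNION SELECT login || ':' || pw_hash FROM users"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_markup_vulnerable(conn, popup_id):
    # Vulnerable: the request parameter is concatenated into the SQL text,
    # so anything the attacker sends becomes part of the statement.
    sql = "SELECT markup FROM popups WHERE id = " + popup_id
    return [row[0] for row in conn.execute(sql)]


def get_markup_fixed(conn, popup_id):
    # Fixed: the value is bound as a parameter and can never change the
    # statement's structure, whatever characters it contains.
    rows = conn.execute("SELECT markup FROM popups WHERE id = ?", (popup_id,))
    return [row[0] for row in rows]


def probe_error(conn, payload):
    # Error-based probing: a syntax-breaking payload surfaces a DB error.
    # Returns the error text, or None if the query ran cleanly.
    try:
        get_markup_vulnerable(conn, payload)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def boolean_extract_login(conn, max_len=16):
    # Boolean-based inference: each probe appends a condition to a query that
    # normally returns one row. A non-empty result means the guess was right.
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = (
                f"1 AND (SELECT substr(login,{pos},1) FROM users WHERE id=1) = '{ch}'"
            )
            if get_markup_vulnerable(conn, payload):
                recovered += ch
                break
        else:
            # No character matched: we ran past the end of the value.
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("error channel :", probe_error(db, "1'"))
    print("union-based   :", get_markup_vulnerable(db, UNION_PAYLOAD))
    print("boolean-based :", boolean_extract_login(db))
    print("fixed query   :", get_markup_fixed(db, UNION_PAYLOAD))
```

The parameterized version returns an empty list for the union payload because SQLite compares the integer `id` column against the whole string as a value; the attacker's text never reaches the parser as SQL.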