03 Apr, 2023

SQL wildcard injection


A SQL wildcard injection is a type of SQL injection attack where the attacker exploits a vulnerability in a web application to inject wildcard characters such as % or _ into an SQL query, causing the query to return more data than intended. This can lead to the exposure of sensitive information or the ability to execute unauthorized commands on the database.

The use of wildcard characters in a SQL query allows the attacker to bypass input validation checks and inject malicious SQL code that can modify, extract, or delete data from the database. Wildcard injections can be used in conjunction with other SQL injection techniques to increase the chances of a successful attack.

Examples of vulnerable code in different programming languages:

• In PHP:

    // User input is concatenated straight into the LIKE pattern: quote
    // characters and the wildcards % and _ reach the database unchanged.
    $uname = $_GET['username'];
    $sql = "SELECT * FROM users WHERE username LIKE '%" . $uname . "%'";
    $result = mysqli_query($conn, $sql);

In this example, the user input for the ‘username’ parameter is directly concatenated into the SQL query without proper input validation, allowing an attacker to inject wildcard characters and potentially perform a SQL wildcard injection attack.

• In Java:

    // Same defect: the parameter value is spliced into the query string and
    // run through Statement, so no binding or escaping takes place.
    String username = request.getParameter("username");
    String query = "SELECT * FROM users WHERE username LIKE '%" + username + "%'";
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(query);

This Java code suffers from the same vulnerability as the PHP example. The input received from the ‘username’ parameter is directly concatenated into the SQL query, allowing an attacker to inject wildcard characters and perform a SQL wildcard injection attack.

• In Python:

    # Same defect: string concatenation instead of a bound parameter.
    username = request.args.get('username')
    query = "SELECT * FROM users WHERE username LIKE '%" + username + "%'"
    cursor.execute(query)
    result = cursor.fetchall()

Similarly, this Python code concatenates the user input for ‘username’ directly into the SQL query without proper input validation, making it vulnerable to SQL wildcard injection attacks.

Examples of exploiting SQL wildcard injection

Let’s say we have a vulnerable SQL query that takes input from the user to search for a product in a database. The SQL query looks like this:

    SELECT * FROM products WHERE name LIKE '%user_input%';

The user input is directly concatenated into the SQL query, making it vulnerable to SQL wildcard injection. An attacker can exploit this vulnerability in various ways:

  • Extracting data: An attacker can use wildcard characters to extract data from the database. For example, if the attacker enters 'a%'; SELECT password FROM users WHERE username = 'admin', the SQL query would become:

    SELECT * FROM products WHERE name LIKE 'a%'; SELECT password FROM users WHERE username = 'admin%';

The second part of the query will execute as a separate statement and return the password of the ‘admin’ user.

  • Bypassing authentication: An attacker can use wildcard characters to bypass authentication checks. For example, if the application checks the username and password as follows:

    SELECT * FROM users WHERE username = 'user_input' AND password = 'user_input';

An attacker can enter a wildcard character as the password to bypass the authentication check:

    SELECT * FROM users WHERE username = 'admin' AND password LIKE '%';

This query will return all users, including the admin user, whose password field contains any value.

  • Deleting data: An attacker can use wildcard characters to delete data from the database. For example, if the application deletes a product based on the product ID as follows:

    DELETE FROM products WHERE id = 'user_input';

An attacker can enter a wildcard character as the product ID to delete all products from the database:

    DELETE FROM products WHERE id LIKE '%';

This query will delete all products from the database.

Privilege escalation techniques for SQL wildcard injection

Union query:

An attacker can use a UNION query to combine the results of two or more SELECT statements. This technique can be used to extract data from other tables in the database or to escalate privileges by impersonating a user with higher privileges. For example, an attacker can use the following query to extract the password hashes of all users and escalate privileges:

    SELECT username, password FROM users WHERE username = 'admin' UNION SELECT username, password FROM users WHERE username <> 'admin';

This query will combine the results of two SELECT statements and return the password hashes of all users, including the admin user.

Subquery:

An attacker can use a subquery to escalate privileges by bypassing authentication checks. For example, if the application checks the username and password as follows:

    SELECT * FROM users WHERE username = 'user_input' AND password = 'user_input';

An attacker can use a subquery to bypass the authentication check and authenticate as a user with higher privileges:

    SELECT * FROM users WHERE username = 'admin' AND password = (SELECT password FROM users WHERE username = 'admin');

This query will return the data for the ‘admin’ user, even if the attacker does not know the password for that user.

Time-based attacks:

An attacker can use time-based attacks to escalate privileges by delaying the response of the SQL query. For example, an attacker can use the following query to delay the response by 10 seconds:

    SELECT * FROM products WHERE name LIKE 'user_input%' AND sleep(10);

This query will delay the response by 10 seconds, which can be used to determine if the SQL query is vulnerable to time-based attacks. An attacker can then use this technique to escalate privileges by executing long-running queries that consume a lot of server resources and disrupt the normal operation of the application.

General methodology and checklist for SQL wildcard injection

Methodology:

  1. Identify all user inputs that are used in SQL queries, such as search fields, login forms, and other user input fields.

  2. Check if the user inputs are directly concatenated into the SQL query without proper validation and sanitization. Look for wildcard characters such as % and _ that can be used for SQL wildcard injection.

  3. Test each input field with various input values to check if the SQL query returns unexpected results. Use wildcard characters such as % and _ to test for SQL wildcard injection. Look for errors, unexpected results, or slow response times that may indicate a vulnerability.

  4. Use automated tools such as SQLmap or other vulnerability scanners to test for SQL wildcard injection. These tools can automatically detect and exploit vulnerabilities, saving time and effort.

  5. Review the application code to identify vulnerable code segments that may be susceptible to SQL wildcard injection. Look for concatenation of user input with SQL queries, unvalidated inputs, and other common vulnerabilities.

  6. Validate and sanitize user inputs before using them in SQL queries. Use parameterized queries or stored procedures to prevent SQL injection attacks.

  7. Limit the privileges of database users to the minimum necessary to prevent privilege escalation attacks.

  8. Regularly review and update security controls to prevent vulnerabilities and stay up-to-date with the latest threats and attack techniques.

Checklist:

  1. Identify all input fields that accept user input, such as search fields, login forms, and other input fields.

  2. Verify that input validation is performed on the input fields, such as checking for expected data types, length, and format.

  3. Check if the input fields are used directly in SQL queries without proper validation and sanitization. Look for wildcard characters such as % and _ that can be used for SQL wildcard injection.

  4. Test each input field with various input values to check if the SQL query returns unexpected results. Use wildcard characters such as % and _ to test for SQL wildcard injection. Look for errors, unexpected results, or slow response times that may indicate a vulnerability.

  5. Test search fields by inputting a wildcard character such as % in the search field to see if the SQL query returns all records.

  6. Test login forms by inputting a wildcard character such as % in the username and password fields to see if the SQL query returns any records.

  7. Use automated tools such as SQLmap or other vulnerability scanners to test for SQL wildcard injection. These tools can automatically detect and exploit vulnerabilities, saving time and effort.

  8. Review the application code to identify vulnerable code segments that may be susceptible to SQL wildcard injection. Look for concatenation of user input with SQL queries, unvalidated inputs, and other common vulnerabilities.

  9. Validate and sanitize user inputs before using them in SQL queries. Use parameterized queries or stored procedures to prevent SQL injection attacks.

  10. Limit the privileges of database users to the minimum necessary to prevent privilege escalation attacks.

  11. Regularly review and update security controls to prevent vulnerabilities and stay up-to-date with the latest threats and attack techniques.
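Added example, not from the original page: a small log-triage script that applies checklist items 4 to 6 and the time-based section above to constructed web access log lines. It flags a query parameter whose decoded value carries a wildcard followed by a quote, a quote followed by an OR tautology and a comment terminator, a time-delay function call, or a bare wildcard on its own, and it records a slow response only when it coincides with one of those indicators. The log format and field order, the 5-second threshold and the indicator patterns are assumptions made here.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (assumed simplified format):
# <client ip> "<METHOD> <path?query> HTTP/1.1" <status> <response time in ms>
SAMPLE_LOG = """\
10.0.0.5 "GET /search?q=laptop HTTP/1.1" 200 42
10.0.0.9 "GET /search?q=%25%27%20or%201%3D1%20-- HTTP/1.1" 200 610
10.0.0.9 "GET /search?q=a%25%27%20and%20sleep(10)-- HTTP/1.1" 200 10045
10.0.0.7 "POST /login?username=%25&password=%25 HTTP/1.1" 302 55
10.0.0.5 "GET /search?q=50%25%20off HTTP/1.1" 200 38
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# Heuristic indicators taken from this page's payload list and time-based section.
# They are for triage, not blocking: a lone % in a search term is normal traffic.
WILDCARD_BREAKOUT = re.compile(r"[%_]\s*'")                      # e.g. %' or ...
TAUTOLOGY = re.compile(r"'\s*or\s+.+?(--|#|/\*|%00)", re.IGNORECASE)
TIME_DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE)
SLOW_MS = 5000  # assumed threshold for "slow response"


def analyse_line(line):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # parse_qsl percent-decodes the values, so %25%27 is inspected as %'
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    reasons = []
    for name, value in params:
        if WILDCARD_BREAKOUT.search(value) or TAUTOLOGY.search(value):
            reasons.append(f"wildcard/quote breakout in '{name}'")
        if TIME_DELAY.search(value):
            reasons.append(f"time-delay function in '{name}'")
        if value.strip() in ("%", "_"):
            reasons.append(f"bare wildcard in '{name}'")
    # A slow response is only interesting together with an injection indicator.
    if reasons and int(m["ms"]) >= SLOW_MS:
        reasons.append(f"slow response ({m['ms']} ms) with injection indicators")
    if not reasons:
        return None
    return {"ip": m["ip"], "target": m["target"], "reasons": reasons}


def scan_log(text):
    """Run analyse_line over every line and keep the findings, in log order."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```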

Tool set for exploiting SQL wildcard injection

Manual Tools:

  • SQLmap – A popular open-source tool for automating SQL injection detection and exploitation. It can detect a wide range of injection techniques and can also identify vulnerabilities such as SQL wildcard injection.

  • Havij – A commercial tool for automated SQL injection and SQL wildcard injection exploitation. It can automatically detect and exploit SQL injection vulnerabilities, making it popular among penetration testers.

  • Sqlninja – A tool designed for exploiting SQL injection vulnerabilities in MySQL databases. It can be used for both automated and manual testing of SQL injection vulnerabilities.

  • SQLMate – A lightweight tool for manual detection and exploitation of SQL injection vulnerabilities. It supports various techniques including SQL wildcard injection.

  • DotDotPwn – A tool for automated testing of directory traversal and file inclusion vulnerabilities, which can be used to detect SQL injection and SQL wildcard injection vulnerabilities.

  • Absinthe – A powerful SQL injection and SQL wildcard injection exploitation tool with a wide range of features, including the ability to automate detection and exploitation of vulnerabilities.

  • SQL Power Injector – A tool for manual SQL injection and SQL wildcard injection exploitation, with features such as multithreading and the ability to bypass web application firewalls.

  • SQLsus – A lightweight SQL injection and SQL wildcard injection exploitation tool that can be used for manual testing and analysis of SQL injection vulnerabilities.

  • Blind SQL Injector – A tool for manual testing and exploitation of blind SQL injection vulnerabilities, which can be used to detect SQL wildcard injection vulnerabilities.

  • Burp Suite – A popular web application security testing tool that can be used for manual detection and exploitation of SQL injection and SQL wildcard injection vulnerabilities.

Automated Tools:

  • AppScan – An automated web application security testing tool that can detect SQL injection vulnerabilities, including SQL wildcard injection.

  • Acunetix – A web application security testing tool that can detect and exploit SQL injection vulnerabilities, including SQL wildcard injection.

  • Netsparker – An automated web application security testing tool that can detect and exploit SQL injection vulnerabilities, including SQL wildcard injection.

  • Vega – An open-source web application security testing tool that can detect SQL injection vulnerabilities, including SQL wildcard injection.

  • Qualys – A cloud-based vulnerability management tool that can detect and exploit SQL injection vulnerabilities, including SQL wildcard injection.

  • WebInspect – An automated web application security testing tool that can detect and exploit SQL injection vulnerabilities, including SQL wildcard injection.

  • Arachni – A web application security scanner that can detect various vulnerabilities, including SQL injection and SQL wildcard injection.

  • Nikto – A popular open-source web server scanner that can detect vulnerabilities such as SQL injection and SQL wildcard injection.

  • OWASP ZAP – An open-source web application security scanner that can detect and exploit vulnerabilities, including SQL injection and SQL wildcard injection.

  • W3af – An open-source web application security scanner that can detect various vulnerabilities, including SQL injection and SQL wildcard injection.

Average CVSS score of SQL wildcard injection

The Common Vulnerability Scoring System (CVSS) is a standardized system used to assess the severity of security vulnerabilities. The score ranges from 0 to 10, with a higher score indicating a more severe vulnerability.

The CVSS score for SQL wildcard injection vulnerabilities can vary depending on the specific circumstances of the vulnerability and the impact it has on the system. However, in general, SQL wildcard injection vulnerabilities are considered to be high-severity vulnerabilities that can have a significant impact on the security of a system.

The average CVSS score for SQL wildcard injection vulnerabilities is typically between 7 and 9, indicating a high-severity vulnerability. However, this score can vary depending on factors such as the complexity of the attack, the level of access gained by the attacker, and the potential impact on the system.

The Common Weakness Enumeration (CWE)

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – This is the most common CWE related to SQL injection, including SQL wildcard injection.

• CWE-20: Improper Input Validation – This CWE is related to improper validation of user input, which can lead to SQL injection attacks.

• CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – This CWE is related to command injection attacks, which can be used to execute arbitrary commands on a system.

• CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – This CWE is similar to CWE-77, but specifically refers to attacks on operating system commands.

• CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) – This CWE is related to URL redirection attacks, which can be used to redirect users to a malicious website that can perform SQL injection attacks.

• CWE-918: Server-Side Request Forgery (SSRF) – This CWE is related to SSRF attacks, which can be used to bypass access controls and perform SQL injection attacks.

• CWE-943: Improper Neutralization of Special Elements in Data Query Logic – This CWE is related to SQL injection attacks that specifically involve data query logic.

• CWE-1145: SQL Injection: Hibernate – This CWE is related to SQL injection attacks that target Hibernate, a popular Java-based ORM framework.

• CWE-1157: SQL Injection: Node.js – This CWE is related to SQL injection attacks that target Node.js, a popular JavaScript runtime environment.

• CWE-1254: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) – This CWE is related to LDAP injection attacks, which can be used to execute arbitrary LDAP queries and potentially perform SQL injection attacks.

CVEs related to SQL wildcard injection

• CVE-2020-13921 (resolved) – Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.

SQL wildcard injection exploits

  • Retrieving all data from a table: An attacker can inject a wildcard character (*) into a SQL query to retrieve all data from a table, even if the application was only designed to retrieve a subset of the data. For example, if the original query was “SELECT name FROM users WHERE age > 18”, an attacker could inject a wildcard character to make the query “SELECT * FROM users WHERE age > 18”, which would retrieve all data from the “users” table.

  • Modifying data in a table: An attacker can inject a wildcard character into an UPDATE statement to modify multiple rows of data in a table, even if the application was only designed to modify one row at a time. For example, if the original query was "UPDATE users SET status = 'inactive' WHERE user_id = 123", an attacker could inject a wildcard character to make the query "UPDATE users SET status = 'inactive' WHERE user_id LIKE '1%'", which would modify the status of all users whose user_id starts with the number 1.

  • Retrieving data from multiple tables: An attacker can inject a wildcard character into a JOIN statement to retrieve data from multiple tables, even if the application was only designed to retrieve data from one table. For example, if the original query was “SELECT name, address FROM users JOIN addresses ON users.user_id = addresses.user_id WHERE users.age > 18”, an attacker could inject a wildcard character to make the query “SELECT * FROM users JOIN addresses ON users.user_id = addresses.user_id WHERE users.age > 18”, which would retrieve all data from both the “users” and “addresses” tables.

  • Escaping the application’s filtering mechanism: An attacker can inject a wildcard character to escape an application’s filtering mechanism and retrieve data that was not intended to be accessible. For example, if an application filters out the character “a” from user input to prevent SQL injection attacks, an attacker could inject a wildcard character to bypass the filter and retrieve data containing the character “a”.

Practicing testing for SQL wildcard injection

Set up a test environment: create a test environment that mimics the production environment, but is separate from it. This can include setting up a database server and web server on a separate machine or virtual machine.

Identify injection points: identify the input fields in the application that can be used for SQL injection, such as search boxes, login forms, and registration forms.

Craft injection payloads: create injection payloads that include wildcard characters such as % and _. These payloads can be used to retrieve all data from a table, modify data in a table, or perform other SQL injection attacks.

Test the application: use the injection payloads to test the application and see how it responds. Look for error messages, changes in the application’s behavior, and unexpected results.

Analyze the results: review the results of the injection tests to determine if the application is vulnerable to SQL wildcard injection. Look for instances where the application returns more data than expected, modifies data in unintended ways, or produces errors.

Fix vulnerabilities: if vulnerabilities are found, work with the development team to fix them. This can include implementing input validation and sanitization, using parameterized queries, and limiting user access to the database.

Retest the application: once the vulnerabilities have been fixed, retest the application to ensure that the SQL wildcard injection attacks are no longer possible.

Resources for studying SQL wildcard injection

The OWASP (Open Web Application Security Project) website has a comprehensive guide to SQL injection, including information on SQL wildcard injection and how to test for it.

The SQL Injection Cheat Sheet on the PentestMonkey website includes information on SQL wildcard injection, as well as other injection techniques.

The SQL Injection Attack Walkthrough on the PortSwigger website includes a step-by-step guide to testing for SQL injection, including SQL wildcard injection.

The Web Security Academy on the PortSwigger website includes interactive labs and exercises to help you practice testing for SQL injection, including SQL wildcard injection.

There are several books available on SQL injection, such as “SQL Injection Attacks and Defense” by Justin Clarke and “SQL Injection: Attacks and Defense” by Sumit Siddharth. These books provide in-depth information on SQL injection, including SQL wildcard injection.

Online courses such as those offered by Udemy, Coursera, and Pluralsight can provide structured learning opportunities to study SQL injection and SQL wildcard injection.

Books covering SQL wildcard injection

SQL Injection Attacks and Defense by Justin Clarke: This book provides a comprehensive guide to SQL injection attacks and defenses, including information on SQL wildcard injection.

SQL Injection: Attacks and Defense by Sumit Siddharth: This book covers SQL injection attacks in detail, including SQL wildcard injection and how to protect against it.

Hacking Exposed Web Applications: Web Application Security Secrets and Solutions by Joel Scambray, Vincent Liu, and Caleb Sima: This book includes information on SQL injection, including SQL wildcard injection and other injection techniques.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto: This book covers a wide range of web application security issues, including SQL injection and SQL wildcard injection.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz: This book includes information on how to use Python to test for SQL injection, including SQL wildcard injection.

Mastering Metasploit: Build and test advanced exploits by Nipun Jaswal: This book covers the Metasploit Framework, including how to use it to test for SQL injection and other vulnerabilities.

Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson: This book covers advanced hacking techniques, including SQL injection and SQL wildcard injection.

The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy by Patrick Engebretson: This book provides an introduction to ethical hacking and penetration testing, including information on SQL injection and SQL wildcard injection.

Metasploit: The Penetration Tester’s Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni: This book covers the Metasploit Framework, including how to use it to test for SQL injection and other vulnerabilities.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness: This book covers a wide range of ethical hacking topics, including SQL injection and SQL wildcard injection.

List of payloads for SQL wildcard injection

  • %' or 1=1 --
  • %' or '1'='1' --
  • %' or 1=1#
  • %' or '1'='1'#
  • %' or 1=1/*
  • %' or '1'='1'/*
  • %' or 1=1;%00
  • %' or '1'='1';%00
  • %' or 1=1;%00;#
  • %' or '1'='1';%00;#

How to be protected from SQL wildcard injection

  1. Parameterized queries are an effective way to prevent SQL wildcard injection attacks. Instead of concatenating user input into a SQL query, use placeholders in the query and bind user input to those placeholders.

  2. Validate all user input on the server-side to ensure that it conforms to expected patterns and does not contain any unexpected characters.

  3. A web application firewall can help protect against SQL wildcard injection attacks by monitoring incoming requests and blocking any that appear to be malicious.

  4. Limit the privileges of the user account used by the application to access the database. This will limit the damage that an attacker can do if they manage to execute a SQL wildcard injection attack.

  5. Keep your web application software and database management system up to date with the latest security patches and updates to ensure that any known vulnerabilities are addressed.

  6. Regular vulnerability assessments can help identify any weaknesses in your web application’s security and provide recommendations for addressing them.
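Added example, not the page's own code, implementing items 1 and 2 above for the Python search snippet from the vulnerable-code section, against an in-memory SQLite table constructed here. One caveat the list does not spell out: binding the pattern as a parameter stops quote characters from ending the string literal, but a bound % or _ still acts as a wildcard inside LIKE, so the user's value is additionally escaped and the query declares the escape character with ESCAPE. The table contents, the length limit and the backslash escape character are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration (not the page's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob_admin", "admin"), ("carol", "user")],
    )
    return conn


def search_vulnerable(conn, username):
    # The page's pattern: the value is concatenated into the LIKE pattern, so a
    # typed % or _ becomes a wildcard and a quote can end the string literal.
    query = "SELECT username FROM users WHERE username LIKE '%" + username + "%'"
    return [row[0] for row in conn.execute(query)]


def escape_like(value, esc="\\"):
    # Escape the escape character itself first, then the two LIKE metacharacters,
    # so the result matches the user's text literally under "ESCAPE esc".
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_hardened(conn, username, max_len=64):
    # Server-side validation: only strings up to an assumed length limit.
    if not isinstance(username, str) or len(username) > max_len:
        raise ValueError("invalid username")
    # The application adds the only two wildcards meant to be active; everything
    # the user typed is escaped so it matches itself.
    pattern = "%" + escape_like(username) + "%"
    # Parameterised query: the driver binds the pattern, so quote characters in
    # the input cannot terminate the literal or append further statements.
    query = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(query, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, input '%':     ", search_vulnerable(db, "%"))  # every row
    print("hardened,   input '%':     ", search_hardened(db, "%"))    # no literal % in any name
    print("hardened,   input '_admin':", search_hardened(db, "_admin"))
```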

Conclusion

SQL wildcard injection is a type of SQL injection attack that occurs when a user-supplied value containing one or more wildcard characters is inserted into a SQL query without proper sanitization or validation. This can allow attackers to manipulate the query to retrieve sensitive information, modify or delete data, or even take control of the underlying database server.

To prevent SQL wildcard injection attacks, web application developers should use parameterized queries or stored procedures, validate user input, limit user privileges, use a web application firewall, and keep software up to date with the latest security patches and updates.
