How Can You Tell If A SQL Injection Attack Is Successful
egrizzly
Member Posts: 533 ■■■■■□□□□□
Heh guys,
How can one tell if a SQL Injection Attack is successful? For all the searches I did on SQL Injection attacks they always describe how it works and how to prevent it but not how to tell if it was successful or not.
Does any of you experienced folks know how to tell whether a SQL Injection attack was successful or not? As always thanks for your feedback, tips, and comments.
How can one tell if a SQL Injection Attack is successful? For all the searches I did on SQL Injection attacks they always describe how it works and how to prevent it but not how to tell if it was successful or not.
Does any of you experienced folks know how to tell whether a SQL Injection attack was successful or not? As always thanks for your feedback, tips, and comments.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Tagged:
Comments
-
si20 Member Posts: 543 ■■■■■□□□□□You might need to be a little bit more specific. Do you mean for a blue team looking at logs? Or for an attacker performing SQLi? If you're talking about an attacker, then a bad guy (or white hat) knows it was successful when he/she gets an error message. This usually indicates that it's vulnerable. When they've managed to extract data, even if it's something as seemingly small as a database version, then they'll know that it's vulnerable and needs patching.If you're talking about it from a blue team/analyst perspective - usually there are logs and logic/rulesets in place to look out for SQL being entered into applications.
-
egrizzly Member Posts: 533 ■■■■■□□□□□Thanks for the input si20. I'm talking about it from a blue team/analyst perspective. Yeah, I'm 100% up to speed with the part about identifying the SQL statements being entered into the applications however how do you know that such statements where successful in what they attempted to query? I say this because anybody can enter SELECT, WHERE, etc into an input field but that does not mean any of it will get through.B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
si20 Member Posts: 543 ■■■■■□□□□□egrizzly said:Thanks for the input si20. I'm talking about it from a blue team/analyst perspective. Yeah, I'm 100% up to speed with the part about identifying the SQL statements being entered into the applications however how do you know that such statements where successful in what they attempted to query? I say this because anybody can enter SELECT, WHERE, etc into an input field but that does not mean any of it will get through.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□DB log review2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□egrizzly said:iBrokeIT said:DB log review
Malformed SQL queries that are not consistent with the design of the webapp's input fields.2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
JDMurray Admin Posts: 13,099 AdminWhen I see information displayed on the screen that came from me injecting a SELECT on a table in the database I consider that a success. If I perform an SQL injection and see database error messages on my screen that no user should see I consider that a success. If I perform an SQL injection and get no response back when I should see an "invalid input" error message that a user should see I consider that a success too.
-
egrizzly Member Posts: 533 ■■■■■□□□□□Hi JD. Yeah, but you're saying all this from a pen-testers point of view. I'm a SOC analyst. The furthest I can get with these attacks is being able to identify the SQL commands (e.g. SELECT, WHERE, etc). However after that their's no way to tell if the attack was successful (or if the system is vulnerable) just by looking at the logs.B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
denisehilton Member Posts: 17 ■■■□□□□□□□The logs will tell you obviously. That's why Syslog servers and SIEM solutions are so useful. If there's any unauthorized access the SIEM will generate an alert.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□denisehilton said:The logs will tell you obviously. That's why Syslog servers and SIEM solutions are so useful. If there's any unauthorized access the SIEM will generate an alert.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
JDMurray Admin Posts: 13,099 Adminegrizzly said:Hi JD. Yeah, but you're saying all this from a pen-testers point of view. I'm a SOC analyst. The furthest I can get with these attacks is being able to identify the SQL commands (e.g. SELECT, WHERE, etc). However after that their's no way to tell if the attack was successful (or if the system is vulnerable) just by looking at the logs.