Injection
Getting Data
Injection types
Logs
Defence
100

What character is commonly used to start an SQL injection payload?

'

100

What is the point of a payload like the following?

' union select 1,@@version --

To get the database version (@@version is MySQL and MS SQL Server syntax, so a result also identifies the type of database)

100

What type of SQL injection relies on seeing errors?

Error-based injection

100

True or false: SQL injection attempts can be seen in logs

True

100

How do web application firewalls (WAFs) help prevent SQLi?

Detect/block malicious SQL patterns

200

What characters are used to write a comment in SQL?

-- (in MySQL the two dashes must be followed by a space; # and /* */ also work there)

200

How can attackers determine the number of columns needed in their injection?

' union select 1,2,3 -- etc.

' union select null,null,null -- etc. (adding a column each time until the query stops erroring)

200

The command SLEEP(5) would be used by which type of injection?

Time-based injection

200

If the logs show a request containing just

''

what is potentially happening?

Someone is testing for SQL injection vulnerabilities

200

What is input validation?

Checking that the data is what we expect, e.g. only digits in a phone number parameter

300

Which of the following will trigger an SQL error:

'

' --

''

' (a lone quote leaves the string unterminated; ' -- comments out the rest of the query and '' is a valid empty string, so neither of those errors)

300

What is this injection trying to do?
' UNION SELECT name FROM sqlite_master WHERE type='table' --

get table names (sqlite_master is SQLite's schema catalogue)

300

Which type of injection is best to use when SQL output data is displayed on the screen?

union-based

300

WAFs can generate logs. What is a WAF?

Web Application Firewall

300

What is input sanitisation?

Removing or escaping characters that could cause SQL injection, e.g. '

400

You try to force a true statement with ' OR 1=1 -- but it fails.  What could you try?

' OR 2=2 -- (or any other always-true condition that the filter does not match literally)

400

You inject the following into a vulnerable id parameter whose query returns 3 columns and it doesn't work. Why?

id=5 UNION SELECT null, username, password FROM users --

There is no ' to close the quoted value the id sits in (e.g. WHERE id='5'), so the UNION stays inside the string

400

When would you use time-based injection?

When you don't get errors or any data displayed on the screen (blind injection: you infer each answer from whether the response is delayed)

400

The logs show someone searching for

' union select null,sqlite_version() --

What information will they likely ask for next?

table names (from sqlite_master, now that they know the database is SQLite and the column count is 2)

400

How could we defend against an automated attack using sqlmap?

Rate-limit or block clients sending lots of requests in a short time

500

You use the payload ' OR 1=1 -- in a search bar for user names. What would you expect the results to show?

ALL the users (the WHERE clause is now always true and -- comments out the closing quote)

500

You inject the following into a 2 column query and it errors. Why?

' union select a,b --

Lack of quotes: unquoted a and b are read as column names that don't exist. It needs to be

' union select 'a','b' --

500

What type of injection uses a command like ' order by 10 -- ?

error-based (raise the number until the database errors; the largest value that works is the column count)

500

Logs show a search for ' union select null,null --
What is the attacker doing?

Testing the number of columns or testing their injection works
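Added example (not part of the original board) for the Logs and Defence columns: a small log analyser run over constructed access-log lines. It URL-decodes each search parameter, labels the probe it looks like (quote test, column-count union, version fingerprint, sqlite_master enumeration, SLEEP delay, boolean condition), and flags clients that exceed a request-rate threshold or advertise sqlmap's default User-Agent. The log lines, IP addresses, the /search?q= parameter and the exact sqlmap User-Agent string are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not taken from the original page.
# One client walks through the board's probes by hand; another runs an automated tool.
MANUAL = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /search?q=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /search?q=%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /search?q=%27%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:12 +0000] "GET /search?q=%27+union+select+null%2Cnull+-- HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:15 +0000] "GET /search?q=%27+union+select+null%2Csqlite_version()+-- HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:20 +0000] "GET /search?q=%27+UNION+SELECT+name%2Cnull+FROM+sqlite_master+WHERE+type%3D%27table%27+-- HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:30 +0000] "GET /search?q=%27+OR+SLEEP(5)+-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
# sqlmap's default User-Agent (assumed form; an attacker can change it, e.g. with --random-agent).
SQLMAP_UA = "sqlmap/1.8#stable (https://sqlmap.org)"
AUTOMATED = [
    f'10.0.0.77 - - [12/Mar/2024:10:05:{i:02d} +0000] "GET /search?q=alice%27+AND+{i}%3D{i}+-- HTTP/1.1" 200 512 "-" "{SQLMAP_UA}"'
    for i in range(40)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Ordered most-specific first, so a UNION payload that also fingerprints the database
# or lists tables is labelled by its purpose rather than just as a union test.
RULES = [
    ("time-based probe", re.compile(r"sleep\s*\(|pg_sleep|waitfor\s+delay")),
    ("table-name enumeration", re.compile(r"sqlite_master|information_schema")),
    ("database fingerprinting", re.compile(r"@@version|sqlite_version\s*\(|\bversion\s*\(")),
    ("column-count / union test", re.compile(r"union\s+(?:all\s+)?select|order\s+by\s+\d+")),
    ("boolean condition test", re.compile(r"\b(?:or|and)\s+(\d+)\s*=\s*\1\b")),
    ("quote test", re.compile(r"^'{1,2}$")),
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def query_param(target, name="q"):
    """URL-decode the search parameter (%27 -> ', + -> space) so patterns match what the DB saw."""
    return parse_qs(urlsplit(target).query).get(name, [""])[0]


def classify(payload):
    """Name the injection technique a decoded payload looks like, or None for benign input."""
    text = payload.strip().lower()
    for label, pattern in RULES:
        if pattern.search(text):
            return label
    return None


def analyse(lines, rate_threshold=20):
    """Return (events, noisy_ips, tool_ips): classified injection attempts in log order,
    clients over the request-rate threshold, and clients sending sqlmap's User-Agent."""
    events, per_ip, tool_ips = [], Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        if "sqlmap" in rec["ua"].lower():
            tool_ips.add(rec["ip"])
        payload = query_param(rec["target"])
        kind = classify(payload)
        if kind:
            events.append((rec["ip"], rec["status"], kind, payload))
    noisy = sorted(ip for ip, n in per_ip.items() if n > rate_threshold)
    return events, noisy, sorted(tool_ips)


if __name__ == "__main__":
    events, noisy, tools = analyse(MANUAL + AUTOMATED)
    for ip, status, kind, payload in events[:6]:
        print(f"{ip} {status} {kind:26} {payload}")
    print("rate-limit candidates:", noisy, " sqlmap user-agent:", tools)
```

The manual client's sequence (quote test, column count, version, table names, then a SLEEP probe) is exactly the progression the board's Logs questions describe, while the automated client is caught by volume alone; the User-Agent check is a bonus that only works while the tool's default is left in place.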

500

How does a parameterised query prevent SQL injection?

User input is bound as data and never parsed as SQL: the query structure is fixed before the value is supplied
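Added example (not part of the original board) tying the Getting Data, Injection and Defence answers together: a string-built search query over a constructed SQLite users table, the column-count, quoting and UNION probes from the 300-500 questions run against it, and the parameterised version that treats the same payloads as plain data. The table, its rows and the function names are assumed for illustration.

```python
import sqlite3

# Constructed sample data (not from the original page): a three-row users table
# behind a "search by user name" box modelled as WHERE username = '<input>'.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database; the search returns two columns (username, email)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """The vulnerable version: the user's input is glued straight into the SQL text,
    so quotes, UNION and -- in the input are parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{name}'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, name):
    """The fix: a ? placeholder. The statement is compiled first and the value bound
    afterwards, so the input is only ever data, never part of the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


def payload_errors(conn, payload):
    """True if the payload makes the vulnerable query fail to compile or run.
    This is what error-based probing watches for (an HTTP 500, a stack trace)."""
    try:
        search_vulnerable(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(conn, limit=10):
    """' ORDER BY n -- enumeration: n is raised until the database complains that
    the ORDER BY term is out of range; the last n that worked is the column count."""
    for n in range(1, limit + 1):
        if payload_errors(conn, f"' ORDER BY {n} --"):
            return n - 1
    return None


if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns(db))
    print("' OR 1=1 --   ->", search_vulnerable(db, "' OR 1=1 --"))
    print("version       ->", search_vulnerable(db, "' union select null,sqlite_version() --"))
    print("tables        ->", search_vulnerable(db, "' UNION SELECT name,NULL FROM sqlite_master WHERE type='table' --"))
    print("parameterised ->", search_parameterised(db, "' OR 1=1 --"))
```

Because the search returns two columns, the board's one-column sqlite_master payload has to be padded with NULL here, and ' union select a,b -- fails with "no such column" until a and b are quoted, exactly as the 500-point Getting Data answer says.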
