VII. Unprepared SQL Queries
Nearly all of a WordPress site's data, including but not limited to site options, user
passwords, post and page content, and plugin settings, is stored in a database, most
commonly a MySQL database. All of the data stored in the database can be accessed
using Structured Query Language, also known as SQL. To retrieve and update data in
the database, SQL queries must be used. Therefore, it is common for developers to
use SQL queries in plugins and themes to select, insert, update or delete data in the
database as part of plugin or theme functionality.
SQL queries can be chained together using the UNION operator, and additional data can
be retrieved from a database by using boolean conditions, sleep functions, and even
error-inducing statements. If user-supplied input to a SQL query is not properly sanitized,
escaped, or prepared, an attacker can either obtain data from the database beyond what
the query was originally intended to return, or even manipulate the data stored within
the database. This is referred to as a SQL Injection vulnerability. There are four core
types of SQL injection vulnerabilities that are frequently found: boolean/blind-based SQLi,
error-based SQLi, time-based SQLi, and UNION-based SQLi.
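The following is an added example, not code from the original guide. It shows an unprepared $wpdb query beside the prepared form, using a hypothetical plugin table {$wpdb->prefix}plugin_items (columns id, owner, title) and hypothetical function names; $wpdb, prepare(), esc_like(), absint() and sanitize_text_field() are the real WordPress APIs.

```php
<?php
// Added example; the table and function names are assumptions.

// VULNERABLE: user input is concatenated straight into the query string,
// so a crafted value changes the query's structure instead of being data.
function plugin_items_get_vulnerable() {
    global $wpdb;
    $id = $_GET['id'];
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE id = " . $id
    );
}

// FIXED: every user-controlled value is bound through $wpdb->prepare()
// (%d = integer, %s = quoted string, %f = float). The table prefix is not
// user-controlled, so it may remain interpolated in the string.
function plugin_items_get_prepared() {
    global $wpdb;
    $id = absint( $_GET['id'] ?? 0 ); // cast first; %d also coerces to int
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE id = %d",
        $id
    ) );
}

// LIKE clauses need one extra step: esc_like() escapes the LIKE wildcards
// (% and _) in the user's term, then prepare() quotes the whole pattern via
// %s. Do not wrap %s in your own quotes ('%s'); prepare() adds them.
function plugin_items_search_prepared( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE title LIKE %s",
        $pattern
    ) );
}

// Column names and sort direction cannot be bound with placeholders;
// restrict them to a fixed allow-list before interpolating them.
function plugin_items_sorted_prepared( $orderby, $owner ) {
    global $wpdb;
    $allowed = array( 'id', 'title' );
    $column  = in_array( $orderby, $allowed, true ) ? $orderby : 'id';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}plugin_items WHERE owner = %d ORDER BY $column",
        absint( $owner )
    ) );
}
```

A query string that already has its values interpolated cannot be made safe afterwards by passing it to prepare(); the placeholders must stand in for the values at the point the string is built.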
Boolean-based SQLi vulnerabilities, also commonly referred to as blind SQLi, occur when
no directly observable data can be obtained while injecting additional SQL commands or
queries, but the response does indicate whether the injected condition evaluated to true
or false. Exploiting this type of SQLi vulnerability requires diligence and time, as the
injected SQL query pulls data from the database one character at a time, based on
whether each injected query or statement returns true or false.
Error-based SQLi vulnerabilities likewise occur when there is no directly observable
data returned from an injected SQL query, but an error message is returned that can
allow a user to determine whether particular information is present in the database.
This is very similar to boolean-based SQLi; the difference is that it relies on error
messages instead of true-or-false responses.
Time-based SQLi vulnerabilities occur when there is no observable difference in the
content of the response to an injected SQL query, but an injected query or statement
can be made to delay the response by a specified amount of time, and that delay allows
the user to infer data from the database. As with blind SQLi vulnerabilities, this type of
vulnerability requires patience and can only retrieve values one character at a time,
unless a value is easily guessed.