TID-320: SQL Injection
Threat Description
The device does not properly restrict, filter, or validate the content of web-based requests, especially content used to construct SQL commands or HTTP pages. A threat actor can add malicious content to these messages to cause unwanted code to execute on the device. SQL injection can be used to execute unauthorized commands (e.g., xp_cmdshell), or to manipulate or extract sensitive data within the database.
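As an added illustration (not part of this TID entry), the CWE-89 pattern beside its parameterized fix, in Python with sqlite3 on constructed sample rows; the table, column names and hostile value are assumptions for the demo:

```python
import sqlite3

# Constructed sample data standing in for a device's user table.
SAMPLE_USERS = [("admin", "s3cret"), ("operator", "ops-pass"), ("viewer", "read-only")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """CWE-89 pattern: the request value is spliced into the SQL text, so a
    quote character in `name` changes the structure of the command."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Mitigation: the SQL text is fixed and the value is bound as a
    parameter, so the driver never interprets it as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> tuple[list[str], list[str]]:
    """Run both lookups on the same input; return (vulnerable, safe) results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed hostile value: the quote closes the literal, the rest is a tautology.
    for value in ("operator", "' OR '1'='1"):
        vulnerable, safe = compare(value)
        print(f"{value!r:16} vulnerable={vulnerable} safe={safe}")
```

The vulnerable lookup returns every row for the hostile value while the parameterized lookup returns nothing, which is the same difference an audit of string-built queries versus bound parameters should look for in device web handlers.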
Threat Maturity and Evidence
Known Exploitable Weakness
ATT&CK Technique: Server Software Component: SQL Stored Procedures (T1505.001)
Procedure Example: Stuxnet (S0603)
“Stuxnet used xp_cmdshell to store and execute SQL code.”
ATT&CK Technique: Exploit Public-Facing Application (T1190)
Various threat actors have leveraged SQL injection to gain initial access to publicly facing web applications, including APT28, APT39, and Dragonfly.
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
“The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.”
CVE
CSWorks Software SQL Injection Vulnerability, CISA - CVE-2014-2351
“The CSWorks software does not properly sanitize or validate the data used to construct read and write paths, which may make applications built with the affected product susceptible to an SQL injection attack. Depending on the intended use of the application, an attacker may be able to exploit this vulnerability to achieve remote code execution.”
Navis WebAccess SQL Injection Vulnerability, CISA
“The WebAccess application does not properly sanitize input that may allow a remote attacker to read, modify, and affect availability of data in the SQL database.”