> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/vulnerability-exploitation/trick-0070.md).

# SQL Injection on gRPC Service

***

SQL injection can occur in gRPC services which communicate over HTTP/2. Interact with the service, for example using `grpcui` (found on port 50051 in this case), and intercept the resulting HTTP/2 traffic with a web proxy like Burp Suite. Identify a method that takes user input, such as `getInfo` requiring an `id`, and save the intercepted request for this method to a file. After capturing the gRPC request (which is an HTTP/2 POST request), you can save it to a file. Ensure the file contains the full request, including headers and the binary body (which contains the protobuf data).

Then, use sqlmap pointing to this file to test the request for SQL injection vulnerabilities and exploit them. The `-r` option is used to load the HTTP request from a file.

```bash
sqlmap -r captured_grpc_request.txt
```

To automate interaction, the `--batch` flag can be used, which tells sqlmap to never ask for user input and use default behavior. The `--level` and `--risk` parameters can be adjusted based on the desired depth and potential disruptiveness of testing. `--level` specifies the level of tests to perform (1-5, default 1), and `--risk` specifies the risk of tests to perform (1-3, default 1).

```bash
sqlmap -r captured_grpc_request.txt --batch --level 3 --risk 3
```

You can also specify SQL injection techniques to test for using `--technique=TECH`. Available techniques include 'B' (Boolean-based blind), 'E' (Error-based), 'U' (Union query-based), 'S' (Stacked queries), 'T' (Time-based blind), and 'Q' (Inline queries).

To extract data, options like `--dump` or `--dump-all` can be used. `--dump` dumps database table entries, while `--dump-all` dumps everything.

```bash
sqlmap -r /path/to/saved_grpc_request.req --batch --dump
```

This allows standard SQLi tools to be leveraged against the gRPC service's data inputs by analyzing the underlying HTTP/2 communication. However, it's important to note that sqlmap does not natively understand the Google Protobuf serialization format. When testing parameters embedded within the Protobuf body, you might need to write a tamper script to properly encode/decode or modify the data in a way sqlmap can interact with effectively.
