I am pentesting an application using GraphDB and I found a lot of injections in SPARQL requests. There is very little information about SPARQL injections and I don't really know this DB language. Does anyone know if it is possible to include files or execute commands in SPARQL (like one would do with SQL)?
Thank you.
SPARQL Query and SPARQL Update are different languages.
A SPARQL Update is invalid as SPARQL Query syntax.
The kind of operation (query or update) is clear from either the endpoint URL called or the HTTP request content-type.
In the W3C Standard SPARQL, there is no "call out" execution operator.
SPARQL does allow extension functions - that's implementation dependent. They should be functions (no side effects) but of course it depends on the implementation.
A SPARQL Query implementation may read external data with FROM/FROM NAMED. Most implementations don't; they take the graphs from the local dataset.
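As an added example (not part of the answer above and not GraphDB code), a small Python pre-filter for a SPARQL endpoint that applies the points the answer makes: it tells query from update by the request content-type, rejects SPARQL Update syntax arriving on the query path, and allows FROM / FROM NAMED only against an allowlisted host. The media types are the ones the SPARQL 1.1 Protocol defines; the allowlist host and the sample requests are constructed.

```python
import re
from urllib.parse import urlparse

# Media types the SPARQL 1.1 Protocol defines for a directly POSTed query or update body;
# form-encoded "query=" / "update=" submissions are left out of this example.
QUERY_TYPE = "application/sparql-query"
UPDATE_TYPE = "application/sparql-update"

# Hosts a query may name in FROM / FROM NAMED (constructed allowlist for this example).
ALLOWED_GRAPH_HOSTS = {"graphs.internal.example"}

# SPARQL 1.1 Update operations; none of them is valid SPARQL Query syntax.
UPDATE_KEYWORDS = ("INSERT", "DELETE", "LOAD", "CLEAR", "CREATE", "DROP", "COPY", "MOVE", "ADD")

_IRI = r"<[^<>\"{}|^`\\\s]*>"
_TOKEN_RE = re.compile(rf"({_IRI})|(\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*')|(#[^\n]*)")
_FROM_RE = re.compile(r"\bFROM(?:\s+NAMED)?\s*<([^>]*)>", re.IGNORECASE)

def _code_only(body):
    """Keep IRIs, blank string literals and drop comments, so text inside them can
    neither trigger nor hide a match (a '#' inside an IRI is not a comment)."""
    def repl(m):
        if m.group(1):
            return m.group(1)  # IRI: kept, FROM detection needs it
        if m.group(2):
            return '""'        # string literal: contents are data, not syntax
        return ""              # comment
    return _TOKEN_RE.sub(repl, body)

def check_sparql_request(content_type, body):
    """Classify one SPARQL Protocol request as ('query' | 'update' | 'reject', reason)."""
    media = content_type.split(";")[0].strip().lower()
    if media == UPDATE_TYPE:
        return "update", "update body; route only to the update endpoint"
    if media != QUERY_TYPE:
        return "reject", f"unexpected content-type {media!r}"
    code = _code_only(body)
    # A query implementation may fetch FROM / FROM NAMED graphs: allow only known sources.
    for iri in _FROM_RE.findall(code):
        if urlparse(iri).hostname not in ALLOWED_GRAPH_HOSTS:
            return "reject", f"FROM/FROM NAMED names a disallowed source <{iri}>"
    # Update syntax is invalid in a query anyway; reject it here instead of relying on the store.
    no_iri = re.sub(_IRI, "<>", code)
    for kw in UPDATE_KEYWORDS:
        if re.search(rf"(?<![\w?$:]){kw}\b", no_iri, re.IGNORECASE):
            return "reject", f"update keyword {kw} in query body"
    return "query", "ok"
```

Variables such as `?delete`, prefixed names and keywords inside string literals or comments do not trip the update check, while a FROM clause pointing at any host outside the allowlist is refused before the store ever sees it.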