SQL Injections – Part 1

April 25, 2017


Among the many classes of web application vulnerability, SQL injection (SQLi) has its own significance: it is the most prevalent and the most dangerous of them. With an SQLi vulnerability in the application, an attacker can cause severe damage, such as bypassing logins, retrieving sensitive information, and modifying or deleting data. In the healthcare or banking domains this can even cost lives. Introduction aside, the objective of this article is to exploit the vulnerability and read some sensitive data from the database. If you don't know what exactly SQLi is, read my personal blog article, which may shed some light. I am splitting the subject into two parts, since having everything in one might lose your interest.

Now, let's get started. Launch your bee-box, log in to bWAPP, and select SQL Injection (GET/Search).

[Screenshot: SQLi GET/Search]
Now search for any movie and observe the URL. Since the search term is sent as a query string, you should see the movie name in the URL. Let's check the source code to better understand the implementation.


The SQL statement above retrieves the movies whose title matches the given input. Since the statement uses the LIKE operator, the database returns every row whose title contains the user input: searching for the keyword 'iron' retrieves the Iron Man movie. Now let's try to get some sensitive information by causing an error. Just search for a single quote ('). You should see an error.


Provoking an error this way is the most common attack vector for finding the vulnerability when you don't have access to the source code. I'll post an SQLi cheat sheet later. For now, we will do some manual analysis. To break the constructed SQL statement, try searching for
test' or 1=1-- (with a space after the double hyphen). This retrieves the full list of movies.


This is the query that was executed when you searched with the conditional statement:
SELECT * FROM movies WHERE title LIKE '' or 1=1-- 
(the condition is always true, so every row is returned)
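To make the mechanism concrete, here is an added example (not bWAPP's own code) that rebuilds the search page's LIKE query in two ways: by string concatenation, as the vulnerable page does, and with a bound parameter, which is the fix. The in-memory movies table and its schema are constructed for the demo; the three inputs are the ones walked through above.

```python
import sqlite3

# Constructed stand-in for the movies table searched by the bWAPP page (assumed schema).
MOVIES = [("Iron Man",), ("The Incredible Hulk",), ("World War Z",), ("Terminator Salvation",)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT)")
    conn.executemany("INSERT INTO movies VALUES (?)", MOVIES)
    return conn

def search_vulnerable(conn, user_input):
    # Concatenation, as in the page's search: the input is spliced between the quotes,
    # so a quote in it closes the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM movies WHERE title LIKE '%" + user_input + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, user_input):
    # The fix: the statement is parsed first and the input only ever binds as a value,
    # so quotes, OR clauses and comment markers inside it are just characters to match.
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + user_input + "%",))]

def probe(search, user_input):
    """Run one search and report either the rows or the DB error text (what error-based SQLi reads)."""
    try:
        return {"rows": search(make_db(), user_input)}
    except sqlite3.Error as exc:
        return {"error": str(exc)}

# A normal keyword, the single-quote error probe, and the always-true condition from the article.
INPUTS = ["iron", "'", "test' or 1=1-- "]

def compare():
    """Run the same three inputs against both implementations."""
    return {
        "vulnerable": [probe(search_vulnerable, i) for i in INPUTS],
        "parameterized": [probe(search_parameterized, i) for i in INPUTS],
    }

if __name__ == "__main__":
    for impl, results in compare().items():
        for i, r in zip(INPUTS, results):
            print(f"{impl:14} {i!r:22} -> {r}")
```

The concatenated version leaks a database error for the lone quote and returns the whole table for the tautology; the parameterized version returns "Iron Man" for the keyword and an empty result for both payloads.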

There are several types of SQLi: error based, blind, union based, and time based.

Blind SQL injection: in simple terms, the attacker never knows exactly what happened when the injection was exploited, because the vulnerable page may not display the result. This attack is usually time intensive, since many crafted requests are needed before a vulnerable parameter is found, so instead of doing it manually we employ tools such as SQLmap, NMAP scripts, Burp, ZAP, etc.

Error-based SQL injection: this is the quickest SQL injection exploitation technique. When a DBMS receives an illegal SQL expression, its error message generally contains valuable information about the DBMS. The technique consists of checking whether an error occurred while the SQL expression was processed. So far, what we've done is error-based SQL injection.

Union-based SQL injection: this injection lets an attacker extract information with ease. The UNION operator, mostly used to combine multiple SELECT statements, only works when both queries have exactly the same structure, that is, the same number of columns. You can try the examples below in the Search movies page.
Examples (with a space after the double hyphen):
test' union select 1,1,1,1,1,1,1-- 
test' union select 1,login,password,email,secret,1,1 from users-- 


You can also run an automated scan with SQLMAP or ZAP/Burp. Try to exploit the SQL Injection (GET/Select) and (POST/Search) functionalities in bWAPP as well.

Time-based SQL injection: this injection relies on timing. You may say 'Hey, the query only got a response after 15 seconds'. The query time is controllable through the vulnerable parameter (for example: test' / sleep(15) / '), which causes the request to take an additional 15 seconds to return its response.
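On the defensive side, the four payload shapes walked through above (the single-quote error probe, the always-true condition, the UNION select and the sleep() delay) are easy to spot in web server logs. The following added example (not part of the original article or of bWAPP) decodes the query string of each request and labels it by technique. The access-log lines, the /search.php path and the title parameter are constructed for the demo.

```python
import re
from urllib.parse import parse_qs

# Constructed access-log lines in combined format; /search.php and the 'title'
# parameter are assumptions, the payloads are the ones the article walks through.
LOG_LINES = [
    '10.0.0.5 - - [25/Apr/2017:10:00:01 +0000] "GET /search.php?title=iron HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Apr/2017:10:00:07 +0000] "GET /search.php?title=%27 HTTP/1.1" 200 804',
    '10.0.0.5 - - [25/Apr/2017:10:00:15 +0000] "GET /search.php?title=test%27+or+1%3D1--+ HTTP/1.1" 200 4096',
    '10.0.0.5 - - [25/Apr/2017:10:00:31 +0000] "GET /search.php?title=test%27+union+select+1,1,1,1,1,1,1--+ HTTP/1.1" 200 1400',
    '10.0.0.5 - - [25/Apr/2017:10:01:02 +0000] "GET /search.php?title=test%27+/+sleep(15)+/+%27 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Ordered from most to least specific: the first rule that matches names the technique.
RULES = [
    ("time-based", re.compile(r"\bsleep\s*\(")),
    ("union-based", re.compile(r"\bunion\b.*\bselect\b")),
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+")),
    # A lone quote is a weak signal on its own (a genuine title can contain an apostrophe),
    # so in production it should raise a score rather than fire an alert by itself.
    ("error-probe", re.compile(r"'")),
]

def classify(value):
    """Return the SQLi technique a decoded parameter value resembles, or None."""
    lowered = value.lower()
    for label, pattern in RULES:
        if pattern.search(lowered):
            return label
    return None

def scan(lines):
    """Return (path, param, decoded_value, label) for every query parameter that matches a rule."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        # parse_qs undoes the URL encoding (%27 -> ', + -> space), so rules see the raw payload.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                label = classify(value)
                if label:
                    hits.append((path, param, value, label))
    return hits

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```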

I hope you are now familiar with SQLi, the most dangerous injection vulnerability.
I'll post a few more articles on SQL injection to help you understand it better. If you think I missed anything, please post a comment below.
Check my next article, SQL Injections – Part 2.

2 Comments
  1. Great post, thanks.
    Are you going to post about all the bWAPP tutorials?

  2. Great post, thanks.
    Are you going to post about all the bWAPP tutorials?
