Though there are many vulnerabilities, SQL injection (SQLi) has its own significance. This is the most prevalent and most dangerous of web application vulnerabilities. Having this SQLi vulnerability in the application, an attacker may cause severe damage such as bypassing logins, retrieving sensitive information, modifying, and deleting data. Sometimes this costs life when it comes to Healthcare or Banking domains. Okay introduction aside, the objective of this article is to exploit and read some sensitive data from the database. If you don’t know what exactly SQLi is, then read my personal blog article which may shed some light. I am splitting the subject into two parts, having everything in one might throw you out of interest.
Now, let's get started. Launch your bee-box and login to bWAPP, select SQL injection GET/Search.
SQLi GET/SearchNow search for any movie and observe the URL. Since it’s a query string you should see the movie name in the URL. Let’s check the source code for better understanding of implementation.
The above SQL statement will retrieve a movie with given input as the title. Since it is using ‘like’ operator in the statement, the system will retrieve data which contains the user input. Search with a keyword ‘iron’ it retrieves iron man movie. Now let’s try to get some sensitive information by causing an error. Just search for a single quote (‘). You should see an error.
It’s most common attack vector to find the vulnerability when you don’t have access to the source code. I’ll post an SQLi cheat sheet later. For now, we will do some manual analysis. To break the constructed SQL statement try searching withtest’ or 1=1– (space after the double hyphen). This retrieved all the movies list
This is the query which was executed when you tried with a conditional statementSELECT * FROM movies WHERE title LIKE ” or 1=1–(condition returns true all the time)
There are types of SQLi, Error based, Blind, Union, Time based.
Blind SQL Injection Attack, in simple terms attacker never know what exactly happened when he exploited with SQLi. The page with vulnerability may not be displayed. This attack is usually time intensive since we need to craft many malicious requests until we find a vulnerable parameter. So instead of doing it manually, we need to employ several tools like SQLmap, NMAP scripts, Burp, ZAP etc…
Error-Based SQL Injection, this is the quickest technique of SQL Injectionexploitation. Generally, the valuable information of various DBMS will be stored into the error messages in case of receiving illegal SQL expression. This technique is used to check if any error of SQL expression processing occurred. So far, what we’ve done is an Error-Based SQL injection
Union Based SQL injection, this injection allows an attacker to extract information with ease. The UNION operator will only be used if both queries have the exact same structure, mostly used for clubbing multiple Select statements. You can try with below examples in Search movies Pageexamples: (space after the double hyphen)test’ union select 1,1,1,1,1,1,1–test’ union select 1,login,password,email,secret,1,1 from users–
You can also run an automated scan with SQLMAP or ZAP/Burp. Try to exploit SQL injection GET/Select, POST/Search functionalities is bWAPP.
Time-Based SQL injection, this injection is related to time. You may say ‘Hey query get a response after 15 seconds’. The query time is controllable using vulnerable parameter (ex: test’ / sleep(15) / ‘), which cause the request to take additional 15 seconds to return the response.
I hope you are now familiar with most dangerous injection SQLi.I’ll post few more articles on SQL injection to understand much better. If you think I missed anything, please post a comment below.Check my next article SQL injections – Part 2.