SQLI: The good, the bad, the basics
In my last blog post, I discussed the basics of Cross-Site Scripting (XSS). For this post, we will be discussing the basics of SQL Injections (SQLI). This post will cover what SQL is, what SQLI is, identify it, and exploit it. First, let's discuss what SQL is.
SQL stands for Structured Query Language and is used to store, manipulate, and retrieve databases. The SQL language can perform actions such as executing queries, retrieving data, inserting and deleting records, and so much more. Database system software such as MySQL, SQL Server, MS Access, Oracle, Sybase, Informix, and Postgres utilize SQL to store data for web sites. If an attacker can exploit a web sites SQL database, they will gain a plethora of information. This information can range from email addresses and phone numbers to passwords and social security numbers.
Now that we know what SQL is, what is SQL Injection? A SQL Injection (SQLI) is a vulnerability that gives an attacker the ability to view or alter data they couldn't typically interact with. Additionally, SQLI attacks can result in an attacker gaining shell access to a victim's machine. This vulnerability occurs when either a user's input is incorrectly filtered for string literal escape characters in SQL statements or the user's input is not strongly typed and unexpectedly executed. The vulnerability caused by incorrect filtering is so prevalent OWASP has made it one of the top 10 web vulnerabilities.
SQLI can primarily be broken into two types of attacks: classic injection and blind injection. A classic SQLI utilizes error-based and UNION based injections to gather information. An error based injection returns results to an attacker, which they can use to determine the database structure. A union based injection utilizes multiple select statements from the database to get an HTTP response.
A blind SQLI utilizes boolean and time-based injections to gather information. A boolean based injection relies on sending a SQL query to a database, which will result in the database returning a TRUE or FALSE result. A time-based injection relies on sending a SQL query, which forces the database to wait before responding.
How would you identify if an SQLI vulnerability exists? There are a few tools and a few manual methods for accomplishing this task. In this post, we discuss how to utilize sqlmap, an open-source tool that automates exploiting and detecting SQL injection flaws. The sqlmap tool is available by default on Kali and is also available on the sqlmap website http://sqlmap.org/.
The syntax for using sqlmap is "sqlmap -u $url options." For example, if you have found the URL "example.com/page.php?id=3" and wanted to perform a basic scan, the syntax "sqlmap –u 'example.com/page.php?id=3'" can be utilized. sqlmap will attempt to perform injections against the id field, and if successful, you will receive the message "heuristic (basic) test shows the GET parameter 'id' might be injectable."
If you have identified an injectible parameter, the next step is identifying available databases. The syntax "sqlmap –u 'example.com/page.php?id=number' –-dbs" will provide an attacker will a list of databases available on the target machine.
If you want to view what tables are in a database, you will need to use the options -D with the database name and --tables. For example, "sqlmap –u 'example.com/page.php?id=number' –D superblog –-tables" would be the proper syntax for viewing the tables.
Finally, to view a table's contents, you would need to use the options -D combined with the database name, -T combined with the table name, and --columns. For example, "sqlmap –u 'example.com/page.php?id=number' –D databasename –T tablename –-columns" would be the proper syntax for viewing the table's contents. Now that you have the contents of the table, you can do with them as you wish. If you came across a table with passwords that need a crack, sqlmap could help you with this. Using the options –-dump, and –-batch sql map will crack hashes for you. An example of this syntax would be "sqlmap –u 'example.com/page.php?id=number' –D superblog –T users –-dump –-batch."
This post was just a basic introduction to SQLI and how to exploit it with an automated tool. In the future, I will write a post about more advanced features of sqlmap and how to exploit SQLI manually. Get out there and HACK THE PLANET!!!!!