SQLi Basic only for newbs

5 replies
Joined: 2018/05/30

Hello fellas,

According to Wikipedia:
SQL injection is a code injection technique, used to attack data-driven applications,
in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application's software.
SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

There are three parts to working with a database management system like SQL:

1 Creating structure of table
2 Entering data
3 Making queries

When SQL is used to display data on a web page, it is common to allow web users to input their own queries.
Basically, the users can create queries and request data from their SQL servers without typing any code.
There is a method of creating queries which can be exploited by an attacker.
A URL ending in .php is a direct indication that the website uses SQL to deliver a lot of its data and that you can execute queries directly by changing the URL.
Usually the data in the SQL tables is protected and can be viewed directly only by an admin.
However, if we send the SQL server some commands it doesn't understand, it returns an error.
Sometimes this error means something like "I'll give you private data, babe".
This attack can be used to obtain confidential data like a list of username and passwords of all users on a website.

We have to find a website which is vulnerable to SQL injection (SQLi) attacks.
A vulnerability has two criteria. Firstly, it has to allow execution of queries from the URL, and secondly,
it should show an error for some kind of query. An error is an indication of a SQL vulnerability.
Then we should obtain information about SQL version and the number of tables in database and columns in the tables.
Finally we have to extract the information from the tables.

You can find vulnerabilities using Google dorks.

Manually, using some standard code available online.
For example, you can instruct the database to give you all the data from a table by executing the command:

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query "UserId = 105" may not be true for all users, the condition 1=1 will always be true.
Basically the query asks the table to return all details of users for whom either user id = 105 or 1=1 (1 is always equal to 1,
irrespective of the userId and all other factors).
Effectively, you have the username and passwords and all other information about all the users of the website.

Using some tools - Some tools will make it easier.
You still have to use commands but using tools is much more practical after you have an idea what is actually happening.
In Kali Linux, there is a great tool called SQLMap.

Suppose you're developing a web app...
Here are the credentials for login:
Username : abcd
Password : xyz

Now, for login, you have the following condition:

if ("abcd" == Username and "xyz" == Password)

Now if someone else uses a different username... he/she won't be able to log in.

Hold on: if a person enters the username as "pqr" or 1==1 and the password as "wxy" or 1==1, your code would check the credentials in the following way:
("abcd"=="pqr" or 1==1) and ("xyz" == "wxy" or 1==1)
Let's translate that into boolean. 1==1 is true obviously, abcd==pqr is not true, nor is xyz==wxy.
So, we get, (false or true) and (false or true)
which becomes
true and true
which becomes
true
Then, the person will log in to your web app without knowing the username or password.
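Added example, not part of the original post: the two queries discussed above (the "UserId = 105 or 1=1" dump and the login bypass) run against a throwaway SQLite database in Python, next to the parameterised versions that stop them, plus the error probe the post describes as its second criterion. The Users table, its three rows and the payloads are constructed for this example. The login payload closes the string literal with a quote (' OR '1'='1 in both fields) because that is what makes the injected OR part of the SQL rather than part of the value; the post's "pqr" or 1==1 is shorthand for the same idea.

```python
import sqlite3

# Constructed sample data (not from the original post): a toy Users table.
# Passwords are stored in plaintext on purpose, because the point here is the
# query, not password storage.
SAMPLE_USERS = [
    (105, "abcd", "xyz"),
    (106, "admin", "s3cret"),
    (107, "bob", "hunter2"),
]


def make_db():
    """Fresh in-memory SQLite database with the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, user_id):
    """The post's first example: the id from the URL is pasted straight into the
    query text, so "105 or 1=1" turns a one-row lookup into a full table dump."""
    sql = "SELECT UserId, Username, Password FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Same lookup with a bound parameter: the whole string is compared as a
    value and never parsed as SQL, so "105 or 1=1" simply matches nothing."""
    sql = "SELECT UserId, Username, Password FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def login_vulnerable(conn, username, password):
    """The post's login example as the SQL a naive app actually executes.
    Returns the username of the first matching row, or None."""
    sql = (
        "SELECT Username FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def login_safe(conn, username, password):
    """Same check with bound parameters; quotes in the input stay inside the value."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return rows[0][0] if rows else None


def probe_for_sql_error(conn, user_id):
    """The post's second criterion: send input that breaks the query syntax
    (a stray quote) and see whether a database error comes back.
    Returns the error text, or None if the query ran cleanly."""
    try:
        lookup_user_vulnerable(conn, user_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:   ", lookup_user_vulnerable(db, "105"))
    print("dump via 1=1:    ", lookup_user_vulnerable(db, "105 or 1=1"))
    print("safe, same input:", lookup_user_safe(db, "105 or 1=1"))
    payload = "' OR '1'='1"
    print("bypass login as: ", login_vulnerable(db, "pqr" + payload, "wxy" + payload))
    print("safe login:      ", login_safe(db, "pqr" + payload, "wxy" + payload))
    print("error probe:     ", probe_for_sql_error(db, "105'"))
```

The vulnerable login returns the first row of the table rather than a specific account, which is why the bypass usually lands on whichever user was created first; the parameterised version rejects both payloads because the OR never reaches the SQL parser.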