SQL Injection


By   •  14 December 2014  •  5,355 words (22 pages)  •  664 views


MX ULTIMATE SQL INJECTION TUTORIAL

Finding out if your target is vulnerable.

The first thing we have to figure out is: ‘when is a site vulnerable to SQL injection and when is it not?’ We can do this in a few ways, depending on which types of SQL injection we know.

Some examples of how to figure out whether a site is vulnerable to basic SQLi:

- Place a single quote (') after the last part of the URL.

If you get something similar to the following errors:

- You have an error in your SQL syntax

- Warning: mysql_fetch_array():

- Warning: mysql_fetch_assoc():

- Warning: mysql_numrows():

- Warning: mysql_num_rows():

- Warning: mysql_result():

- Warning: mysql_preg_match():

If you see any of these, or anything similar, the site IS vulnerable to SQL injection about 95% of the time; you will often see other common errors as well.

There are more ways to tell if a site is vulnerable when it doesn’t throw an error on a simple SQL injection attempt: check whether images or other elements are missing from the page. Sometimes, when the SQL query errors out, the page is unable to load certain images and they won’t show. Missing text, or a page that displays less than it did before, is another good sign that it is vulnerable.

So keep your eyes open to see if your target is SQL injectable.
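From the defender’s side, the same signals this chapter lists (a stray single quote, an `order by N` probe, a `union ... select`, a reference to `information_schema`) are exactly what shows up in the web server’s access log before the error pages do. The script below is an added example and is not part of the original tutorial: it scans Combined Log Format lines for that probing sequence, URL-decodes the query string first (the probes arrive as `%27`, `+` and `%20`), and aggregates hits per client so a single typed quote is not treated like a full enumeration run. All log lines, IP addresses, paths and rule names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format) written for this
# example; they are not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2014:10:01:02 +0000] "GET /view.php?id=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Dec/2014:10:01:07 +0000] "GET /view.php?id=25%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Dec/2014:10:01:13 +0000] "GET /view.php?id=25+order+by+21-- HTTP/1.1" 200 790 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Dec/2014:10:01:20 +0000] "GET /view.php?id=25+and+1=0+union+all+select+1,2,3,4,version(),6+from+information_schema.tables-- HTTP/1.1" 200 901 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2014:10:02:00 +0000] "GET /search.php?q=rock+%26+roll HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identd, user, [timestamp], "METHOD target HTTP/x", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Detection rules (names are my own), each applied to the decoded query string.
RULES = [
    ("quote-probe", re.compile(r"'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("sql-comment", re.compile(r"(--|/\*)")),
]


def decode(s, rounds=2):
    # Undo percent- and plus-encoding; a second pass catches double-encoded input.
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def scan_line(line):
    # Returns None for unparseable or clean lines, otherwise a dict of findings.
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = decode(query)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": path,
            "status": int(m.group("status")), "hits": hits}


def scan_log(text):
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


def suspicious_ips(text, min_hits=2):
    # Aggregate per client: one quote may be a typo, but quote -> order by ->
    # union from the same address is the enumeration sequence described above.
    counts = {}
    for r in scan_log(text):
        counts[r["ip"]] = counts.get(r["ip"], 0) + len(r["hits"])
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ip"], r["path"], r["status"], ",".join(r["hits"]))
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

The `quote-probe` rule on its own is noisy on sites whose parameters legitimately carry apostrophes; the per-client aggregation is what makes it useful, and a response-size drop on the same path (the "page shows less than before" symptom mentioned above) is a good second signal to join against if your log format records it.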

Exploiting a simple SQL vulnerability.

Having covered the first part, you will always want to start with the most absolutely BASIC form of SQLi.

Ways of exploiting common SQL injection points:

- Find out if it’s vulnerable (see Chapter 1)

Next, we want to find out how many columns the vulnerable query selects from their database, so that we can extract the information we want.

There are multiple ways to check how many columns there are for SIMPLE SQL injection.

1. Order by

2. Procedure analyze

3. Group by

Example: if we use group by with a certain number and it’s wrong, the server will state: Unknown column “21” in group count. However, if it’s the right number of columns it will spit out: Can’t group on “count”

Order by will work as follows, let’s say we have a vulnerable site that has 20 columns.

www.site.com/view.php?id=25 order by 19-- will show the page, still no errors.

www.site.com/view.php?id=25 order by 20-- will still show the page…

www.site.com/view.php?id=25 order by 21-- can give multiple errors, such as:

 Unknown column “21” in ‘order’ clause

Now that we have figured out how many columns our target has, we can start exploiting it. We want to find out which number(s) show up on the page. We do that with the following query:

www.site.com/view.php?id=25 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

With the query we just entered, numbers may or may not appear on the page. If none appear, the first thing to do is check the page source and search for the numbers. If you’re not certain whether a number comes from the website itself or from our query, do the following:

www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

We are telling the server that 1 equals 0, which in mathematical terms is not true, so the original query returns false (no matching row) and the request falls through to our UNION; in 90% of cases the page will now show your column numbers.
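The reason `order by 21` errors out and `and 1=0 union all select ...` puts our own rows on the page is that the application splices the raw `id` parameter into the SQL text. The following is an added example, not code from the tutorial or from any real site: a constructed in-memory SQLite database stands in for the MySQL backend behind `view.php?id=25`, and the same three inputs are sent through the string-concatenating handler and through a hardened handler that validates the parameter as an integer and binds it with a placeholder. Table names, rows and the handler names are all made up for the example.

```python
import sqlite3

# Constructed demo database (in-memory SQLite standing in for MySQL); the
# tables and their contents are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles VALUES (25, 'Hello world', 'First post')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def view_vulnerable(conn, id_param):
    # The pattern behind every query in the tutorial: the request parameter is
    # glued into the SQL text, so "order by ..." and "and 1=0 union all select ..."
    # are parsed as SQL instead of being treated as a value.
    sql = "SELECT id, title, body FROM articles WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def view_parameterized(conn, id_param):
    # Hardened form: validate the type first, then bind with a placeholder so
    # the database engine never interprets the value as SQL.
    article_id = int(id_param)  # raises ValueError for anything but an integer
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def run(handler, id_param):
    # Send one request through a handler and report the outcome the way the
    # page would reveal it: rows shown, a database error, or input rejected.
    conn = make_db()
    try:
        return ("rows", handler(conn, id_param))
    except sqlite3.Error as e:
        return ("db-error", str(e))
    except ValueError:
        return ("rejected", None)
    finally:
        conn.close()


# The tutorial's probing sequence as constructed parameter values.
PROBES = {
    "normal": "25",
    "order-by-too-high": "25 order by 21",
    "union": "25 and 1=0 union all select 1, username, password from users",
}


def compare():
    # For each probe: (vulnerable outcome, parameterized outcome).
    return {name: (run(view_vulnerable, p), run(view_parameterized, p))
            for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in compare().items():
        print(f"{name:18} vulnerable={vuln}")
        print(f"{'':18} parameterized={safe}")
```

Run as a script, the vulnerable handler shows the three behaviours the text relies on (a normal row, an ORDER BY out-of-range error for the column-count probe, and the UNION’s row in place of the article), while the parameterized handler returns the normal row and rejects both probes before any SQL is sent. Binding alone (without the `int()` check) would also stop the injection, since the bound text would simply not equal any integer id; the explicit check additionally gives the application a clean place to log the rejected request.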

Now that you have found the column numbers on the page itself, pick the number which is easiest to see or find on the website (the one that jumps out of the page at you).

Let’s say that in this example I have chosen column 5 to display the version of MySQL they are running:

www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

This query will show us the exact version of MySQL they are running, which is fairly important, since MySQL mostly comes in 2 flavours, version 4 or 5 (yes, there are lower versions, but finding those is like finding a needle in a haystack). A quick explanation: version 4 has no information_schema table. Therefore you either have to guess table / column names, or brute force them with a wordlist or something similar.

Now to exploit our site:

We need to know which tables the target database has. For that, we can use information_schema 90% of the time (unless you’re on MySQL 4), with the following query:

www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables--

In this query we used concat, a SQL function that “concatenates” (joins together) the values in the columns we select.

We have the following functions to grab all the data from either a table or column:

1. Concat

2. Concat_ws

Concat_ws stands for concat with separator, and is used as follows:

Concat_ws(':',username,password) This function puts our separator, the : sign, between every column / table value we select.

3. Group_concat

 Group_concat will return all strings within a certain group.

When we run this query it may show all of the table names from a certain database, or it might show just 1 of them, or it might show a really big mess.

Therefore we change the query to make sure we can view the result as clearly as possible:

www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables--

Which results in showing the table names with a little separator sign, therefore

...
