Press "Enter" to skip to content

Making a SQL injection attack

In this post we will explain the basics of an SQL injection attack.

To do this, instead of using a pentesting tool such as “sqlmap”, we will explain a step by step SQL attack by doing it manually.

SQL injection attacks can use different methods. In our case we will use the “UNION SELECT” method since it is the most basic, effective and the only one that can be done manually through the browser.

The first step will be to find a page vulnerable to an SQL injection attack. For this we can use search engines like Google, DuckDuck Go, etc and use any of the following dorks:

  • inurl:”?id=”
  • inurl:”?item=”
  • inurl:”?product=”
  • inurl:”?article=”
  • inurl:”?id=” intext:”add to cart”
  • inurl:”?id=” intext:”buy now”

With these dorks we will find lot of websites running PHP and MySQL/MariaDB.

The next step is to go to the different websites and try to modify the PHP parameter to provoke an SQL exception. Normally, putting the character (‘) is enough to provoke an SQL exception.

If the website shows an exception similar to the one in the image, it is likely to be vulnerable to some of the SQL injection techniques.

If in addition, the error is showed in the content of the website like this image, the website is a good candidate to be vulnerable to an attack of the UNION SELECT type.

The MySQL exception itself gives us information about the SQL statement. We know that the sentence is:

The next step is to check if the parameter is really injectable. For this we can try various tricks.

  • article=25-1

If the website shows the content of article=24 means that the SQL statement is doing the subtraction that we have put in the parameter.

  • article=24 AND 1=1

If the website shows the content of article=24 means that the SQL statement is executing the AND operator. So the parameter is clearly injectable 🙂

Our target is get this sentence executed on the server:

 

1 Extract the number of columns in the current SQL query

We must find out the number of columns in order to use the UNION statement that will allow us to execute another additional SELECT statement that we want.

NOTE: Remember that UNION statement in SQL, both SELECT statements must select the same number of columns.

To do this we are going to make a try and error mechanism with the ORDER BY statement:

We will increase the number until we get an error that the column we want to order does not exist. The parameter in the URL should look like this until we got the error:

NOTE: Comments in MySQL are preceded by  “–” so we put them at the end of the parameter to prevent the rest of the sentence from being executed:

2 See which columns are injectable

We got that the SQL query is retrieving 27 columns. Now we can perform the following UNION SELECT sentence where the second SELECT put a hardcoded number in each of the 27 columns.

With this sentence, we are requesting one more row to the query where returned values are: 1,2,3,4,5,6,etc.

After load this query on the URL, we must search visual elements of the website where we can identify the hardcoded numbers. In this case, we can appreciate the columns 15, 16 and 17 are being displayed:

Just to make sure, we can replace 15 with 555, 16 with 666 and 17 with 777 on the query and see if they change:

 

We got it! 🙂 Now we can execute SQL queries on those columns  and the website will display the result of that queries.

3 Inject the SQL code on vulnerable columns

Now, we can try to execute a simple SQL command like “database()” which returns the name of the current database. We can use for example column 15 that was vulnerable in order to inject there the code:

Now, we can replace “database()” with the following query in order to get the name of all tables of the database:

NOTE: We must use “group_concat” function in order to get all the results on the same line

We can see that table “user” is very likely to contain sensitive information. We can replace the last query with the following in order to get the name of all columns of table “user”:

Finally, we can extract information of table “user” since we got the name of the columns. Specifically we are interested in the columns “username” and “password”. We execute the following query:

NOTE: We must use the “concat_ws” function to use a separator to help us distinguish the different fields. We must use “limit” function to retrieve only one record of the table in each query.

 

We got it!! 🙂

User: leena  / Password (MD5) = 61cf252373c5acfa

Now we have the usernames and their passwords (in MD5 hash format). To crack password hashes, we can use online rainbow tables tools like:

Hashkiller

Crack Station

 

One Comment

  1. Nik
    Nik 6 March, 2018

    Good post

Leave a Reply to Nik Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.