What is sql?¶

SQL stands for Structured Query Language and refers to a domain-specific programming language used to manipulate data stored in a RDBMS.

What is rdms and how data is organized in the back-end?

A relational database management system (RDBMS) is a collection of programs and capabilities that enable IT teams and others to create, update, administer and otherwise interact with a relational database. Most commercial RDBMSs use Structured Query Language (SQL) to access the database, although SQL was invented after the initial development of the relational model and is not necessary for its use. Some top RDMS include Mysql, Microsoft sql server,Oracle database etc.These RDMS helps a lot in managing the data.

SQL vulnerability¶

SQL Injection vulnerability is one of the most basic, common and oldest vulnerabilities that enables us to get access to the website backend. The backend data may include credit card details, usernames, passwords and any such sensitive data.

SQL injection¶

SQL injection is a kind of web application attack where attacker can execute malicious scripts that run in the back-end and can steal the data from the back-end.

Types of SQL injection¶

SQL injection is broadly classified into two kinds.

• Error based injection
• Blind injection

Error based injections¶

Error based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.

Blind injections¶

Blind based SQL injection is a where no data is actually transfered via the web application and the attacked would not be able to see the result of an attack. The attacker is instead able to reconstruct the database structure by sending payloads, observing the web app’s response and the resulting behaviour of the database server.. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

Basic database query¶

The basic database query(SQL syntax) in the most cases be like:

Select attribute1,attribute2 from TABLE_NAME where attribute1 = ‘string1’ and attribute2 = ‘string2’

The above shown is the solid format for a basic database query. It could be

• Single quoted ''
• Double quoted ""
• Single quoted with brackets ('')
• Double quoted with brackets ("")

Injecting using error based¶

First step involves finding what kind or more precisely, we must be able to guess the syntax that is used in the backend. For this we must be able to produce errors in the website , so it shows out the whole syntax along with the error.

Breaking single quoted query¶

When the query is of single quoted type we shall break using the injection below.

 1  Select attribute1,attribute2 from TABLE_NAME where attribute1 = ‘string1’ and attribute2 = ‘string2’ 

Suppose we have two input slots whether it be in POST method or GET method we shall input the following to break the query.

String1 = ‘ OR 1 --

Here you are breaking the left quote using ‘ and making the statement true using OR 1 (Any statement with OR 1 becomes true)and commenting out the rest of the query using -- -

Similarly you can break the rest of the queries.

Breaking double quoted query¶

 1  String1 = “ OR 1-- - 

Breaking single quote with brackets¶

 1  String1 = ‘) OR 1 -- - 

Double quotes with brackets¶

 1  String1 = “) OR 1 -- - 

Dumping data using injections¶

In most of the cases backend uses mysql and let us see how to dump data if the backend uses mysql. Every server using mysql as RDBMS has a common database called information_schema.So one can use this database information_schema to dump the data required.You can see the information_schema database as shown below.

Now we need to use this information_schema database to dump the data.

Use of union select statement¶

The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements. It removes duplicate rows between the various SELECT statements.

 1 SELECT STATEMENT_1 UNION SELECT STATEMENT_2. 

NOTE: The select statements used before and after union must have the same number of columns!!!

Now let's start data dumping¶

 1  The below shown is an example of typical web application that triggers error! 

When we inject ?id = ‘ the query breaks and gives the following error.

Now let us see what conclusions we could draw from this.

Let’s manipulate the error notice.

'''' LIMIT 0,1'

The first most ‘ and the last most ‘ indicates the error statement so let us remove them.

“‘ LIMIT 0,1 Now the input we give i.e ‘ goes between the two quotations.

So we get “‘!!

By this we can conclude it is single quoted query!!;)

Now let’s dump the data!

We shall first make the statement false someway and add an union select statement that dumps data.

If we put id=-1 the statement turns false as id would never be negative(This is a mere guess and you need to try random guesses to break the query ) As we came to know that it is of single quoted type we shall break it as below.First let’s guess the statement1.!

First we need to find out the number of attributes in statement1.For this we shall use union select.Let’s see how it is done!! For suppose we give ?id=-1’ union select 1,2 -- (Commenting is to make the query meaningful)

We get an error as SELECT statements have a different number of queries.

So we shall guess another random number as the number of columns. Let’s give query as ?id = -1’ union select 1,2,3-- - and see what happens.

We did not get any error and 2,3 are shown.We could actually say the things we give at second and third position gets reflected in the page.And we also conclude that there exists three columns in the first query.

So statement1 could be something like SELECT id,Loginname,Password from SPECIFIC TABLE where id = ‘OUR input’ So we need to frame statement2 accordingly and dump the data using information_schema.

First we shall find what database has all the data of usernames and passwords.We shall give the query as ?id=-1’ union select 1,database(),version()-- -

Reminder:All these follows sql syntax which shows the database name and version when we input database() and version(). Let’s see what happens.

By this we can figure out that database name is “security”.Now sequentially we shall find out table names ,column names and dump the usernames and passwords.

Lets see the tables in information_schema database. We can see a table named TABLES which contains data of all the tables in the backend. TABLES table contains a attribute named TABLE_SCHEMA which contains the database names and other attribute TABLE_NAME that contains names of the entire TABLE_NAMES.

So the query goes as follows. ?id=-1’ union select 1,group_concat(TABLE_NAME) FROM information_schema.TABLES where TABLE_SCHEMA = database()-- - The above query will give the list of all tables in the database the web server is using in the web application.

How about finding attributes in a specific table?? The query goes as follows:

?id=-1 union select 1,group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME = “Your required table name”!

Using these two we can dump the data. Tables in the above example are shown below:

Columns in the users table can be extracted as shown below.

And the final query that dumps the data:

Blind injections¶

Blind injections are similar to that of error based injections but the website does not respond with errors instead it shows a special kind of response for a legal query.

It is of two kinds

• Boolean based
• Time based

Boolean based¶

You shall do the all above said information_schema, union select thing using boolean “AND” and “OR”

Time based¶

You shall try dumping using sleep() function in mysql.

Filters

Not all sites shall allow everything that is given as a input.There will be sites that shall filter white-spaces ,commenting,Union,select ,quotations etc .Try exploiting out them!!;)