Menu
Home Penetration_Testing SQL injection

HOW TO PERFORM SQL Injection

TSA
Facebook Twitter Whatsapp





introduction

                                SQL injection, it is one of the most popular web attacks and it is considered to be one one of the most severe web attack because with SQL injection one can see the whole database of the website. In this blog, we will have a brief look at how you can exploit SQL injection most simply.


 I am assuming that you are a beginner to SQL injection so we will assume that the website is not using any kind of firewall and is not blocking any kind of characters for the sake of simplicity.


But, in real life, you will encounter such website where filtering would be made and they would be blocking all of the bad characters you are entering.

How It Works?


Suppose there is a login portal that asks for your username and password and if you entered correctly your information is shown. Likewise, there would be informed of many people stored in the database.

Suppose, you entered


Username = admin

Password = 1234


after clicking on sent above request would be sent to a database server like


select * from <table> where user='admin' and pass='1234';


And if the above query would be correct then the data requested by the user would be shown.

We Will Simply Abuse This To Take data from the database.


Steps:
1. Generate Error
2. Fix Error
3. Find the number of columns
4. Find database name
5. Find Table Name
6. Find Column Name
7. Extract data 


@@I am Assuming That My Target Database is PostgreSQL


1. Now let's suppose that instead of entering username you entered a quotation mark(').

Now query would be select * from <table> where user=''' and pass='1234';

Now you would see there are 3 quotation mark and this would violate the syntax of the query and if no WAF is used an error message would be generated and seen on the web application.


2. Now we have to fix the query so that we can enter the query to view inside the database.

Now suppose on the username field you entered admin' %23 this would comment the whole query after the %23 sign as it is the sign for comment and after executing it you will see nothing on webpage nor the error.

The sign for comment varies from database to database. Some of them are #,%23,-- -, --.


3. Now our username field is like

admin' <space> %23 

In the space, we have to enter our query. To see the number of columns we use order by command.


#Now all the commands I will type is to be placed in the blank space.

order by 10 = if the websites will have 10 columns or more than that then no error would be shown and if less than that then error would be shown. So we have to change the number till we find the correct number of the column.

Suppose I see an error on an order by 5 and the error is not shown in order by 4 then there are 4 columns in the database.

Final Query: admin' order by 4 %23


4. Now we will use union select to see which number reflect and then we will enter our query there.

 union select 1,2,3,4 = I have discovered 4 columns in my database so I have placed counting till 4 in union select.

 Now we would observe which number reflect on the web page.

 Suppose 2 reflected so we can enter the query to see the database name, version.

union select 1,database(),3,4 = show database name

union select 1,version(),3,4 = show database version


5. Now it is time to find the table name in the database. The query is table_name.

The default database is information_schema so we will query the table name from the database.


admin' union select 1,table_name ,3,4 from information_schema.tables %23


#Suppose I find tables user_data, info, other_info

This will show us all the table name in the database.


6. Now we will find the column in the table of our choice.


admin' union select 1,column_name ,3,4 from information_schema.columns where table_name = "user_data" %23


This will give us all the column in the table user_data . Now suppose I got the column username and password


7. Now this is the final step of the SQL injection and now we will extract the data.


admin' union select 1,username,3,4 from user_data %23


Now this will dump the username of all the registered users on the website


Congratulations !! We have successfully attacked the web application and forced it to dump its database.


conclusion


The different web application is coded differently so the way of exploiting them will be different.

 Also, SQL injection is a very vast topic and it is impossible to cover all its detail in one article. This article just gives you an overview of how you can exploit SQL Injection.


                                                                                                                                - Dipanshu Pandey
Tags
Facebook Twitter Whatsapp

You may also like

Comments

Subscribe for our Newsletter

RE-IMAGINING THE WAY
© Copyright 2020 Talent Skill Academy. Designed by Bloggertheme9 | ThemeWide.
Back to top