Introduction
Let's start at an apparently unrelated point. Assume we create a table in a SQL database. A database management system has three main parts:
- Creating the structure of a table
- Entering data
- Making queries (and getting meaningful results from the data)
Now, when SQL is used to display data on a web page, it is common to let web users build their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in a table with columns like Name, Price, Company, Screen Size, OS, etc.
The site then lets you create a query through some sort of user-friendly drop-down form that lets you select your budget, preferred company, etc. So basically you, the user, can create queries and request data from their SQL servers.
While this automated method of building queries for you is relatively safe, there is another method of creating queries which can be exploited by us. A URL ending in .php is a direct indication that the website/blog uses SQL to deliver a lot of its data, and that you can execute queries directly by changing the URL. Normally the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn't understand what to do and returns an error. This is a clear indication that, with proper coding, we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data in its tables. This attack can be used to obtain confidential data like the list of usernames and passwords of all users on a website.
Steps
- We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has two criteria. Firstly, it has to allow execution of queries from the URL, and secondly, it should show an error for some kind of query or other. An error is an indication of a SQL vulnerability.
- After we know that a site is vulnerable, we need to execute a few queries to learn what makes it act in an unexpected manner. Then we should obtain information about the SQL version, the number of tables in the database, and the columns in the tables.
- Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial)
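From the defender's side, the two criteria above (query parameters that reach the database and a server error on a malformed value) leave a recognisable trace in the web server's access log: a client that sends quote characters or a tautology such as or 1=1 in a parameter and receives 5xx responses. The following added example, which is not part of the original post, runs that check over a few constructed Common Log Format lines; the log lines, IP addresses and the product.php path are invented for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /product.php?id=105 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?id=105' HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2023:13:55:47 +0000] "GET /product.php?id=105%20or%201%3D1 HTTP/1.1" 200 48210
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /product.php?id=106 HTTP/1.1" 200 5098
"""

# One CLF line: client ip, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Always-true comparison glued onto a value, e.g. "or 1=1".
TAUTOLOGY_RE = re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+\b", re.IGNORECASE)


def classify_request(target):
    """Return a list of (finding, parameter_name) pairs for one request target.

    parse_qsl percent-decodes the values, so '105%20or%201%3D1' is inspected
    as '105 or 1=1'.
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "'" in value:
            findings.append(("quote", name))
        if TAUTOLOGY_RE.search(value):
            findings.append(("tautology", name))
    return findings


def find_probing_clients(log_text, min_score=2):
    """Aggregate suspicious parameter values and 5xx responses per client IP.

    A client is reported when findings + server errors reach min_score, so a
    single stray quote from a legitimate user does not trigger on its own.
    """
    per_ip = defaultdict(lambda: {"findings": [], "errors": 0})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        stats = per_ip[match.group("ip")]
        stats["findings"].extend(classify_request(match.group("target")))
        if match.group("status").startswith("5"):
            stats["errors"] += 1
    return {
        ip: stats
        for ip, stats in per_ip.items()
        if len(stats["findings"]) + stats["errors"] >= min_score
    }


if __name__ == "__main__":
    for ip, stats in find_probing_clients(SAMPLE_LOG).items():
        print(ip, stats)
```

The score threshold is deliberately simple; in practice you would also key on the parameter names that actually reach the database and alert on the 5xx responses themselves, since a database error shown to the client is exactly what the second criterion above looks for.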
For the 2nd and 3rd steps, there are two ways to do them:
- Manually, using some standard queries available online (and if you know SQL you can figure most of it out yourself). For example, you can instruct the database to give you all the data from a table by executing the command:
  SELECT * FROM Users WHERE UserId = 105 or 1=1
  Now, while the first part of the query, UserId = 105, may not be true for all users, the condition 1=1 will always be true. So the query is effectively asked to return the data of every user for whom 1=1 holds, which is all of them. Effectively, you have the usernames, passwords and all other information about all the users of the website.
  The first command is legit and gives you access to the data of srinivas only, and only on the condition that the password is correct. The second statement gives you access to the data of all accounts.
- Using a tool: some tools make the process easier. You still have to use commands, but using tools is much more practical once you have an idea of what is actually happening. I don't recommend all the GUI Windows tools which are found on malware-filled websites, and never work. Throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali Linux installed. In Kali Linux there is a great tool called SQLMap that we'll be using.
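The reason the manual query above works is not the SQL itself but the way the application builds it: the URL parameter is pasted straight into the query text, so "105 or 1=1" becomes part of the WHERE clause, and a malformed value produces the database error that step 1 looks for. The following added example, which is not code from the original post, puts the vulnerable lookup beside a hardened one using Python's standard sqlite3 module; the Users table, its three rows and the function names are constructed for the example and stand in for whatever the real site runs.

```python
import sqlite3

# Constructed sample rows for a Users table (not from any real site).
SAMPLE_USERS = [
    (105, "alice", "pw-alice"),
    (106, "bob", "pw-bob"),
    (107, "carol", "pw-carol"),
]


def make_db():
    """Create an in-memory database with the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, user_id_from_url):
    """Deliberately vulnerable: the raw URL parameter is concatenated into the SQL text.

    '105 or 1=1' turns the WHERE clause into a tautology and returns every row;
    "105'" is a syntax error, and the engine's message is handed back to the client.
    """
    query = "SELECT * FROM Users WHERE UserId = " + user_id_from_url
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "DB error: " + str(exc)  # leaks engine details to the client


def lookup_user_safe(conn, user_id_from_url):
    """Hardened: validate the type, bind the value as a parameter, hide engine errors.

    The parameter never becomes part of the SQL text, so 'or 1=1' cannot change
    the query's meaning, and a malformed value yields a generic message rather
    than the database's own error text.
    """
    try:
        user_id = int(user_id_from_url)
    except ValueError:
        return "invalid request"
    try:
        return conn.execute(
            "SELECT * FROM Users WHERE UserId = ?", (user_id,)
        ).fetchall()
    except sqlite3.Error:
        return "internal error"  # log the real exception server-side instead


if __name__ == "__main__":
    db = make_db()
    for value in ("105", "105 or 1=1", "105'"):
        print(repr(value), "vulnerable ->", lookup_user_vulnerable(db, value))
        print(repr(value), "safe       ->", lookup_user_safe(db, value))
```

Both fixes matter: parameter binding stops the value from being parsed as SQL, and the generic error response removes the signal (a database error on a malformed value) that the first step of the procedure above relies on to identify a vulnerable page.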