
SQL Injection | SQLI

INTRO TO SQLI

Content
📚 What is SQLI ?
🤔 Why SQLI happen ?
🔎 Finding SQL Injection
🌀 What are types of SQLI ?
🌀 What is the impact of a successful SQL injection attack?
🐍 SQLMAP
🔬 Labs
 
📕 Reference

📚 What is SQLI ?

A SQL injection (SQLi) attack exploits the injection of SQL commands into the SQL queries of a web application.

A successful SQLi attack lets malicious hackers access and manipulate a web application’s backend database.

To interact with databases, entities such as systems operators, programmers, applications, and web applications use the Structured Query Language (SQL).

You can learn more about SQL from HERE


SQL in short:

SQL is a powerful interpreted language used to extract and manipulate data from a database.


🤔 Why SQLI happen ?

The web developer trusts users and does not add any input validation or output encoding, so users are able to interfere with the application's database queries.

Modern web frameworks have largely solved this problem with predefined functions that defend against SQLi, for example the PHP-based Laravel framework.

Example:

The $id parameter is vulnerable to SQLi:

```sql
' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a
```

Supplying the id parameter with the payload above carries out the SQLi attack.
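The $id example above, worked through as an added example that is not part of the original post: the same lookup built by string concatenation (the pattern the post warns about) and with a parameterised query (what framework query builders and prepared statements do for you), run against an in-memory SQLite database. The Products and Accounts tables and their rows are constructed for this demo; the payload is the one quoted above.

```python
import sqlite3

# Payload quoted in the post for a string-typed id parameter.
UNION_PAYLOAD = "' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a"


def build_db():
    """Constructed sample schema: a public Products table the page is meant to
    query, and a private Accounts table the payload reaches for."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (id TEXT, name TEXT);
        INSERT INTO Products VALUES ('1', 'widget'), ('2', 'gadget');
        CREATE TABLE Accounts (Username TEXT, Password TEXT);
        INSERT INTO Accounts VALUES ('admin', 'hunter2'), ('bob', 's3cret');
        """
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """The raw $id value is concatenated into the SQL text, so a quote in the
    input closes the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT id, name FROM Products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """Parameterised query: the value travels separately from the SQL text and
    is only ever compared as a string, never parsed as SQL."""
    sql = "SELECT id, name FROM Products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def compare(product_id):
    """Run one input through both versions and return the rows each hands
    back to the page, sorted so the result does not depend on row order."""
    conn = build_db()
    try:
        return {
            "vulnerable": sorted(lookup_vulnerable(conn, product_id)),
            "safe": sorted(lookup_safe(conn, product_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("1", UNION_PAYLOAD):
        print(repr(value), "->", compare(value))
```

With the honest id "1" both versions return the widget row. With the payload, the concatenated version returns every Username/Password pair from Accounts, while the parameterised version returns nothing, because no product has that whole string as its id.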


🔎 Finding SQL Injection

The most straightforward way to find SQL injections within a web application is to probe its inputs with characters that are known to make the SQL query syntactically invalid and thus force the web application to return an error.

Input parameters are carried through GET and POST requests, headers and cookies, so we have to check all the channels through which data is received from the client.
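The "check every channel" point above, as an added example (not code from the original post): a small checker that walks the query string, form body, headers and each cookie of a request, URL-decodes the values and flags any value carrying the characters and keywords that typically break a query. It is triage logic for your own logs or a test harness, sized for teaching rather than a production WAF rule. The request records are constructed sample data; the payload strings in them are the ones quoted on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Tokens that commonly break a query's syntax or splice in a new clause.
# A teaching-sized pattern for triage, not a production WAF rule.
PROBE_PATTERN = re.compile(
    r"'|--|/\*|\bunion\s+(all\s+)?select\b|\bwaitfor\s+delay\b|\bsleep\s*\(",
    re.IGNORECASE,
)


def extract_inputs(request):
    """Return (channel, name, decoded value) for every field the client
    controls: query string, form body, headers and each individual cookie."""
    found = []
    query = urlsplit(request["url"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        found.append(("query", name, value))
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        found.append(("body", name, value))
    for name, value in request.get("headers", {}).items():
        if name.lower() == "cookie":
            # Cookies are one header but many client-controlled values.
            for part in value.split(";"):
                if "=" in part:
                    cname, cvalue = part.strip().split("=", 1)
                    found.append(("cookie", cname, unquote_plus(cvalue)))
        else:
            found.append(("header", name, unquote_plus(value)))
    return found


def find_probes(request):
    """Return (channel, name) for each input value that matches PROBE_PATTERN."""
    return [(channel, name)
            for channel, name, value in extract_inputs(request)
            if PROBE_PATTERN.search(value)]


# Constructed sample requests (not real traffic); the hostname is made up.
SAMPLE_REQUESTS = [
    {"url": "http://shop.example/product.php?id=1",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"url": "http://shop.example/product.php?id=1%27",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"url": "http://shop.example/login.php",
     "body": "user=admin%27--&pass=x",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"url": "http://shop.example/product.php?id=2",
     "headers": {"X-Forwarded-For": "203.0.113.9'"}},
    {"url": "http://shop.example/product.php?id=2",
     "headers": {"Cookie": "PHPSESSID=a8d127e; last=9999 UNION ALL SELECT "
                           "cc_num FROM CreditCards WHERE user_id=1"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], "->", find_probes(req) or "clean")
```

Only the first request comes back clean; the other four are each flagged on a different channel (query string, POST body, a header, a cookie), which is the reason the post tells you to inspect all of them rather than just the URL.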


🌀 What are types of SQLI ?

- In-band SQL injection:

Leverages the same channel used to inject the SQL code (i.e., the pages generated by the web application).

- Error-based SQL injection attack:

The penetration tester tries to force the DBMS to output an error message and then uses that information to perform data exfiltration.

- Union-based SQL injection attack:

The user is able to append another SQL query to the original query in order to retrieve data, like this:

```sql
9999 UNION ALL SELECT cc_num FROM CreditCards WHERE user_id=1
```

- Blind SQL injection: Does not reflect the results of the injection in the output. In this case, the penetration tester must find an inference method to exploit the vulnerability.

- Blind Boolean-based SQLi: Currently, most production websites do not display such errors. This happens both because of the usability of the application (it is useless to display errors to end users who cannot understand or fix them) and to achieve security through obscurity. The inference then comes from how the page renders:

IF the SQL statement is TRUE, the page renders well.
IF the SQL statement is FALSE, the page renders badly.

- Blind Time-based SQLi: Time is used to infer a TRUE condition from a FALSE condition.

This SQL syntax is used:

```sql
%SQL condition% waitfor delay '0:0:5
```

If the condition is true, the response will wait 5 seconds.
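The error-based and Boolean-based behaviours described above, shown side by side in an added example that is not part of the original post: a tiny product page whose numeric id is pasted into the query, next to the same page with type validation plus a bound parameter. Against the concatenated version a lone quote echoes the DBMS error into the page and a TRUE/FALSE condition changes which branch renders; the validated version renders the same "No such product" for every input that is not a real id, so there is nothing left to infer from. The schema and rows are constructed; the conditions 1=1 and 1=2 are the generic illustration of the TRUE/FALSE statement the text describes. The time-based variant is the same oracle read through latency, and is removed by the same fix.

```python
import sqlite3


def build_db():
    """Constructed sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (id INTEGER, name TEXT);
        INSERT INTO Products VALUES (1, 'widget'), (2, 'gadget');
        """
    )
    return conn


def render_vulnerable(conn, product_id):
    """Numeric id pasted into the query text, as in ?id=1 with no quoting."""
    try:
        row = conn.execute(
            "SELECT name FROM Products WHERE id = " + product_id
        ).fetchone()
    except sqlite3.Error as exc:
        # Error-based: the DBMS message is echoed straight into the page.
        return "Database error: " + str(exc)
    # Boolean-based blind: which branch renders depends on whether the WHERE
    # clause, including anything appended to it, evaluated true.
    return "Product: " + row[0] if row else "No such product"


def render_safe(conn, product_id):
    """Validate the type first, then bind the value. Anything that is not an
    integer gets the same page as an unknown id, so no error text leaks and
    no appended condition can change the outcome."""
    try:
        pid = int(product_id)
    except ValueError:
        return "No such product"
    row = conn.execute(
        "SELECT name FROM Products WHERE id = ?", (pid,)
    ).fetchone()
    return "Product: " + row[0] if row else "No such product"


def compare(product_id):
    """Return (vulnerable page, safe page) for one input."""
    conn = build_db()
    try:
        return (render_vulnerable(conn, product_id),
                render_safe(conn, product_id))
    finally:
        conn.close()


# A normal id, the single-quote probe from the "Finding" section, and a TRUE
# and a FALSE condition as described for Boolean-based blind SQLi.
PROBES = ["1", "1'", "1 AND 1=1", "1 AND 1=2"]

if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe), "->", compare(probe))
```

Read the output as the tester would: on the concatenated page, "1 AND 1=1" and "1 AND 1=2" render differently, which is exactly the TRUE/FALSE oracle, and "1'" prints the engine's syntax error. On the validated page all three collapse into "No such product".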

🌀 What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in:

Unauthorized access to sensitive data such as:

  1. passwords
  2. credit card details
  3. personal user information.

Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period.


SQL injection examples


🐍 SQLMAP

sqlmap is an open source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

You can automate finding many SQLi flaws with sqlmap.

sqlmap commands:

```
root@kali$ sqlmap -h
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6#stable}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'
```

Automate using sqlmap

⭕️ Use Command Line Tools Like a Pro

```
1. sublist3r -d target | tee -a domains 
2. cat domains | httpx | tee -a alive
3. cat alive | waybackurls | tee -a urls
4. gf sqli urls >> sqli
5. sqlmap -m sqli.txt --dbs --batch
```

🔬 Labs

Portswigger

OWASP Broken Web Applications Project: install this machine and you will have a lot of labs such as DVWA, bWAPP, WebGoat, etc.

You can find my solution for portswigger HERE


📕 Reference

Portswigger

OWASP

PayloadsAllTheThings

hacktricks

hackingarticles

This post is licensed under CC BY 4.0 by the author.