SQL Injection



Description

A SQL injection attack inserts malicious SQL into the query an application sends to its database. Inspect the page, or capture the request with Burp Suite, to understand which inputs are sent to the server and how the application reacts to different SQL injection inputs. Try to work out the syntax of the underlying SQL command.


Examples/Methods/Results

Basic Example

Here we assume the SQL is SELECT * FROM Users WHERE email='inputvalue'. We try the word test, then test' OR 1=1;--. The left side of the example shows how the SQL command changes. The -- comments out anything after it that we don't know, such as the password check.

SQLMap

This tool automates SQL injection testing. Further use is shown in the first link under Further Readings. The example below shows capturing a request using Burp Suite and saving it to a file named bricks (the name can be anything).

On the terminal the tables are then dumped with the command sqlmap -r bricks -p username --dump

After a while it dumps the tables it found.

Burp suite

A request is first captured in Burp Suite using the Intercept tool under Proxy.

It is then sent to Repeater for further attempts. Initially we had 'ss' as both the user name and the password. We now try to make the resulting query read SELECT * FROM users WHERE name='' OR '1'='1' AND password='' OR '1'='1'. We insert the modified values in place of ss and send the request. If this takes too much time, the Intruder tool can automate submitting the SQL inputs from a list of payloads. See the second link under Further Readings.
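
The login bypass above and the Basic Example earlier, as an added example that is not from the original notes: it builds the vulnerable concatenated query with the page's payloads against a constructed in-memory SQLite table, shows how the statement text changes, and compares the result with the same query using bound parameters (the table contents and column names are assumptions).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (email, password) VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    return conn


def build_vulnerable_query(email: str) -> str:
    # The query from the Basic Example with the input pasted into the SQL text.
    # A quote in the input ends the string literal and the rest is parsed as SQL.
    return f"SELECT * FROM Users WHERE email = '{email}'"


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    return conn.execute(build_vulnerable_query(email)).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Same query with a bound parameter: the value is sent separately from the
    # statement, so the database never interprets it as SQL.
    return conn.execute("SELECT * FROM Users WHERE email = ?", (email,)).fetchall()


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # The login check from the Burp Suite section, concatenated the same way.
    sql = f"SELECT * FROM Users WHERE email = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    return conn.execute(
        "SELECT * FROM Users WHERE email = ? AND password = ?", (name, password)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("test' OR 1=1;--"))       # the ;-- hides the trailing quote
    print(len(lookup_vulnerable(db, "test")))              # 0 rows
    print(len(lookup_vulnerable(db, "test' OR 1=1;--")))   # 2 rows: the whole table
    print(len(lookup_safe(db, "test' OR 1=1;--")))         # 0 rows: treated as a literal
    print(len(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1")))  # 2 rows
    print(len(login_safe(db, "' OR '1'='1", "' OR '1'='1")))        # 0 rows
```

The parameterized versions return nothing for the payloads because the driver compares the whole input string against the email column instead of letting the database parse it.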

Burp suite 2 (Union statement)

Here we try a search bar to see whether its requests accept SQL injection.

We capture the request.

Then we send it to Repeater and submit the request with test as the value of the search parameter q:

For the empty request we see the raw JSON, or we can use the Beautifier tab to view the JSON more readably. If nothing is inserted at q, everything is returned.

When we search for ; to close the SQL statement we get an error, but the error response may help us craft a better injection. Below, the error gives away that we have not included the brackets that close the search expression. It also shows deletedAt IS NULL, which we may use later to find deleted items. Hence we now search for '));

Then we get a successful response.

Now to test the UNION addition: ')) UNION SELECT '1','2','3','4','5','6','7','8' FROM Users-- . We add this in the Params tab so that Burp URL-encodes it (the %xx format).

Then we send it to view the users.

Checklist

Things to consider:

Further Readings

SQLMap YouTube tutorial
SQL injection with Burp Suite
SQL Injection (OWASP)
Write-up examples
PortSwigger
swisskyrepo