Secure coding

PHP Lab: Exploiting SQL Injection

August 7, 2017 by Srinivas

Identifying SQL Injection vulnerabilities

The first step in exploiting a SQL injection is to identify the vulnerability.

The first section of this lab walks you through the basics of identifying SQL Injection vulnerabilities in web applications.


Open up the following URL in Kali Linux.

http://192.168.56.101/webapps/sqli/sqli.php

It shows the following web page.

Users can view the products from the database by entering the ID values into the text box.

Upon entering an ID, we are shown the details registered in the database for that ID: the ID itself, the product name, and the price.

It will look like this screenshot.

If the id is not found in the database, it displays the message "0 results."

If we observe the URL when the id value 1 is entered, we see that the value 1 is sent to the server in a parameter named "id", as shown below.

http://192.168.56.101/webapps/sqli/sqli.php?id=1

If we change this parameter value to 2, we should see different output.

http://192.168.56.101/webapps/sqli/sqli.php?id=2

Now, our goal is to see if there is any SQL Injection vulnerability in this parameter.

As an attacker, we can modify the request being sent to the server by adding a single quote at the end of the parameter value and observe the response.

http://192.168.56.101/webapps/sqli/sqli.php?id=1'

Most developers return detailed error messages, as shown below. In that case, it is easy to confirm that the parameter is vulnerable.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

In our case, no detailed error message is shown. You can see this in the figure below.

Even though error messages are suppressed, we do not give up. Let us see if we can find another way to confirm the vulnerability.

Let us inject the following payload: 1 or 1=1

Nice, it worked. Even though we did not ask for id 2 anywhere, we got all the records in the table, because the condition 1=1 in the payload we passed as input is true for every row.

We can also provide a false condition to confirm the vulnerability.

Payload: 1 or 1=2

Obviously, 1=2 evaluates to false, so the application returned only the row where id=1.

If our reasoning is correct, 0 or 1=1 should return all the rows: no row has id 0, but 1=1 is true for every row.

Nice. It confirms that the parameter id is vulnerable to SQL Injection.
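The three probes above can be reproduced offline against the kind of query the lab's PHP page builds. The following Python/sqlite3 script is an added example, not the lab's code: it models the unsafe string concatenation beside a parameterized version, and its products table, column names and sample rows are constructed assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's product table; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Laptop", 999.0), (2, "Phone", 499.0), (3, "Tablet", 299.0)])
    return conn

def lookup_vulnerable(conn, user_id):
    # The unsafe pattern the lab exploits: the request parameter is pasted into the SQL text,
    # so "1 or 1=1" becomes part of the WHERE clause instead of being treated as a value.
    sql = "SELECT id, name, price FROM products WHERE id = " + user_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    # Fix: reject anything that is not an integer, then bind the value as a parameter.
    # The SQL text is constant, so the database engine never parses user input as SQL.
    if not user_id.isdigit():
        return []
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?",
                        (int(user_id),)).fetchall()

def probe(conn, payload):
    """Row count the vulnerable page would return for a payload, or 'error' on a SQL
    syntax error (the equivalent of the MySQL message quoted above when not suppressed)."""
    try:
        return len(lookup_vulnerable(conn, payload))
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = make_db()
    for p in ["1", "1'", "1 or 1=1", "1 or 1=2", "0 or 1=1"]:
        print(f"{p!r:12} vulnerable -> {probe(db, p)!s:6} "
              f"hardened -> {len(lookup_hardened(db, p))} rows")
```

The vulnerable path reproduces the page's observations (1 row, syntax error, all rows, 1 row, all rows), while the hardened path returns either the single matching row or the "0 results" case for every probe.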

SQLMAP for the win

We have seen how to identify if an application is vulnerable to SQL injection.

In this section, we will discuss how to use a tool called SQLmap to exploit SQL Injection.

What is SQLmap?

It is an open source tool that automates the detection and exploitation of SQL injection flaws in web applications.

SQLmap uses various techniques to detect and exploit SQL Injection vulnerabilities in web applications: UNION query, error-based injection, Boolean-based blind SQL Injection, time-based blind SQL Injection, stacked queries, and out-of-band injection.

It supports many different databases, including MySQL, MSSQL, Microsoft Access, SQLite, IBM DB2, PostgreSQL, Oracle, and Sybase.

SQLmap comes preinstalled with Kali Linux.

Now, we are going to use SQLmap to exploit the following URL.

http://192.168.56.101/webapps/sqli/sqli.php?id=1

Finding out the database names:

In this step, we are going to use SQLmap to find out the vulnerable parameters and then extract all the database names.

Let us use the following command.

sqlmap -u "http://192.168.56.101/webapps/sqli/sqli.php?id=1" --dbs

The command above checks if any of the parameters in the URL are vulnerable to SQL Injection.

As we can see in the above figure, SQLmap reports that the application is using a MySQL database and asks whether we want to skip test payloads specific to other DBMSes. We can say YES by entering Y.

After finding at least one vulnerable parameter, SQLmap asks whether it should continue testing the remaining parameters, as shown in the figure below.

If our job is to find a vulnerability in only one parameter and then exploit it, we can simply answer NO and continue with the process.

As we can see in the following figure, we got 5 databases from the application.

Finding out the table names:

We are interested in the database "infosec."

So, we are going to extract all the table names from this database.

Let us use the following command.

sqlmap -u "http://192.168.56.101/webapps/sqli/sqli.php?id=1" -D infosec --tables

The above command will fetch all the table names from the database "infosec."

As we can see in the above figure, we got two tables.

Finding out the column names:

From the previous step, we can see that we got two tables. We will extract the column names from the table "users."

Let us run the following command.

sqlmap -u "http://192.168.56.101/webapps/sqli/sqli.php?id=1" -D infosec -T users --columns

The above command will fetch all the column names from the table "users."

As we can see in the figure above, we got three different columns.

Finally, we need to dump all the data from the table "users." We can do it using the following command.

sqlmap -u "http://192.168.56.101/webapps/sqli/sqli.php?id=1" -D infosec -T users --dump

The above command dumps all the data from the table "users." We can explicitly mention the column names if we want to extract data only from some specific columns.

As we can see in the figure above, all the data from the table "users" has been dumped.

Similarly, we can dump data from the other databases listed by the --dbs command.
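From the defender's side, the sqlmap run described above leaves a recognisable trail in the web server's access log: sqlmap's default User-Agent and a burst of probe values from one source covering the technique classes listed earlier. The following Python script is an added example, not part of the original lab or of sqlmap; the Apache-style log lines and the sqlmap version string in them are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines for illustration; not a capture from the lab host.
SAMPLE_LOG = """\
192.168.56.1 - - [07/Aug/2017:10:00:01 +0000] "GET /webapps/sqli/sqli.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [07/Aug/2017:10:00:05 +0000] "GET /webapps/sqli/sqli.php?id=1%27 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.168.56.1 - - [07/Aug/2017:10:00:09 +0000] "GET /webapps/sqli/sqli.php?id=1+or+1%3D1 HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.168.56.1 - - [07/Aug/2017:10:01:00 +0000] "GET /webapps/sqli/sqli.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
192.168.56.1 - - [07/Aug/2017:10:01:01 +0000] "GET /webapps/sqli/sqli.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 512 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
192.168.56.1 - - [07/Aug/2017:10:01:02 +0000] "GET /webapps/sqli/sqli.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
10.0.0.7 - - [07/Aug/2017:10:02:00 +0000] "GET /webapps/sqli/sqli.php?id=2 HTTP/1.1" 200 510 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                     r'(?P<status>\d+) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

# One pattern per technique class the article lists, applied to the URL-decoded parameter values.
PATTERNS = {
    "quote-probe": re.compile(r"'"),                                   # the manual 1' test
    "boolean": re.compile(r"\b(?:or|and)\s+\S+\s*=\s*\S+", re.I),      # 1 or 1=1 / 1 AND 1=2
    "union": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark|waitfor)\b", re.I),
    "stacked": re.compile(r";\s*\w+"),
}

def classify(line):
    """Return (ip, decoded query values, sorted tags), or None when the request looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tags = set()
    if m["ua"].lower().startswith("sqlmap/"):   # sqlmap's default User-Agent prefix
        tags.add("sqlmap-ua")
    values = [v for _, v in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True)]
    for name, rx in PATTERNS.items():
        if any(rx.search(v) for v in values):
            tags.add(name)
    return (m["ip"], values, sorted(tags)) if tags else None

def scan(log_text):
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]

def offenders(findings):
    """Flagged requests per source IP; a burst from one address is the automated-scan signature."""
    return Counter(f[0] for f in findings)
```

Running scan(SAMPLE_LOG) flags the five probe requests and none of the two plain product lookups, all attributed to 192.168.56.1; in production this is the kind of logic to run in a log pipeline or WAF rule, with the parameter decoded before matching so that %27 and + encodings do not slip past.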


SQLmap is known to be one of the most powerful tools available for exploiting SQL Injection.

Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com