PHP Lab: Exploiting SQL Injection
Identifying SQL Injection vulnerabilities
The first step in exploiting a SQL injection is to identify the vulnerability.
This first section of this lab walks you through the basics of how we can identify SQL Injection vulnerabilities in Web Applications.
Learn Secure Coding
Open up the following URL in Kali Linux.
It shows the following web page.
Users can view the products from the database by entering the ID values into the text box.
Upon entering an ID, we will be given with the details of the entered ID, product name, and price that are already registered in the database.
It will look like this screenshot.
If the id is not found in the database, it displays the message "0 results."
If we observe the URL when id value 1 is entered, it sends the value 1 to the database with the parameter name "id" as shown below.
If we change this parameter value to 2, we should see different output.
Now, our goal is to see if there is any SQL Injection vulnerability in this parameter.
As an attacker, we can modify the request being sent to the server by adding a single quote at the end of the parameter value and observe the response
Most of the developers give detailed error messages as shown below. In that case, it is easy to confirm that the parameter is vulnerable.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
In our case, no detailed error message is shown. You can see this in the figure below.
Even though errors are properly handled, we do not give up. Let us see if we can find another way to confirm the vulnerability.
Let us inject the following payload: 1 or 1=1
Nice, it worked. Even though we did not specify id 2 anywhere to give the results associated with it, we got all the records in the table due to the payload we passed as input.
We can provide a false condition and confirm the vulnerability.
Payload: 1 or 1=2
Obviously, 1=2 returns false and thus the application returned only the row where id=1.
If our analogy is correct, 0 or 1=1 should return all the rows since 1=1 returns true.
Nice. It confirms that the parameter id is vulnerable to SQL Injection.
SQLMAP for the win
We have seen how to identify if an application is vulnerable to SQL injection.
In this section, we will discuss how to use a tool called SQLmap to exploit SQL Injection.
What is SQLmap?
It is an open source tool, which is used for automating the task of detection and exploitation of SQL injection flaws in web applications.
SQLmap uses various techniques to detect and exploit SQL Injection vulnerabilities in web applications. It covers Union Query, Error based Injection, Boolean based blind SQL Injection, and Time-based blind SQL Injection, Stacked queries and out-of-band.
It supports many different databases that include MySQL, MSSQL, Microsoft Access, SQLite, IBM db2, PostgreSQL, Oracle, and Sybase.
SQLmap comes preinstalled with Kali Linux.
Now, we are going to use SQLmap to exploit the following URL.
Finding out the database names:
In this step, we are going to use SQLmap to find out the vulnerable parameters and then extract all the database names.
Let us use the following command.
sqlmap –u "http://192.168.56.101/webapps/sqli/sqli.php?id=1 " --dbs
The command above checks if any of the parameters in the URL are vulnerable to SQL Injection.
As we can see in the above figure, SQLmap says the application is using MySQL database and asking us if we want to skip payloads for other databases. We can say YES by entering Y.
Once after finding at least one vulnerable parameter, SQLmap prompts the user to check if he wants to continue to find additional vulnerable parameters as shown in the figure below.
If our job is to find a vulnerability in only one parameter and then exploit it, we can simply enter NO and continue with the process.
As we can see in the following figure, we got 5 databases from the application.
Finding out the table names:
We are interested in the database "infosec."
So, we are going to extract all the table names from this database.
Let us use the following command
sqlmap –u "http://192.168.56.101/webapps/sqli/sqli.php?id=1 " –D infosec --tables
The above command will fetch all the table names from the database "infosec."
As we can see in the above figure, we got two tables.
Finding out the column names:
From the previous step, we can see that we got two tables. We will extract the column names from the table "users."
Let us run the following command.
sqlmap –u "http://192.168.56.101/webapps/sqli/sqli.php?id=1 " –D infosec –T users –columns
The above command will fetch all the column names from the table "users."
As we can see in the figure above, we got three different columns.
Finally, we need to dump all the data from the table "users." We can do it using the following command.
sqlmap –u "http://192.168.56.101/webapps/sqli/sqli.php?id=1 " –D webservice –T users --dump
The above command dumps all the data from the table "users." We can explicitly mention the column names if we want to extract data only from some specific columns.
As we can see in the above figure, we can dump all the data from the table "users."
Similarly, we can dump data from other databases obtained from --dbs command.
Learn Secure Coding
SQLmap is known to be one of the most powerful tools available for exploiting SQL Injection.