SQL Injection is the most devastating vulnerability on web platform.In this article, I will be telling how costly and severe this vulnerability is, if exploited. SQL is a database language. Everything related to person’s identification is stored in the database, such as Emails,Usernames,Passwords, and credit card numbers!In SQL injection part 1, we will be talking about simple injections which are error based and can be attacked without any difficulty.
Now, what is SQL Injection? SQL Injection is an attack in which the SQL commands are injected in user input parameter which passed to the database at the Back-end and executed. Any vulnerable platform can let us concatenate self made queries with already existing queries and executed. It happens when a web application fails to filter out the parameter provided by the attacker and that dynamic SQL query is then passed to Back-end for execution.Example:
www.target.com/file.php?id=1
can be tested for vulnerability like
www.target.com/file.php?id=1′
The “id” parameter is passed as a dynamic SQL query in the php file existed on the server.The value for this parameter in the above example is 1. So this URL will be passed to file.php file existed on the server and query the Back-end database to show the output related to 1 value.The SQL injection can be done by both GET and POST request. We can POST SQL injection using tamper/interception tools like Burpsuite, Webscarab etc.
The “Apostrophe” or ” ‘ ” or “tick” or “single quote” is a SQL based command which terminates the statement. So the tick,we have used in “www.target.com/file.php?id=1’ ” is terminating the entire id parameter statement and hence will launch another query that the attacker will concatenate after the or command.
One of the most important and difficult task is finding out the database while behind blind SQL injection. One way to know is the error type in non-blind SQL injections. Once we put the single quote at the end of the query it will give us some error and then we can know the type of database present. The another way is assumption. Though, it doesn’t work all the time but worth a try while doing Blind SQL injection.
- ASP and .NET uses Microsoft SQL server.
- A PHP application uses MYSQL
- JAVA application probably uses Oracle or MYSQL
- IIS uses Microsoft infrastructure database, so it is SQL server.
- Linux server running Apache often uses open source database which is MYSQL.
So If I write www.target.com/file.php?id=1’OR’1=1
This query will return all the id’s or products regardless of their value.
I found these links below telling about the further tutorial, Since they tell a lot about sqli you can have a look at them
https://evilzone.org/tutorials/full-sql-tutorial/
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
https://www.latesthackingnews.com/sql-injection-tutorial-bumperpack/
LOGIN PAGES
Every website have a login page. That login page takes credential from users and compute it with the one stored in database, If it matches, the user is authorized, if not then it will give out an error like “Username/Password is incorrect”. If the login forum is vulnerable to SQLi then we can make a universal true statement like ‘or’1’=’1 which can give us the admin access of the page.