My first SQLi vulnerability


muhammed demir

Hello friends, this is my first post. Please excuse my mistakes.

## What is SQL Injection?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.

## How I Found It

Let’s call it target.com so as not to expose the program I was working on. The program was an open source school program, and the first thing that caught my attention was the admin login.

I tried some default usernames for a first account takeover. That didn’t work, so I looked at the requests and responses in Burp Suite. Then I noticed login.php in the URL. When I looked through the code a bit, I realized that the input could easily reach the database.

The code:

```php
<?php
if (isset($_POST["btnlogin"]))
{
    $username = $_POST["email"];
    $password = $_POST["password"];
    // Both values are interpolated straight into the query string: this is the injection point.
    $query = "SELECT * FROM login WHERE user_id='$username' AND Password='$password' ";
    $result = mysqli_query($con, $query);
    if (mysqli_num_rows($result) > 0) {
        while ($row = mysqli_fetch_array($result)) {
            if ($row["Role"] == "Admin") {
                $_SESSION['LoginAdmin'] = $row["user_id"];
                header('Location: ../admin/admin-index.php');
            }
            else if ($row["Role"] == "Teacher" && $row["account"] == "Activate") {
                $_SESSION['LoginTeacher'] = $row["user_id"];
                header('Location: ../teacher/teacher-index.php');
            }
            else if ($row["Role"] == "Student" && $row["account"] == "Activate") {
                $_SESSION['LoginStudent'] = $row['user_id'];
                header('Location: ../student/student-index.php');
            }
        }
    }
    else {
        header("Location: login.php");
    }
}
```

The code inserts the user-supplied values $username and $password directly into the SQL query string. This leaves it open to SQL injection: with a specially crafted input value, an attacker can change the structure of the query and read or damage the database.
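As an added example that is not part of the original post or the school program’s code, this is how the same login handler looks once the input is bound with a prepared statement and the password is checked against a stored hash. It assumes $con is an open mysqli connection, session_start() has already run, and the Password column holds password_hash() output instead of plaintext.

```php
<?php
// Hardened login handler (added example, not the project's own code).
// Assumptions: $con is an open mysqli connection, session_start() has run,
// and login.Password stores password_hash() output.
if (isset($_POST["btnlogin"])) {
    $username = $_POST["email"] ?? '';
    $password = $_POST["password"] ?? '';

    // Parameterised query: the username is bound as data, never spliced into
    // the SQL text, so a quote or "OR IF(..., SLEEP(5), 0)" cannot alter the
    // query structure. The password is no longer part of the query at all.
    $stmt = $con->prepare(
        "SELECT user_id, Password, Role, account FROM login WHERE user_id = ?"
    );
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($userId, $hash, $role, $account);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() against '' simply returns false for an unknown user,
    // so both failure cases take the same code path.
    $valid = $found && password_verify($password, $hash ?? '');

    if ($valid) {
        session_regenerate_id(true); // new session id on login (session fixation)
        if ($role === "Admin") {
            $_SESSION['LoginAdmin'] = $userId;
            header('Location: ../admin/admin-index.php');
            exit; // header() alone does not stop the script
        } elseif ($role === "Teacher" && $account === "Activate") {
            $_SESSION['LoginTeacher'] = $userId;
            header('Location: ../teacher/teacher-index.php');
            exit;
        } elseif ($role === "Student" && $account === "Activate") {
            $_SESSION['LoginStudent'] = $userId;
            header('Location: ../student/student-index.php');
            exit;
        }
    }

    // Unknown user, wrong password, or inactive/unknown role: one generic outcome.
    header("Location: login.php");
    exit;
}
```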

After that, I got a SQL error by submitting a single quote ('), which meant I had to craft a complete SQL payload.

After trying several time-based payloads, one of them worked.

`' OR IF(SUBSTRING(Password, 1, 1)='a', SLEEP(5), 0) -- -`

With this payload, the application responded about 5 seconds later than usual, which confirmed the time-based blind injection.

From there it is easier to let sqlmap confirm the injection directly against the database.

`sqlmap -r login.txt --random-agent --level 5 --risk 3 --dbs --batch`

We have enough evidence now.

Thank you for reading my article.
