SQL injection
Definition and Examples
Your basic task is to interrupt a SQL query and force it to run your own code. Usually you can do this by adding an invalid character, like a single quote. You can attack GET and POST submissions using options.
Definition, Risk Factors and Examples from https://owasp.org/www-community/attacks/SQL_Injection :
In SQL:
select id, firstname, lastname from authors
Input from a web form:
Firstname: evil'ex Lastname: Newman
The query string becomes:
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'
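The broken query above, reproduced next to its parameterized form. This is an added example, not code from OWASP or from the original page; the in-memory SQLite table, its forename/surname columns, the sample rows and the function names are all assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Build an in-memory authors table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table authors "
               "(id integer primary key, forename text, surname text)")
    db.executemany("insert into authors (forename, surname) values (?, ?)",
                   [("evil'ex", "newman"), ("alice", "smith")])
    return db

def find_author_concat(db, forename, surname):
    """Vulnerable: form input is pasted straight into the SQL text."""
    sql = ("select id, forename, surname from authors "
           "where forename = '" + forename + "' and surname ='" + surname + "'")
    return db.execute(sql).fetchall()

def find_author_param(db, forename, surname):
    """Hardened: input is bound as data and never parsed as SQL."""
    sql = ("select id, forename, surname from authors "
           "where forename = ? and surname = ?")
    return db.execute(sql, (forename, surname)).fetchall()

def compare(forename, surname):
    """Run both lookups on the same input and return (concat, param)."""
    db = make_db()
    try:
        concat = find_author_concat(db, forename, surname)
    except sqlite3.OperationalError as exc:
        # The stray quote ended the string literal early, so the rest of
        # the input reached the SQL parser instead of staying a value.
        concat = "query failed: " + str(exc)
    return concat, find_author_param(db, forename, surname)

if __name__ == "__main__":
    # The page's own form input: the quote changes the query's structure.
    print(compare("evil'ex", "newman"))
    # Ordinary input: both versions return the same row.
    print(compare("alice", "smith"))
```

A database error triggered by a single quote is the signal that input is reaching the parser; with bound parameters the same input is just a name that matches a row.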
SQL Injection Examples
From https://portswigger.net/web-security/sql-injection :
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
- Retrieving hidden data, where you can modify an SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application’s logic.
- UNION attacks, where you can retrieve data from different database tables.
- Examining the database, where you can extract information about the version and structure of the database.
- Blind SQL injection, where the results of a query you control are not returned in the application’s responses.
Examples for SQL Server, MySQL, PostgreSQL and Oracle
Our old friends at PenTestMonkey provide LOTS of examples for:
MS SQL Server: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Oracle DB: http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
MySQL (MariaDB): http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
A cheat sheet and examples for MS SQL, MySQL, PostgreSQL and Oracle
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
Dumping a Complete Database
http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
OWASP Web Security Testing Guide
This is a rocking complete methodology for web app testing. I’ll link to the SQL Injection section, but check out the many other areas this guide covers.
Website Hacking: Dumping Database Using SQL Injection [DVWA SQL]
https://www.youtube.com/watch?v=6OONGIH5pdQ
Exercises
1. Log into your root-me.org account, click Challenges and click Web Server. This will get you here:
https://www.root-me.org/en/Challenges/Web-Server/.
Start with “SQL Injection – Authentication”. Note all the other SQL Injection challenges. Can you beat them all?
2. In either Metasploitable2 or your own installation, go to DVWA, find Vulnerability – SQL Injection, and dump all user names. See this guide if you need help:
https://pentestlab.blog/tag/metasploitable-2/page/6/