Friday, October 4, 2024

Web Application Pentesting – Manual SQL Injection With Error Based String Method


SQL injection is a code injection technique used to gain access to a backend database (MySQL, MSSQL, Oracle, etc.). The OWASP 2018 release still lists this injection as A1, or Level 1, which the author regards as the most dangerous attack of all time.

The SANS Top 25 (Most Dangerous Software Errors) lists SQL injection as "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" at Rank 1 of the injection category.

This injection can be automated with a large number of tools available on the internet. Humans, however, have the creative thinking and decision-making needed to understand the target, so I prefer to go with manual testing.



NOTE: This walkthrough applies only to a MySQL backend database. If you test the same payloads against Oracle or another database they will not work.

SQL Injection ONLINE LAB:

  • Beginners can use this website to practice SQL injection skills.
  • The lab is hosted at http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 (the same URL used in Step 1).
[Screenshot]
  • The above screenshot is the welcome screen you should see when the lab loads.

STEP 1: Breaking the Query

  • Visit the website http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
  • Append a single quote to the existing URL to check whether the website is vulnerable to SQL injection: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
  • After adding the single quote, the website shows the error statement "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1"
[Screenshot]
  • That's great!!! It is vulnerable to SQL injection.
  • This shows that you have successfully broken the query, and that the backend database is leaking its error messages to the client, which is what makes error-based injection possible.

STEP 2: Copying the Error Statement

  • Copy and paste the SQL error statement into Notepad.
  • After copying it, work through the error statement as shown in the screenshot below.
  • The above figure illustrates that the highlighted single quote is what breaks the backend query.
  • Now imagine yourself as the developer and guess the SQL statement the application sends to the database.
  • Hopefully everyone has guessed that the backend query looks like this: Select username, Password from table where id ='1'
  • When we add a single quote, the quotes no longer balance and the query becomes: Select username, Password from table where id ='1''
  • This is called single-quote error-based string injection.

STEP 3: Joining the Query

  • Now add --+ to join the query: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
[Screenshot]
  • The above figure illustrates that the SQL error disappears once --+ is added: -- starts a MySQL comment, so everything after it (including the application's own closing quote) is ignored, and the + is URL-decoded to the space that MySQL requires after --.
  • Whatever malicious code is placed here will now talk to the database. At this point you have successfully broken the query, joined the query, and confirmed that it is a single-quote error-based string injection.

STEP 4: Finding the Backend Columns

  • It is time to have a conversation with the database to find the number of columns. To enumerate the columns we can use the ORDER BY clause.
[Screenshot]

The above figure shows no SQL error with order by 1, meaning the query returns at least 1 column.

  • Let me check the rest of the columns with order by 2, order by 3, and so on.
[Screenshot]

The above figure still shows no SQL error with order by 3, so the query returns at least 3 columns.

  • Let me check one more column with order by 4.
[Screenshot]

The above figure shows the database responding with the error statement Unknown column '4' in 'order clause', which tells us that the query returns exactly 3 columns. Hopefully you now understand how to talk to a database through its error messages.
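To make Steps 1 to 4 concrete, here is an added example (not the lab's own code, which the article only guesses at) that rebuilds the guessed query in Python against an in-memory SQLite table and feeds the same inputs through a string-concatenated version and a parameterized version. SQLite stands in for MySQL, so the error text differs, but the quote, comment and ORDER BY behaviour is the same; the users table, its rows, and the three-column SELECT are constructed to match what the lab revealed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's users table (in-memory SQLite, not MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("1", "injector", "Khan"), ("2", "admin", "sadmin")])
    return con

def lookup_vulnerable(con, user_id):
    """The query the article guesses sits behind basic_ch1.php: the id parameter is
    pasted straight into the SQL text, so quotes and comments in it become SQL."""
    sql = "SELECT id, username, password FROM users WHERE id='" + user_id + "'"
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}

def lookup_safe(con, user_id):
    """Same lookup with a bound parameter: the driver sends user_id as a value,
    so a quote, ORDER BY or comment inside it can never alter the statement."""
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return {"rows": con.execute(sql, (user_id,)).fetchall(), "error": None}

def replay_steps(con):
    """Run the article's Step 1-4 inputs through both versions and record
    whether each produced a database error (the signal the lab page leaks)."""
    inputs = {
        "plain":      "1",
        "break":      "1'",                 # Step 1: unbalanced quote -> syntax error
        "join":       "1' -- ",             # Step 3: --+ decodes to "-- " and comments out the tail
        "order_by_3": "1' ORDER BY 3 -- ",  # Step 4: in range -> no error
        "order_by_4": "1' ORDER BY 4 -- ",  # Step 4: out of range -> error reveals 3 columns
    }
    return {name: {"vulnerable_error": lookup_vulnerable(con, val)["error"] is not None,
                   "safe_error": lookup_safe(con, val)["error"] is not None,
                   "safe_rows": len(lookup_safe(con, val)["rows"])}
            for name, val in inputs.items()}
```

With the parameterized version every one of the probe strings is simply an id that matches no row, so the page would show neither an error nor a spoofed result.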

STEP 5: Finding the Backend Tables

  • The backend may contain more tables, including ones with no data. Therefore you should first find out which of the 3 columns is reflected on the page, so that it can be used to display table names.
  • Now we can select all 3 columns with union all select on the existing URL: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union all select 1,2,3 --+ (the id of -1 matches no real row, so only the union's row is displayed)
[Screenshot]
  • The above figure shows Username: 2, meaning the value of the 2nd column is the one displayed on the page, so that is where we will make table names appear. Now we have successfully found the display location in the database output.

STEP 6: Finding the Backend Database Name and Version

  • We already know which column is displayed, so we can ask the database directly for its name, version, etc. by placing database() in that column.
[Screenshot]
[Screenshot]
  • The above figure shows the backend database revealing its database name: leettime_761wHole
  • Let us do the same to check the database version with version()
[Screenshot]
  • The above figure shows the backend database version: 5.6.36-cll-lve

STEP 7: Dumping Database Tables

  • group_concat() is a MySQL function that returns a single string containing the concatenated non-NULL values from a group.
  • So we can use this function to list all tables of the database in one result.
  • In addition, we query information_schema, which holds metadata about the objects within a database, to obtain the table names.
[Screenshot]
  • The above figure shows the dump of all tables: testtable1, user logs, users.

STEP 8: Dumping all Data in Columns of Tables

  • Here I will dump the columns of the users table.
  • The above figure shows the dump of all columns of the users table: id, username, password, user_type, sec_code
  • Usernames and passwords are the most confidential ones, so let us dump them!!!

STEP 9: Dumping all Usernames

  • Here we can dump all usernames in the database.
[Screenshot]
  • The above figure shows the dump of all usernames: injector, decompiler, devil hunter, Zen, Zenodermus, grayhat, khan, admin
  • If I get the credentials for the admin account, that will be great!

STEP 10: Dumping all Passwords

  • Now we can use the group_concat function to pull the passwords from users.
[Screenshot]
  • The above figure shows the dump of all passwords for users: Khan, hacktract, dante, sec-idiots, security-i, hacker, haxor, sadmin
  • We got the admin account's password: sadmin! Happy Hacking!!!
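From the defender's side, the requests in Steps 1 to 10 leave a recognizable trail in web-server logs. The following added example (not from the article) parses a few constructed Combined Log Format lines that mirror the article's requests, URL-decodes the query string, and flags the payload families used above: a trailing quote on a numeric parameter, the -- comment terminator, ORDER BY probing, UNION SELECT, and information_schema / group_concat enumeration. The log lines, IP addresses and rule names are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Combined Log Format lines mirroring the article's requests (not real lab traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Oct/2024:10:00:01 +0000] "GET /tasks/basic_ch1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Oct/2024:10:00:05 +0000] "GET /tasks/basic_ch1.php?id=1%27 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Oct/2024:10:00:09 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+4+--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Oct/2024:10:00:14 +0000] "GET /tasks/basic_ch1.php?id=-1%27+union+all+select+1,group_concat(table_name),3+from+information_schema.tables+--+ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Oct/2024:10:01:00 +0000] "GET /tasks/basic_ch1.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pull ip, timestamp, method and request target out of a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# (rule name, pattern) applied to the URL-decoded, lower-cased query string.
# A lone quote is too noisy on its own (think O'Brien), so the quote rule only
# fires when it directly follows a numeric parameter value, as in id=1'.
RULES = [
    ("trailing-quote", re.compile(r"=-?\d+'(?:$|&|\s)")),                 # Step 1
    ("comment-terminator", re.compile(r"--\s")),                           # Step 3: --+ decodes to "-- "
    ("order-by-probe", re.compile(r"'\s*order\s+by\s+\d+")),               # Step 4
    ("union-select", re.compile(r"union\s+(?:all\s+)?select\b")),          # Steps 5-10
    ("schema-enum", re.compile(r"information_schema\.|group_concat\(")),   # Steps 7-10
]

def decode_query(target):
    """Return the URL-decoded, lower-cased query string after '?' ('' if none)."""
    _, _, query = target.partition("?")
    return unquote_plus(query).lower()

def scan_line(line):
    """Parse one log line; return None if it is not a request line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = decode_query(m["target"])
    hits = [name for name, rx in RULES if rx.search(query)]
    return {"ip": m["ip"], "target": m["target"], "hits": hits}

def scan_log(text):
    """Return only the requests that triggered at least one rule."""
    alerts = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result["hits"]:
            alerts.append(result)
    return alerts
```

Decoding before matching matters: the lab's payloads arrive as %27 and + in the raw log line, so a pattern written against the literal quote would never fire on the undecoded text.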
