Web Application Pentesting – Manual SQL Injection With Error Based String Method
SQL injection is a code injection technique used to gain access to a database (MySQL, MSSQL, Oracle, etc.). The OWASP 2018 release still lists injection as A1, the number one category, which makes it the most dangerous attack of all time.
The SANS Top 25 (Most Dangerous Software Errors) lists SQL injection as "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", ranked number 1 among injection flaws.
This injection can be automated with a large number of tools available on the internet. Humans, however, have the creative thinking and decision-making needed to understand the target better than tools do, so I preferred to go with manual penetration testing.
The screenshot above shows the welcome screen you will see when the target page loads successfully.
STEP 1: Breaking the Query
Visit the website http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
Let us append a single quote to the existing URL to check whether the website is vulnerable to SQL injection: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
After adding the single quote, if the website shows the error statement "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1"
That's great!!! It is vulnerable to SQL injection.
This shows you have successfully broken the query, and the backend database is talking to the attacker through its error messages.
STEP 2: Copying the Error Statement
Copy and paste the SQL error statement into Notepad.
After copying it, work through the error statement as shown in the screenshot below.
The figure above shows that the highlighted single quote is what breaks the backend query.
Now imagine yourself as the developer and guess the SQL statement the application sends to the database.
Hopefully everyone guessed that the backend query looks like this: Select username, Password from table where id ='1'
When we add a single quote, the quoting no longer matches and the query becomes: Select username, Password from table where id ='1''
This is called single-quote error-based string injection.
STEP 3: Joining the Query
Let us add --+ to join the query: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
The figure above shows that the SQL error is fixed once --+ is appended.
Whatever code is placed there will now talk to the database. At this point you have successfully broken the query, joined the query, and confirmed that it is a single-quote error-based string injection.
STEP 4: Finding the Backend Columns
It is time to have a conversation with the database to find the number of columns. To enumerate the columns we can use the order by clause.
The figure above shows no SQL error, meaning column 1 exists in the query.
Let me check the remaining columns with order by 2, order by 3, and so on.
The figure above again shows no SQL error, which means 3 columns are present in the query.
Let me check one more column with order by 4.
The figure above shows the database error statement Unknown column '4' in 'order clause', which tells us "There are only 3 columns in the database". Hopefully you now understand how to talk to a database through its errors.
STEP 5: Finding the Backend Tables
The SQL backend may contain more table names, some with empty data as well. Therefore you should first find out which of these 3 columns can display table names.
Now we can select all 3 columns by appending union all select to the existing URL: http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union all select 1,2,3 --+
The figure above shows Username: 2, which means the 2nd column of the query is the one displayed on the page, so table names can be read through it. We have now successfully found the table location in the database.
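The mechanism behind Steps 1 to 5, as an added example that is not code from the original post: a small in-memory SQLite model of the lookup the post guesses the backend runs, beside the parameterized version a developer should have written. The users table, its rows and the function names are constructed for this demo, and the probes are the post's inputs after URL decoding (the + in --+ becomes the space that turns the rest of the statement into a comment). The post's target runs MySQL, whose error text differs from SQLite's, but the rows-or-error signal is the same.

```python
# Added example, not code from the original post: a local SQLite model of the
# lookup that Steps 1 to 5 attack, beside its parameterized fix. The table,
# its rows and the function names are constructed for this demo.
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "wonderland"), (2, "admin", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Build the query the way the post guesses the backend does: the raw
    parameter is pasted between single quotes, so a quote in the input
    changes the SQL text instead of staying inside the value."""
    sql = f"SELECT id, username, password FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized form: the driver sends the value separately from the
    SQL text, so quotes, comments, ORDER BY and UNION in the input are
    compared as characters and never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def run(lookup, conn, user_id):
    """Run a lookup and report ('rows', [...]) or ('error', message), which is
    exactly the signal the post reads from the page: rows or an SQL error."""
    try:
        return ("rows", lookup(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# The post's inputs after URL decoding ("--+" arrives as "-- ").
PROBES = [
    "1",                               # Step 1: normal request
    "1'",                              # Step 1: breaks the quoting -> error
    "1' -- ",                          # Step 3: comment joins the query
    "1' order by 3 -- ",               # Step 4: 3rd column exists
    "1' order by 4 -- ",               # Step 4: no 4th column -> error
    "-1' union all select 1,2,3 -- ",  # Step 5: attacker-chosen row shown
]

if __name__ == "__main__":
    conn = make_db()
    for probe in PROBES:
        print(f"{probe!r:36} concat: {run(lookup_vulnerable, conn, probe)}")
        print(f"{'':36} param : {run(lookup_safe, conn, probe)}")
```

Run it and the concatenated version reproduces the post's conversation (error on the stray quote, error on order by 4, the row 1,2,3 on the union), while the parameterized version returns no rows for every probe and never errors: the input is compared against the id column as a literal string, which is the whole fix.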
STEP 6: Finding the Backend Table Names
We already know the location in the query, so we will directly ask the database for its name, version, etc.
The figure above shows the backend database revealing its name: leettime_761wHole
Let us do the same to check the database version with version()
The figure above shows the backend database version: 5.6.36-cll-lve
STEP 7: Dumping Database Tables
group_concat() is a function that returns a string made of the concatenated non-NULL values from a group.
So we can use this function to list all tables in the database in a single result.
In addition, we can use information_schema to view metadata about the objects within a database.
The figure above shows the dump of all tables: testtable1, user logs, users.
STEP 8: Dumping all Data in Columns of Tables
Here I will dump the columns of the users table.
The figure above shows the dump of all columns of the table: id, username, password, user_type, sec_code
Here the usernames and passwords are the most confidential ones, so let us dump them!!!
STEP 9: Dumping all Usernames
Here we can dump all usernames in the database.
The figure above shows the dump of all usernames: injector, decompiler, devil hunter, Zen, Zenodermus, grayhat, khan, admin
If I get the credentials for an admin account, that will be great!
STEP 10: Dumping all Passwords
Now we can use the group_concat function to pull the passwords from users.
The figure above shows the dump of all passwords for the users: Khan, hacktract, dante, sec-idiots, security-i, hacker, haxor, sadmin
We got the admin account's password: sadmin! Happy hacking!!!
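What this walkthrough looks like from the defender's side, as an added example that is not part of the original post: detection logic that runs over web-server access logs and flags the request shapes used in Steps 1 to 5 (a stray quote, the --+ comment, order by probing, union select). The log lines, client IPs and paths are constructed for the demo; the rule names and thresholds are this example's own choices, not a reference to any particular product.

```python
# Added example, not code from the original post: access-log detection for the
# request patterns the post walks through. Log lines, IPs and paths below are
# constructed for the demo.
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log: one benign visitor and one client that
# replays Steps 1 to 5 of the post against a PHP page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /tasks/basic_ch1.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:10:00:07 +0000] "GET /tasks/basic_ch1.php?id=1%27 HTTP/1.1" 200 734
203.0.113.5 - - [10/Oct/2023:10:00:15 +0000] "GET /tasks/basic_ch1.php?id=1%27+--+ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:10:00:31 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+4+--+ HTTP/1.1" 200 701
203.0.113.5 - - [10/Oct/2023:10:00:45 +0000] "GET /tasks/basic_ch1.php?id=-1%27+union+all+select+1,2,3+--+ HTTP/1.1" 200 520
198.51.100.9 - - [10/Oct/2023:10:01:02 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Patterns are matched against each *decoded* parameter value. bare_quote is
# low confidence on its own (O'Brien is a legitimate value); the other three
# are the post's own payload shapes and carry real signal.
RULES = {
    "bare_quote": re.compile(r"'"),
    "sql_comment": re.compile(r"--(\s|$)"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_select": re.compile(r"\bunion(\s+all)?\s+select\b", re.I),
}
HIGH_CONFIDENCE = {"sql_comment", "order_by_probe", "union_select"}


def scan_request(line):
    """Parse one log line and return which rules fire on its parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, url, _status, _size = m.groups()
    parts = urlsplit(url)
    hits = set()
    # parse_qsl percent-decodes and turns "+" into a space, so the "--+" in
    # the URL is seen here as "-- ", exactly as the database would see it.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add(rule)
    return {"ip": ip, "path": parts.path, "hits": sorted(hits)}


def scan_log(text):
    """Scan every line; lines the regex cannot parse are skipped."""
    return [r for r in (scan_request(l) for l in text.splitlines()) if r]


def flagged_requests_by_ip(text):
    """Count, per client, the requests that fired a high-confidence rule.
    Several such requests from one IP in a short window is the
    'conversation with the database' the post describes, and is a far
    better alert than any single line."""
    counts = Counter()
    for r in scan_log(text):
        if HIGH_CONFIDENCE & set(r["hits"]):
            counts[r["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f'{r["ip"]:14} {r["path"]:22} {", ".join(r["hits"]) or "-"}')
    print("flagged requests per IP:", flagged_requests_by_ip(SAMPLE_LOG))
```

On the sample log the benign apostrophe in O'Brien trips only the low-confidence rule, while the probing client accumulates three high-confidence requests in under a minute. Note that the page returned 200 for every probe, so status codes alone would never have surfaced this; the error text the post reads is in the response body, which is one more reason not to echo database errors to users.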