Web Application Pentesting – Manual SQL Injection With Error Based String Method

SQL injection is the code injection technique to gain access to the database(MySQL, MSSQL, Oracle etc). Owasp 2018 Release still describes this injection as an A1 or Level 1 injection which is the most dangerous attack of all time.

SANS Top 25(Most Dangerous Software Errors) describes SQL injection as Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) as Rank 1 of Injection.

The automation of this injection can be performed with a large number of tools available on the internet. Better than tools Humans have creative thinking and decision-making to understand the target, so I preferred to go with manual penetration.

Also Read SQLMAP-Detecting and Exploiting SQL injection- A Detailed Explanation

NOTE: Scope of this SQL injection only for backend MySQL database. If you test the same with Oracle or some other databases it never works.

SQL Injection ONLINE LAB:

• Beginners can use this website to practice skills for SQL injection
• To Access the LAB Click Here

• Above Screenshot will be your successful welcome screen.

STEP 1: Breaking the Query

• Visiting the website http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
• Let us add & check single quote to existing URL to check whether the website is vulnerable to SQL Injection by adding http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1′
• After adding single quote If the website shows error statement “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”’ at line 1

• That’s Great !!! It is Vulnerable to SQL Injection
• This Illustrates you have successfully Broken the query & Backend Database is interacting to Hacker with error messages.

STEP 2: Copying the Error Statement

• Copy and Paste the SQL Error statement into Notepad.

• After copying Perform actions to error statements as mentioned in the below screenshot

• Above figure Illlustes that Highlighted single quote is breaking the backend database
• Now Imagine yourself as DEVELOPER and Guess the SQL statement in Database.
• Hope everyone has Guessed the backend query looks like this Select username, Password from table where id =’1′
• When we add single quote which is mismatching the query like this Select username, Password from table where id =’1”

• This is called as Single quote error based string injection.

STEP 3: Joining the Query

• Let us add  –+  to join the query http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1′ –+

• The above figure illustrates SQL errors are fixed with –+

• Whatever malicious code is placed will talk with the database and as of now you have successfully broken the query, joined the query, and finally found out it is a Single quote error-based string injection.

STEP 4: Finding the Backend Columns

• It is time to have a conversation with the database to find the number of columns. To enumerate columns we can use order by command.

So above figure illustrates no SQL errors, meaning there is 1 column in the database.

• Let me check with the rest of the columns with an order by 2, order by 3, etc.

So the above figure illustrates no SQL errors, this shows still 3 columns are present in the database.

• Let me check with one more column with an order by 4

Above Figure shows the Database with the error statement Unknown column ‘4’ in ‘the order clause and this error statement says as “There are only 3 columns in the database”.Hope you understand how to talk with a database with errors.

STEP 5: Finding the Backend Tables

• SQL backend may contain more Tables names with empty data also. Therefore You should first be able to find out which table names are present in these 3 columns.
• Now we can select all 3 columns with union all select to existing URL http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1′ union all select 1,2,3 –+

• The above Illustrated Figure shows Username is: 2 as the value which represents table names is present in the 2nd column of the database. Now we have successfully found the table location in Database.

STEP 6: Finding the Backend Table Names

• We already knew the location of the table path, so will directly ask database name, version, etc

• Above Illustrated Figure shows Backend Database reveals its database name:leettime_761wHole
• Let us do the same to check out database version details with version()

• The above Illustrated Figure shows the Backend Database version: 5.6.36-cll-lve

STEP 7: Dumping Database Tables

• Group_concat() is the function that returns a string with the concatenated non-NULL value from a group.
• So we can use this Function to list all Tables from the database.
• In Addition, we can use Information_Schema to view metadata about the objects within a database.

• The Above Figure shows the dump of all tables as testtable1, user logs, users.

STEP 8: Dumping all Data in Columns of Tables

• Here I will dump for users in the table.

• The Above Figure shows the dump of all columns of tables containing id, username, password,user_type,sec_code
• Here Usernames and Passwords are the most confidential ones. so let us dump  !!!

STEP 9: Dumping all Usernames

• Here we can dump all usernames in the database.

• The Above Figure shows the dump of all usernames injector, decompiler, devil hunter, Zen, Zenodermus, grayhat, khan, admin
• If I get the credential for an admin account that will be great!

STEP 10: Dumping all Passwords

• Now we can use the group_concat function to call passwords from users.

• The Above Figure shows the dump of all passwords for users: Khan,hacktract,dante,sec-idiots,security-i, hacker, haxor, sadmin
• We got the admin accounts password as sadmin ! Happy Hacking !!!