Penetration-SQL Injection (SQLi)
- ManieshNeupane
- May 6, 2022
- 3 min read
GET-Based-SQL-Injection-Exploitation:
To find an SQLi on a target you first need to find a vulnerable parameter that lets you break out of the existing SQL query. You can inject a malicious value through the URL (known as GET-based SQL injection), through a form (POST-based SQL injection), or through headers that the server stores in a database for user logging, such as the User-Agent or Referer header, or through a cookie (header- or cookie-based SQL injection). First we'll talk about how to find SQLi, and then how to exploit GET-based SQL injection. The first step is to find a parameter in the URL, so let's take the example of a GET-based SQL injection.
When you send this request you get the data of the student whose userid is 1, because in the backend the server sends a query like this to the database to retrieve the user's data:
SELECT * FROM students WHERE userid='1';
Now, to identify whether the server is vulnerable to SQLi, you first need to break out of this query by giving it an odd value, such as a stray single quote appended to the id.
When you inject this value the server gets an unexpected result from the database, because the SQL query now looks like this:
SELECT * FROM students WHERE userid='1'';
When a query like this is sent, the database cannot parse it: the extra quote leaves the string literal unbalanced, so you get an error back. The second step is to repair the query by commenting out everything after your value. For SQL/PostgreSQL/Oracle we use the double-dash sequence (--) as the comment indicator, which makes the database treat the rest of the query as a comment. So you enter your value followed by a double dash, like this (the trailing + in the URL is just a URL-encoded space after the dashes):
https://albussecurity.com/students.php?id=1' --+
Then you no longer get an error, because when the server sends the SQL query to the database the comment effectively removes the remainder of the query:
SELECT * FROM students WHERE userid='1' -- ';
Note: if the server uses HQL (Hibernate Query Language, an object-oriented query language similar to SQL), this does not work, because HQL does not support comments.
However, the server will not always wrap the value in single quotes in the SQL query. It may use double quotes, backticks or parentheses, or in some cases no quoting at all, like this:
'         ------> SELECT * FROM students where id='1'
"         ------> SELECT * FROM students where id="1"
`         ------> SELECT * FROM students where id=`1`
')        ------> SELECT * FROM students where id='1')
'))       ------> SELECT * FROM students where id='1'))
[Nothing] ------> SELECT * FROM students where id=1
"))       ------> SELECT * FROM students where id="1"))
You enter these values to generate an error, and once you get an error you try to repair the query with a comment. But is there any need to repair the query? Yes: if repairing the query after generating the error makes the error go away, that confirms the server does not sanitize our input and passes the SQL query with the injected value straight to the database. This is the vulnerable point, because an attacker then controls the SQL query simply by putting SQL through the parameter, which is what gives rise to SQL injection. The third step is to determine the number of columns returned by the query. For this we use ORDER BY, like this:
https://albussecurity.com/students.php?id=1' ORDER BY 1 -- +
If the query has at least one column, this returns the normal response with no error, so simply increase the number until you get an error from the server, like this:
https://albussecurity.com/students.php?id=1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12 --+
When you enter 12 the server returns an error response, which means the query uses only 11 columns, so the total number of columns in the query is 11. In some cases the server uses a different database; for example, the Oracle database will only accept string values here, so you can use NULL (or null) instead of numbers and it will still be valid for the database. So the query for 11 columns looks like this:
https://albussecurity.com/students.php?id=1' ORDER BY null,null,null,null,null,null,null,null,null,null,null --+
The fourth step is to determine exactly which column carries string data, because we can't randomly pick columns to retrieve data from the database; we need to check which of the columns used in the query can return our data. For this we use UNION ALL SELECT: UNION ALL combines the results of two or more SELECT queries into one result set.
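To see why the stray quote, the comment "fix" and the ORDER BY probe above behave as they do, and why a bound parameter closes the hole, here is an added Python example that is not part of the original post. It uses an in-memory sqlite3 table as a constructed stand-in for the post's students table and students.php, and runs the post's own inputs through a string-concatenated query beside a parameterized one.

```python
import sqlite3

# Constructed stand-in for the post's `students` table (not the site's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (userid TEXT, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("1", "Alice"), ("2", "Bob")])
    return conn

def lookup_concat(conn, user_input):
    """Vulnerable pattern the post describes: the id parameter is spliced into
    the query text, so quotes and comment markers in it become SQL syntax.
    Returns the rows, or the database error text if the query no longer parses."""
    sql = f"SELECT * FROM students WHERE userid='{user_input}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"

def lookup_param(conn, user_input):
    """Hardened version: the value is bound as a parameter, so the same strings
    are compared literally against userid and can never change the statement."""
    return conn.execute("SELECT * FROM students WHERE userid=?",
                        (user_input,)).fetchall()

def probe_summary():
    """Run the post's inputs through both versions; returns {name: (concat, param)}."""
    conn = make_db()
    inputs = {
        "normal":      "1",                  # students.php?id=1
        "stray_quote": "1'",                 # step 1: unbalanced quote -> syntax error
        "comment_fix": "1' --",              # step 2: comment hides the trailing quote
        "order_by":    "1' ORDER BY 3 --",   # step 3: column index past the 2nd -> error
    }
    return {name: (lookup_concat(conn, value), lookup_param(conn, value))
            for name, value in inputs.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in probe_summary().items():
        print(f"{name:12} concatenated={vuln!r}  parameterized={safe!r}")
```

The concatenated version reproduces the error-then-no-error pattern the post uses as its confirmation signal, while the parameterized version simply finds no student with that literal id, so the probe reveals nothing about the query.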