Web SQL Injection
One of the top risks to information and computers on the internet today is SQL injection. Hackers use this technique by exploiting a security vulnerability in the database layer of a web application, which arises when user input is not correctly filtered for string-literal escape characters before it is embedded in SQL statements.
Understanding how to detect and identify web SQL injection risks on a client web application early enough is very critical. In this hour, we will walk through the steps of identifying the database vulnerabilities and the SQL commands that are inserted into a website’s URL string or data structures to retrieve a response that will allow us to infiltrate a web application. Web SQL injection is often very effective on web pages that are developed using PHP and ASP.NET.
If successful, an SQL injection should allow you to dump an entire database of a system, modify the content of the database, or carry out various queries that the web application would otherwise not let you perform.
11.1 Finding a Target Web Page
As we have learned in the previous hours of this book, the first and most important step of any hack attack is preparation. Preparation for an SQL injection attack primarily involves finding a vulnerable target. This can be quite a time-consuming process, sometimes even taking longer than the actual attack. More and more websites are now better protected from this kind of hack, which is why finding a vulnerable target can take very long.
The easiest and most effective approach to finding out whether a web page is vulnerable is called Google Dorking. In this case, a dork is a specific search query that searches for and finds websites that meet the specified advanced query parameters that you input. Some of the dorks that you can use to find websites that are vulnerable to an SQL injection attack are:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
There are, of course, many other dorks you can use; simply search online and you will be bombarded with hundreds of these queries.
These search queries share a key component: they all focus on websites that use PHP scripts to generate dynamic content based on entries in an SQL database stored on a server somewhere. While a good hacker could attack and infiltrate any website that uses an SQL database, almost anyone can hack PHP-based websites because most are set up by just about anyone. A good example is WordPress websites, which are often installed by novices who are not keen to test their websites and ensure that they are injection-proof.
11.2 Testing a Web Page for Vulnerability
Google will return millions of results of web pages meeting any of the criteria you use to find a target. However, this does not mean that all the pages returned are vulnerable to SQL injection attacks. You must then test each site until you find one that is vulnerable to attack. An excellent way to do this is to append the apostrophe character (') to a value in the page's URL to see if it returns an error.
If the web application does not properly validate the input that contains the apostrophe correctly before it is passed to an SQL statement, then it is possible to hack the SQL database.
Assuming that one of the web pages in our results is website.com, append an apostrophe to the end of the target page URL, as below, and press Enter: http://www.website.com/index.php?id=1'
What does the page return? If you see an SQL error, it means that the website is vulnerable and you could try an SQL injection attack. If the page loads normally with no errors, it is not the candidate you are looking to hack, and you can move on to the next page on your URL list.
It does not matter what error you get; as long as you get an error, the page is a good candidate for an SQL injection attack. From here, it is important that you understand SQL to be able to manipulate the database directly right from the vulnerable page.
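Why the apostrophe test works, and why a properly written page passes it, is easiest to see side by side. The following is an added example (it is not code from this book and does not model any real site) using Python's built-in sqlite3 module and a constructed `articles` table: `lookup_vulnerable` builds the query by string concatenation, so `id=1'` becomes an unterminated string literal and the database raises an error, which is exactly what the probe above is looking for; `lookup_safe` rejects anything that is not a positive integer and binds the value as a parameter, so the same input produces neither an error nor a query change. The function names and table layout are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not a real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The pattern that fails the apostrophe test: the raw URL parameter is
    spliced into the SQL text, so an apostrophe changes the statement's syntax
    and the database error leaks back into the page."""
    sql = "SELECT id, title FROM articles WHERE id = " + id_param
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_safe(conn, id_param):
    """Hardened form: validate the parameter's type, then bind it as a
    placeholder so its content can never be parsed as SQL. A bad value yields
    a generic rejection rather than a database error message."""
    if not id_param.isdigit():
        return {"rows": [], "error": "rejected: id must be a positive integer"}
    rows = conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(id_param),)
    ).fetchall()
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'"):
        print("vulnerable", repr(probe), lookup_vulnerable(db, probe))
        print("safe      ", repr(probe), lookup_safe(db, probe))
```

Running the block shows the difference a tester sees: the concatenating handler answers `1'` with an `unrecognized token` style error from the database engine, while the parameterised handler answers with a rejection that reveals nothing about the query. The same idea carries over to PHP (prepared statements via PDO or mysqli) and ASP.NET (parameterised commands); the language changes, the rule does not.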
11.3 Carrying Out an SQL Attack
Let us assume that our target is website.com/index.php?id=1. The next step is to find out how many columns the SQL database has and how many of them can accept the queries you will use. Append the statement “order by” to the URL so that it appears like below:
http://www.website.com/index.php?id=1 order by 1
Start with 1 after “order by” and keep increasing the number until the page returns an error. When you see an error, it means that you have exceeded the maximum number of columns the database has. For instance, if you get an error when you get to “order by 8”, it means that the database has 7 columns.
The next step is to find out which columns can accept queries and are hence open to exploitation. You can do this by adding a hyphen (-) before the 1 after id= and then appending the statement “union select” to the URL, much like the “order by” statement in the previous step, except with a list of columns to make this process faster. Your new URL should look like this:
http://www.website.com/index.php?id=-1 union select 1,2,3,4,5,6,7
This query will return the list of column numbers that can accept database queries from you. Note these columns to inject the SQL statements.
11.4 Exploiting the SQL Database
Once you determine which columns to direct your SQL queries at, you can then begin the actual hack of the database. From this point on, you will rely on union select statements to carry out the attack. If you are not familiar with manipulating SQL databases, perhaps this is the time to get a crash course to be able to exploit the vulnerable SQL database.
Some of the most common things you can query include listing all the databases available, finding out the ID and username of the current user, finding out the names of all or the vulnerable columns, and which data types they accept. Note that the columns are where the web pages store all website information, including customer names, email addresses, last login times, etc.
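Every probe described in sections 11.2 through 11.4 leaves a trace in the web server's access log: an apostrophe, an incrementing `order by N`, and then a `union select` with a column list, usually from one source address and often followed by 5xx responses while the page is still erroring. The block below is an added example, not part of this book, of a small detector for that sequence. It parses constructed Apache-style log lines (the IPs are documentation addresses and the timestamps are made up), URL-decodes each query parameter, matches it against the three probe shapes, and summarises per source address how many probes were seen and how many drew an error page. The log format regex and pattern names are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log (Apache combined-style, trailing fields omitted); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 812
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=1%20order%20by%201 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /index.php?id=1%20order%20by%208 HTTP/1.1" 500 812
203.0.113.5 - - [10/Oct/2023:13:55:55 +0000] "GET /index.php?id=-1%20union%20select%201,2,3,4,5,6,7 HTTP/1.1" 200 4870
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /gallery.php?id=12 HTTP/1.1" 200 9031
"""

# Assumed log layout: client ip, two '-' fields, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The three probe shapes this chapter describes, matched case-insensitively on decoded values.
PATTERNS = [
    ("apostrophe", re.compile(r"'")),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.IGNORECASE)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)),
]


def classify_request(path):
    """Return the sorted list of probe names found in any query parameter of the request path."""
    query = urlsplit(path).query
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes once; decoding again catches double-encoded values (%2527).
        decoded = unquote_plus(value)
        for label, pattern in PATTERNS:
            if pattern.search(decoded):
                hits.add(label)
    return sorted(hits)


def scan_log(text):
    """Parse each log line and keep only requests that match at least one probe pattern."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        hits = classify_request(match["path"])
        if hits:
            events.append({"ip": match["ip"], "status": int(match["status"]),
                           "path": match["path"], "hits": hits})
    return events


def summarise(events):
    """Per source address: probe count, how many produced a 5xx, and which probe kinds appeared."""
    summary = {}
    for event in events:
        entry = summary.setdefault(event["ip"], {"probes": 0, "errors": 0, "kinds": set()})
        entry["probes"] += 1
        if event["status"] >= 500:
            entry["errors"] += 1
        entry["kinds"].update(event["hits"])
    return summary


if __name__ == "__main__":
    for ip, stats in summarise(scan_log(SAMPLE_LOG)).items():
        print(ip, stats["probes"], "probes,", stats["errors"], "errors:", sorted(stats["kinds"]))
```

A source that moves through all three kinds in a short window, with 5xx responses interleaved, is the signature of the manual walkthrough in this hour; the same rule, with a rate threshold, also catches automated tools that send the probes far faster. Seeing the pattern in the log is only the alert, though: the durable fix is the parameterised query and a page that never echoes database errors, which removes the signal the attacker depends on.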
11.5 Conclusion
This demonstration of an SQL injection hack, carried out on a web page you have permission to hack, is a clear demonstration that you need no special knowledge or tools to infiltrate information on an insecure web page on the internet. But that is not all; it can get even easier.
The SQLMAP tool that comes bundled with your Kali Linux (assuming you did not download the light version) is built to find such vulnerabilities with even greater ease and speed. You can download it for free from sqlmap.org if your version of Kali Linux does not have it or if you use a different operating system.
SQLMAP can scan web pages and send header requests to determine which ones are vulnerable to SQL injection, then present you with the list on a silver platter. It is fun to use, especially if you plan on being a more proactive white hat hacker who does this more often.