SQL Injection
Welcome to the SQL Injection module. This note will guide you through all the methodologies that I used while preparing for the CEH (Practical) exam.
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details.
What is SQL?
SQL stands for Structured Query Language, which is a computer language for storing, manipulating, and retrieving data stored in a relational database. SQL is the standard language for relational database systems. MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (native format), etc.
You can learn SQL Injection basics from the given link below.
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
Stick a single quote (') in a parameter and see if it throws a database error (and note what kind).
Another simple test:
Other tests:
You can also attempt to inject parameters passed using POST requests, but you'll need Burp or Firefox tamper to view and edit them. For example, you can test a parameter by adding a ' at the end, like lang=en'.
If you find a poorly-sanitized login page, you can attempt to log in without credentials by injecting the username parameter:
The exact syntax for injection will vary by database type. In most lab scenarios, the database will be MySQL.
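As an added example (not part of the original notes), the two behaviours described above, the single-quote probe that produces a database error and the login bypass through the username parameter, reproduced against a constructed in-memory SQLite table, with the string-concatenated query beside the parameterized fix that closes both:

```python
import sqlite3


def make_db():
    """Constructed sample users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query text is built by concatenation: whatever the user types becomes
    # SQL syntax, so a stray quote breaks the statement and OR/-- rewrites it.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Placeholders: the driver passes input as data, never as query syntax,
    # so quotes and comment markers are matched literally against the column.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(login, conn, username, password):
    """Run a login function and report ('ok', user) or ('error', message)."""
    try:
        return ("ok", login(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("'", "x"), ("' OR 1=1 --", "x")]:
        print(repr(user), "vulnerable:", probe(login_vulnerable, db, user, pw))
        print(repr(user), "safe:      ", probe(login_safe, db, user, pw))
```

Running it shows the concatenated query erroring on the lone quote and returning alice for the commented-out password check, while the parameterized version returns None for both and only succeeds with the real credentials.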
Get version:
You can get the number of columns through trial and error using ORDER BY. For each query, increase the column number until the database throws an unknown column error:
Get the current user:
See all tables:
Get column names for a specified table:
Get usernames and passwords (0x3a is the hex encoding of the : separator):
You might be able to write to system files, depending on permission levels, using MySQL's INTO OUTFILE clause to create a PHP shell in the web root:
I suspect you could inject a full reverse shell in there too...
Assuming you've tested a parameter with ' and it is injectable, run sqlmap against the URL:
It may not run unless you specify the database type.
Get the databases:
Get the tables in a database:
Get the columns in a table:
Dump a table:
If the URL isn't accessible, you can pass cookie data or authentication credentials to sqlmap by pasting the POST request into a file and using the -r option:
If you just need to pass a cookie:
If your URLs have no parameters, you can still test them: