Although there are thousands of potential exploits designed
to take advantage of improperly designed websites, SQL injection is by
far one of the most effective, easiest, and far-reaching attacks. SQL
injection attacks are reported on a daily basis as more and more
websites rely on data-driven designs to create dynamic content for
readers. These dynamic designs use MySQL or another database system
which probably relies on SQL; thus making them vulnerable to attack.
Since a SQL Injection attack works directly with databases,
you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.
In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only.
If you successfully breach a website that does not belong to you, you
are in violation of federal law and could face incarceration and hefty
fines. That said, it is useful to understand how SQL injection works so
that you can prevent it from occurring on your own website.
What is a SQL Injection?
SQL injection is a code injection technique that exploits a
security vulnerability within the database layer of an application.
This vulnerability can be found when user input is incorrectly filtered
for string literal escape characters embedded in SQL statements.
Although SQL injection is most commonly used to attack
websites, it can also be used to attack any SQL database. Last year, a
security company reported that the average web application is attacked
at least four times per month by SQL injection techniques. Online
retailers receive more attacks than any other industry with an online
presence.
Picking a Target
The first step to performing a SQL injection attack is to
find a vulnerable website. This will probably be the most time-consuming
process in the entire attack. More and more websites are protecting
themselves from SQL injection meaning that finding a vulnerable target
could take quite some time.
One of the easiest ways to find vulnerable sites is known
as Google Dorking. In this context, a dork is a specific search query
that finds websites meeting the parameters of the advanced query you
input. Some examples of dorks you can use to find sites vulnerable to a
SQL injection attack include:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
Of course, there are many others as well. The key component
of these specialized search queries is that they all focus on websites
that rely on PHP scripts to generate dynamic content from a SQL database
somewhere on the backend of the server. You can learn more about
advanced Google search techniques in Unleash Google Search.
Remember that a SQL injection attack can work on any SQL
database, but PHP-based websites are usually your best targets because
they can be set up by just about anyone (i.e. WordPress) and often
contain lots of valuable information about customers within the database
you are attempting to hack.
However, just because Google pops up with a result using
these dorks does not mean it is vulnerable to attack. The next step is
to test each site until you find one that is vulnerable.
Navigate to one of the websites you found. For this
example, assume that one of the search results is
http://www.udemy.com/index.php?catid=1. To find out if this site is
vulnerable to SQL injection, simply add an apostrophe at the end of the
URL like this:
http://www.udemy.com/index.php?catid=1’
Press enter and see what the website does. If the page
returns a SQL error, the website is vulnerable to SQL injection. If the
page loads normally, it is not a candidate for SQL injection and you
should move on to the next URL in your list.
The errors you receive do not matter. As a general, if the
website returns any SQL errors, it should be vulnerable to SQL injection
techniques.
At this point, understanding SQL is even more important as
you will begin manipulating the database directly from the vulnerable
page. Practical SQL Skills is a solid resource for beginner and intermediate users.
Starting the Attack
After locating a vulnerable site, you need to figure out
how many columns are in the SQL database and how many of those columns
are able to accept queries from you. Append an “order by” statement to
the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Continue to increase the number after “order by” until you
get an error. The number of columns in the SQL database is the highest
number before you receive an error. You also need to find out what
columns are accepting queries.
You can do this by appending an “Union Select” statement to the URL. A union select statement in this URL would look like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example.
Before the number one (after catid), you need to add a hyphen (-). Also,
the number of columns you discovered in the previous step is the number
of digits you put after the union select statement. For instance, if
you discovered that the database had 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
The results of this query will be the column numbers that
are actually accepting queries from you. You can choose any one of these
columns to inject your SQL statements.
Exploiting the Database
At this point, you know what columns to direct your SQL
queries at and you can begin exploiting the database. You will be
relying on union select statements to perform most of the functions from
this point forward.
The tutorial ends here. You have learned how to select a
vulnerable website and detect which columns are responsive to your
queries. The only thing left to do is append SQL commands to the URL.
Some of the common functions you can perform at this point include
getting a list of the databases available, getting the current user,
getting the tables, and ultimately, the columns within these tables. The
columns are where all of the personal information is stored.
Using this information, you can search for vulnerabilities
within your own websites and perform penetration testing for others.
Remember that what you do with this information is solely your
responsibility. Hacking is a lot of fun – but it doesn’t mean you have
to break the law to have a good time.