Though there are many vulnerabilities, SQL injection (SQLi) has it’s own significance. This is the most prevalent and most dangerous of web application vulnerabilities. Having this SQLi vulnerability in the application, an attacker may cause severe damage such as bypassing logins, retrieving sensitive information, modifying, deleting data. Sometimes this costs life when it comes to Healthcare, Banking domains. Okay introduction apart, the objective of this article is to exploit and read some sensitive data from the database. If you don’t know what exactly is this SQLi then read my other article which may throw some light. I am splitting the subject into two parts, having everything in one might throw you out of interest.
Now, lets get started. Launch your bee-box and login to bWAPP, select SQL injection GET/Search.
Now search for any movie and observe the URL. Since it’s a query string you should see the movie name in the URL. Let’s check the source code for better understanding of implementation.
The above SQL statement will retrieve a movie with given input as title. Since it is using ‘like’ operator in the statement, system will retrieve data which contains the user input. Search with a keyword ‘iron’ it retrieves iron man movie. Now let’s try to get some sensitive information by causing an error. Just search with a single quote (‘). You should see an error.
It’s most common attack vector to find the vulnerability when you don’t have access to the source code. I’ll post an SQLi cheat sheet later. For now we will do some manual analysis. To break the constructed SQL statement try searching with
test’ or 1=1– (space after double hyphen). This retrieved all the movies list
This is the query which was executed when you tried with a conditional statement
SELECT * FROM movies WHERE title LIKE ” or 1=1–
(condition returns true all the time)
There are types of SQLi, Error based, Blind, Union, Time based.
Blind SQL Injection Attack, in simple terms attacker never know what exactly happened when he exploited with SQLi. The page with vulnerability may not be displayed. This attack is usually time intensive since we need to craft many malicious requests until we find a vulnerable parameter. So instead of doing it manually we need to employ several tools like SQLmap, NMAP scripts, Burp, ZAP etc…
Error-Based SQL Injection, this is the quickest technique of SQL Injection
exploitation. Generally the valuable information of various DBMS will be stored into the error messages in case of receiving illegal SQL expression. This technique is used to check if any error of SQL expression processing occurred. So far, what we’ve done is an Error-Based SQL injection
Union Based SQL injection, this injection allows attacker to extract information with ease. The UNION operator will only be used if both queries have the exact same structure, mostly used for clubbing multiple Select statements. You can try with below examples in Search movies Page
examples: (space after the double hyphen)
test’ union select 1,1,1,1,1,1,1–
test’ union select 1,login,password,email,secret,1,1 from users–
You can also run an automated scan with SQLMAP or ZAP/Burp. Try to exploit SQL injection GET/Select, POST/Search functionalities is bWAPP.
Time Based SQL injection, this injection is related to time. You may say ‘Hey query get response after 15 seconds’. The query time is controllable using vulnerable parameter (ex: test’ / sleep(15) / ‘), which cause the request to take additional 15 seconds to return the response.
I hope you are now familiar with most dangerous injection SQLi.
I’ll post few more articles on SQL injection to understand much more better. If you think I missed anything, please post a comment below.
Check my next article SQL injections – Part 2.