SQL Injection (SQLi): Roadmap | Part 1

Praddyum Verma
5 min read · May 26, 2021


A scene from Money Heist

Let’s start with some basic questions :)

  1. What is SQLi?
    Structured Query Language injection, or SQLi, is a way of abusing the SQL queries a website runs in the background to retrieve the data stored in its database (the Royal Mint, in Money Heist terms). Data is the new oil, so if this vulnerability is found on a website it is close to getting access to the company's wealth.
  2. Who should read this article?
    Anyone looking to learn about a P1-P2 severity vulnerability in websites, or maybe you are just a Money Heist fan.
  3. Prerequisites to at least understand the article?
    - SQL commands (learn now)
    - Knowledge of how a website works at a basic level
    - Understanding of the types of HTTP requests (learn now)
    - At least having heard of Burp Suite (learn now)

I have just finished exploring SQLi, and one thing I noticed in online blogs is that people tend to skip manual enumeration, which is bad for conceptual understanding. So try not to jump straight to tools like sqlmap or DSS Scanner; take down your initial targets with manual enumeration instead. But before I lay out the path, let me give you a hands-on feel. Visit Link and complete the steps as they pop up.

I hope you tried the lab mentioned above, and maybe you are now wondering what actually happened there.

So the game is all about using SQL queries to do something the application never expected a user to do. Let's understand it with an example. We have a login page:

Login page of Bank of Spain

Now let's say that in the background, after taking input from the user, it runs the following SQL query:

SELECT * FROM users WHERE username='Governor' AND password='h0n3st'

Here Governor and h0n3st are the user-provided inputs. Let's say Rio (you) has hijacked the bank and now wants to log in to the portal as Governor (this account has admin powers) to find the location of the safe room. You started with common passwords with no success, then you thought of SQL injection and gave the input Governor'-- as the username (with any password, say random),

which runs the following query

SELECT * FROM users WHERE username='Governor'--' AND password='random'

So what actually happened 🤔? Let's break the query down.

  • The first thing to notice is that "--" (two hyphens, no space between them) starts a comment, i.e. everything after it is ignored by the database. So the query that actually runs in the background is
SELECT * FROM users WHERE username='Governor'--
  • The reason for the single quotation mark after Governor is to balance the single quote already in the query, i.e. we use it to close the username string. Had we not supplied the single quote, the "--" would have been treated as part of the username string and the login would fail:
SELECT * FROM users WHERE username='Governor--' AND password='random'
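To see this mechanism run, here is an added example (not code from the original post) that builds a throwaway SQLite database with a constructed users table, sends the Governor'-- input through a backend that concatenates strings, and then through the parameterized version a defender would ship. The table, rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for the article's Bank of Spain users table.
_SEED = [("Governor", "h0n3st", "admin"), ("Rio", "t0ky0", "user")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", _SEED)
    return con


def login_vulnerable(con, username, password):
    """The article's backend: user input is pasted straight into the SQL text.
    Returns the role of the matched row, or None when nothing matches."""
    sql = (f"SELECT role FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """The fix: placeholders make the driver pass the input as data, so a quote
    or a -- inside it can never change the structure of the statement."""
    sql = "SELECT role FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """A legitimate login, then the Governor'-- trick against both backends."""
    con = make_db()
    payload = "Governor'--"   # the username from the article; -- comments out the rest
    return {
        "legit": login_vulnerable(con, "Governor", "h0n3st"),
        "bypass_vulnerable": login_vulnerable(con, payload, "random"),
        "bypass_parameterized": login_parameterized(con, payload, "random"),
    }


if __name__ == "__main__":
    # {'legit': 'admin', 'bypass_vulnerable': 'admin', 'bypass_parameterized': None}
    print(demo())
```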

I hope the idea is clear so far, but it's not always this easy: SQLi comes in various types, each with its own characteristics. Don't worry, we'll discuss them all as we move through the article.

So the question arises: how do you identify a SQL injection vulnerability?

  • Look for parameters passed in GET, POST, headers and cookies.
  • Submit ' in those parameters and look for errors or other anomalies.
  • Try to identify the database type so that you can determine which syntax to use.
  • If the previous steps show anything, try submitting boolean-based conditions like OR 1=2 and OR 1=1 and look for a change in the application's behaviour.
  • You can also use time-based SQL queries and look for a change in response time.
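As an added example that is not part of the original post, the following detector applies this checklist from the defender's side: it pulls the GET parameters out of constructed access-log lines and flags the probes described above (a stray quote, OR 1=1 style tautologies, ORDER BY counting, UNION SELECT). The log format, the signature set and the sample lines are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the probes in the checklist, applied to each decoded parameter value.
# Kept narrow so that a name like O'Brien is not flagged; time-based probes are better
# caught by baselining response times than by a text pattern.
SIGNATURES = [(name, re.compile(pat, re.I)) for name, pat in [
    ("quote_probe", r"'\s*(?:$|--|(?:or|and|union|order)\b)"),
    ("boolean_tautology", r"\b(?:or|and)\s+'?\w+'?\s*=\s*'?\w+'?"),
    ("order_by_probe", r"\border\s+by\s+\d+"),
    ("union_select", r"\bunion\s+(?:all\s+)?select\b"),
]]

# Request line inside a combined-log-format entry (assumed log format).
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_params(params):
    """params: iterable of (name, decoded value). Returns [(name, signature), ...]."""
    hits = []
    for name, value in params:
        for sig_name, rx in SIGNATURES:
            if rx.search(value):
                hits.append((name, sig_name))
    return hits


def scan_log_line(line):
    """Extract the GET parameters from one access-log line and scan them. Access logs
    do not carry POST bodies; feed those to scan_params() from a WAF or app log."""
    m = _REQ.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return scan_params(parse_qsl(query, keep_blank_values=True))


# Constructed sample lines: benign traffic followed by the probes from the checklist.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2021:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/May/2021:10:00:02 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 310',
    '10.0.0.9 - - [26/May/2021:10:01:10 +0000] "GET /filter?category=Gifts%27 HTTP/1.1" 500 88',
    '10.0.0.9 - - [26/May/2021:10:01:12 +0000] "GET /filter?category=Gifts%27+OR+1%3D1-- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [26/May/2021:10:01:20 +0000] "GET /filter?category=Gifts%27+ORDER+BY+3-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [26/May/2021:10:01:25 +0000] "GET /filter?category=%27+UNION+SELECT+NULL,NULL-- HTTP/1.1" 200 900',
]


def scan_log(lines=SAMPLE_LOG):
    """{line index: hits} for every line that trips at least one signature."""
    return {i: h for i, line in enumerate(lines) if (h := scan_log_line(line))}
```

A 500 next to a flagged parameter, as in the sample lines, is the error leak the checklist tells the tester to look for, so it is worth alerting on the pair.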

In this article we'll be focusing on SQL injection in GET and POST parameters only. You have seen one example above, and you can also try it at this link: just replace the number with and you'll see the error.

So, assuming you now know the steps to find SQLi entry points, let's talk about the UNION-based attack. If you know the UNION operation in SQL, you must also know its requirements:

  • Every SELECT statement within UNION must have the same number of columns
  • The columns must also have similar data types
  • The columns in every SELECT statement must also be in the same order

So what we'll do with UNION is fetch details from other tables in the DB through the SQLi endpoint. But before that, we have to work out the number and data types of the columns returned by the query behind the SQLi endpoint we are dealing with.

Method to determine the number of columns:

  • ' ORDER BY 1 --
  • ' ORDER BY 2 --

Keep increasing the number until you get an error. The number of columns is always one less than the first value that produces an error.

Method to determine the data type of each column. Let's say we found, using the method above, that there are 2 columns.

  • ' UNION SELECT NULL,NULL --

Here again we added the double hyphens "--" at the end. Since this query now succeeds, put "abc" in place of a NULL to determine which data type matches; try each and every permutation. The same can often be guessed by looking at the output rendered on screen.

Now that we know the number of columns and their types, we can fetch the details of, say, the user table with the input

  • ' UNION SELECT username, password from user --

which will execute the following query

SELECT * FROM content WHERE category='' UNION SELECT username,password from user--' AND password='random'
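The column-counting walk and the NULL probe can be reproduced against a constructed two-column query; this is an added example and not code from the original post. It uses SQLite, which rejects an out-of-range ORDER BY with an error like other databases but does not enforce column types, so the "abc in place of NULL" step is database-specific and would not error here. The content and user tables, their rows and the function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: the article's two-column content query and a user table.
_CONTENT = [("Gifts", "Mug"), ("Gifts", "Scarf"), ("Pets", "Leash")]
_USERS = [("Governor", "h0n3st"), ("Rio", "t0ky0")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content (category TEXT, name TEXT)")
    con.execute("CREATE TABLE user (username TEXT, password TEXT)")
    con.executemany("INSERT INTO content VALUES (?, ?)", _CONTENT)
    con.executemany("INSERT INTO user VALUES (?, ?)", _USERS)
    return con


def filter_vulnerable(con, category):
    """The article's endpoint: category is concatenated into the SQL text.
    Returns ("ok", rows) or ("error", message), the way a leaky app would."""
    sql = f"SELECT category, name FROM content WHERE category='{category}'"
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def filter_parameterized(con, category):
    """The fix: the whole input is bound as one string value, never as SQL."""
    sql = "SELECT category, name FROM content WHERE category=?"
    return "ok", con.execute(sql, (category,)).fetchall()


def count_columns(con):
    """The ORDER BY walk: the first n that errors is one past the column count."""
    n = 1
    while filter_vulnerable(con, f"' ORDER BY {n}--")[0] == "ok":
        n += 1
    return n - 1


def demo():
    con = make_db()
    leak = "' UNION SELECT username, password from user--"
    return {
        "columns": count_columns(con),
        "null_probe": filter_vulnerable(con, "' UNION SELECT NULL,NULL--"),
        "leak": filter_vulnerable(con, leak),
        "fixed": filter_parameterized(con, leak),   # no user rows come back
    }


if __name__ == "__main__":
    print(demo())
```

The "error" branch is what a tester reads to count columns; returning a generic message instead of the database's own text denies that signal even before the query is parameterized.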

In this example we took the database type for granted, but recon on the database type is the most important part. You can also use this cheat sheet to determine the syntax for different database types. I'll be covering Blind SQLi in the next blog; until then you can visit the resources I have mentioned below.

Resources

  1. To learn in depth: PortSwigger Academy
  2. To practice your skills: SQL Injection room
  3. Payload cheat sheet: PayloadsAllTheThings

Also remember


Written by Praddyum Verma

A very enthusiastic and learning-oriented person with a mentality of over-promising and over-delivering, with experience working as a freelancer.
