Advanced SQL Injection
This course provides you with a deep dive into SQL Injections, covering some of the more advanced techniques. We're going to see what a blind injection is and look at the alternative tests that we can use to find SQL vulnerabilities. We're going to talk about hex representations, reading and writing files and we're also going to see how to hack into a server using a SQL Injection type of vulnerability.
Hi, within this section, we're going to focus on SQL Injections and some kind of advanced implementations this time because, as I said before, in real web testing, in real web pentesting and bug bounty hunting, SQL Injection is one of the most popular things, one of the most faced vulnerabilities that we're going to see. However, they may be a little bit concealed or they may be behind the firewall, so they may have some kind of filtering going on. In order to see all of those things, we're going to go into DVWA and login with the admin and password as indicated in here, okay?
So, if you don't know how to open Metasploitable and go into DVWA, please go back to previous sections and see the Metasploitable installation. So, let me open my terminal and go to the documents because I'm going to open this sqlinjection.txt, this is the file that we have been working on so far, remember? So, I'm going to open this, okay? We have our notes from the previous section so that we know what to do and when to do it, okay? Now we have completed this union select and we have seen the GET method, the POST method and every detail that we need to do, but of course we can actually take this a little bit further in this case. So, as you can see there is a SQL injection in here in the DVWA as well, this is a user ID retrieval kind of thing, so if we give an ID it will give us the name and the surname, like you can just try 1, 2, 3, okay? So, this is a very simple scenario as you can see and we can inject some SQL code over here to retrieve much more information. But also we have a SQL Injection Blind over here which is much more common in real web pentesting. So, it works in the same way, okay? So, there is nothing different over here. But 'Blind' means that you don't get to see so many error messages, detailed error messages. You don't get to see the things that are not working, okay? So, it is a little bit harder to execute. Before, we knew when we made an error, right? When we misspelled something or when we just understood that the column names or column numbers were wrong, we fixed it.
So, what do I mean by blind? Let's go to command execution for a second, okay? So, this is a ping for free. If you just write google.com, it should have pinged it, so let me open this and try it in the terminal, ping google.com, let's see if there's any connectivity issue in here. Yeah, no, it's pinging, so there's nothing wrong with my Internet connection, okay? This should have worked. So, if I type an IP address rather than a domain, let's see if that works. Let's copy this IP address of Google and try to ping it, okay? And see if that's the case. No, it says. Yeah, it's working right now, okay? We should have given some IP address. So, if I do something like this with a semicolon. No, it doesn't work. Let's do it with OR or something like an AND operator, like a piping operator, as we have seen before, the piping sign, okay? It doesn't display, let's go back to security, yes, because it's secure right now. We have to take this to low, okay? And come back here and come over here and try ls one more time. So, if you try ls, as you can see we see the ls result over here. So, even if we didn't see this, maybe still there is a command execution vulnerability, right? So, what do I mean?
Maybe if I just put a netcat over here, I can hack into this website, right? But maybe it doesn't display results back to me. So, if you don't see the results or if you don't see the error messages or if you don't see anything, it doesn't mean that it doesn't have that vulnerability specifically, right? So, even if you don't get an error message, even if you're not on track, if you feel like there is nothing wrong here, you shouldn't quit. You should try the other ways of retrieving information as well. So, in this case we are pretty certain there's a command execution, but in the SQL Injection Blind thing, maybe we don't see, we won't see any kind of errors. If we do something like a simple injection like that over here, okay? Maybe we won't see any result as well, but it's still worth a shot to continue and test for other things. So, let's try one of these over here, okay? So, remember we use that to confirm this is injectable. So, I'm going to just say 1, a single quotation mark, and or 1=1. And if I submit, as you can see I get the admin but we don't get anything else because that's the way it's supposed to work actually. And if we do the same thing over here we're going to have the same result back. So, as you can see sometimes you get the same result but sometimes you don't get it. Because why? Because, for example, rather than that I'm just going to give a simple quotation mark, like a single quotation mark over here, okay? So, rather than just doing this I'm just going to give it this and see what happens. Not giving an ID but a single quotation mark. So, if I do this over here, now I won't get any result back. So, it's not giving me any result, it doesn't seem injectable, it seems it's perfectly working. But if I do this in the SQL Injection, as you can see, I get the result back. I get an error message. So, in here I get an error message, but in Blind I don't even get an error message. So, it seems it isn't injectable, okay?
But it is, it is injectable, and the fact that we are not seeing an error message is a good thing for security purposes. However, we can still further try to get the results or get the things as we have done in the previous section and we will see that it's going to work. So, let's see what we can do over here. I'm going to do a union select one more time and try to find out about the table names, okay? So, I'm basically going to do the same thing that we have done over here. Of course, except the WHERE clause, because we're not even in the OWASP 10 anymore, we are in a completely different database right now. So, I'm just going to paste the thing over there, okay? So, I'm selecting the table_name from the information_schema.tables as we have done in the previous section. So, I don't even know if there are five columns over here, right? So, we haven't tried it yet. I'm just going to try it like that and see if this works or not. If it doesn't work, I'm just going to try something else. Of course, we have to put # over here. I'm going to submit this and as you can see we don't get anything back. So, we don't know if it's injectable or not. So, this is a case where you might go into despair and think that nothing is ever going to work in here, so it's not injectable, but you have to try further. So, I'm going to copy this over here, paste the thing over there and of course with a #. So, maybe there is something wrong with the column numbers, okay? Let me take this to the non-Blind SQL Injection. So, we're doing this currently for five columns, maybe there are four columns, we don't know it, right? So, I'm going to try for every scenario. So, I'm going to say four columns right now and I'm going to submit and it doesn't work. So, rather than four, I'm going to delete this and I'm going to have three columns. And I'm going to take this and try it, and here we go, it doesn't work, and I'm not getting any error messages, but I'm going to try this as well, two columns, okay?
1 and table_name from information_schema.tables. And if I submit this, here we go. Finally, I found the thing. So, there were two columns on the left hand side, so we have to adjust this to the right hand side and here we have all the table names from the information schema. So, that's it. Even though we didn't see any progress, even though we didn't see any error messages like we used to see, we still find our way, we still found our way into the database, okay? So, that's the Blind SQL Injection. We're going to stop here and continue with the SQL Injection in the next lecture as well.
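As an added example (not DVWA's code and not from the course), here is a small Python/sqlite3 model of the user ID lookup page from the lecture: the string-built query in its non-blind form (errors echoed) and its blind form (errors swallowed), beside a parameterised fix. It shows why a lone quote produces an error on one page and nothing on the other while the underlying query breaks in both, and why the fix makes the distinction irrelevant. The users table, its rows and the use of SQLite's `--` comment in place of MySQL's `#` are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the DVWA "User ID" lookup page: a tiny in-memory
# users table (not DVWA's real schema) queried by the two lookup functions below.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn

def lookup_vulnerable(conn, user_id, blind):
    """String-concatenated query, the shape of DVWA's low-security page.

    blind=False echoes the database error to the caller (the non-blind page);
    blind=True swallows it and returns nothing (the blind page), which is why
    a lone quote looks harmless there even though the same query broke.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return [] if blind else [("ERROR", str(exc))]

def lookup_fixed(conn, user_id):
    """Hardened version: validate the type, then bind the value as a parameter.

    The input is never spliced into SQL text, so a quote, OR 1=1 or UNION
    SELECT is just a string that fails the integer check and matches nothing.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (uid,)
    ).fetchall()

def demo():
    """Run the lecture's probes against both versions; returns a dict of results."""
    conn = make_db()
    # SQLite comments are '--', so the MySQL '#' from the lecture is swapped here.
    probes = {"normal": "1", "quote": "'", "tautology": "1' OR 1=1 --"}
    return {
        name: {
            "verbose": lookup_vulnerable(conn, payload, blind=False),
            "blind": lookup_vulnerable(conn, payload, blind=True),
            "fixed": lookup_fixed(conn, payload),
        }
        for name, payload in probes.items()
    }
```

The "blind" column of `demo()` is empty for both the lone quote and a valid-looking but broken query, which is exactly the silence that tempts a tester to declare the page safe.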
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.