Advanced SQL Injection
This course provides a deep dive into SQL injection, covering some of the more advanced techniques. We will see what a blind injection is and look at the alternative tests we can use to find SQL vulnerabilities. We will talk about hex representations and about reading and writing files, and we will see how a SQL injection vulnerability can be used to take over a server.
Hi, in this lecture we're going to cover how hackers can use SQL injection to read files from a website's server, or even write files there, neither of which they are authorized to do. So this is going to get very serious. Make sure you set the security level to low before we go on, so that we can understand the fundamentals. I'm going to go back to our SQL Injection page. There is no need to do this under the blind variant; it would work the same way there, but you wouldn't get the error messages. First, let's see how we can read a file. We covered a lot in the SQL injection sections, and along the way, whether we realized it or not, we were already using some special functions: database(), user(), version(). These are functions we can call inside our SQL commands. Now we're going to see a couple more of them, so that we can understand how to read files, and how to write files if the database account is allowed to. The first function I'm talking about is load_file(). If you write load_file('/etc/passwd'), it loads the file /etc/passwd and shows the result back to you. So rather than writing database() as before, we write the same kind of union select and put load_file() in the first or second column, whichever you want, as long as it is a column that is actually displayed, not something like the third column if that one is empty or null.
I'm going to do it in the second column with /etc/passwd; make sure you write it exactly the same: load_file('/etc/passwd')#. Let's see if this works. By the way, we know what the medium security level does: it blocks the single quotes. That's why I lowered it. As you can see, we got the result back; we managed to read /etc/passwd. Of course, this doesn't mean we get to see every file we want. For example, if we try /etc/shadow instead of /etc/passwd, maybe we won't get a result. Maybe we will, let's see. Here we go: we cannot see /etc/shadow, but we can see /etc/passwd. So try to find your way here. And you know the quotes are blocked at medium, so you could try to bypass that filter as well, but we have already done that, so I'm not going to bother with it again.
We are here to learn about reading and writing files. So we managed to retrieve a file, and you can always try other files inside a Linux system as well. I'm going to copy this and paste it over here, because we're going to learn something new. I'm going to write null instead of 1 in the first column. In some scenarios 1 won't work and you'll have to write null to get the result back, and in others it's the other way round, so try both in situations like this. That's how we retrieve, or read, files. Writing files is much more important. Well, not much more important in itself, but it can lead to something far more serious, because if we can write files we can try to get code executed, planting malicious code that sends a shell back to us, and take over the website.
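To make the mechanism behind the lecture's union select concrete, here is an added example in Python that is not code from the course or from DVWA. It uses an in-memory SQLite database as a stand-in for DVWA's MySQL back end. SQLite has no load_file(), so the second column carries a constructed secrets table instead; the vector is identical: the value of the id parameter is spliced into the SQL string, so a UNION SELECT decides what the second displayed column contains. The parameterized version binds the very same input as data and returns nothing for it. The users table, its rows and the secrets table are all constructed here.

```python
import sqlite3

# Constructed in-memory schema standing in for DVWA's users table (added example, not the course's code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    # A second table that the page was never meant to display.
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db_password', 'constructed-secret')")
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation: the parameter is parsed as SQL, so a UNION SELECT
    # in it rides along and picks what the displayed columns contain.
    sql = "SELECT first_name, last_name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # Placeholder binding: the parameter is only ever compared as a value,
    # never parsed as SQL, so the same payload matches no row.
    sql = "SELECT first_name, last_name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # SQLite uses -- for comments where the lecture uses # on MySQL.
    payload = "1' UNION SELECT name, value FROM secrets -- "
    print("vulnerable    :", lookup_vulnerable(db, payload))
    print("parameterized :", lookup_parameterized(db, payload))
```

On MySQL the file read from the lecture has two extra preconditions that are worth checking when you assess a deployment: the database account must hold the FILE privilege, and the secure_file_priv variable must permit the path (a directory value limits reads and writes to that directory, NULL disables them entirely, and an empty value imposes no restriction). LOAD_FILE() also returns NULL for any file the mysqld operating-system user cannot read, which is why /etc/shadow stayed hidden while /etc/passwd did not.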
For that we're going to use INTO OUTFILE. Let me show you how it works. I'm going to write 1 in the first column and, in the second column, a quoted string: test. This will be the content of my file. Then, before the #, not after it (you don't close the statement at that point), you write INTO OUTFILE followed by the path and file name to save to. I'm going to write it under opt... no, under tmp. tmp is probably more suitable, because if you have any write access at all it will almost certainly be the tmp folder, the temporary folder, whereas most of the time you cannot write directly into the root folder. So it's always a good idea to start with tmp and see whether that works. I'm going to write /tmp over there and pick a file name, to create my file. Of course, reaching a file in tmp afterwards will be much harder for us than reaching website files under www/html. But this should clearly work, so let's submit it. And here you go.
It says Undeclared variable: file, so I believe we made a mistake. Let's go back and check, and yes, it's a spelling mistake. Look: it says 'test' into file. It should be not into file but into outfile, as I said before. So this is our content, this is the command, into outfile, and this is where we save it. I'm going to try this one more time. Here you go. I believe the file has now been written for us, so we can actually create files in this case. Although, I don't know, maybe it didn't get created after all. Let's try to read that file and see whether it exists.
I'm going to change the load_file() argument to /tmp/test.txt instead of /etc/passwd. I know where my file has been saved because I saved it there. So rather than reading /etc/passwd, I'm going to read /tmp/test.txt and see if we get the content test back; if that works, then we can write whatever we want. Here we go. Now we can read test. That means writing works perfectly as well. So far so good. Next, we're going to find a way to exploit this situation, hack our way into this DVWA and get a reverse shell back from the website. We're going to do that in the next lecture.
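From the defender's side, both of the payloads used in this lecture leave a clear trace in the web server's access log, because the injected SQL travels in the id query parameter. The following added example (my code, not part of the course or of DVWA) scans Apache-style log lines for the load_file(), INTO OUTFILE/DUMPFILE and UNION SELECT markers after URL-decoding the query string; the log lines are constructed to mirror the lecture's requests and are not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic); lines 2 and 3 mirror the lecture's requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1%2Cload_file%28%27%2Fetc%2Fpasswd%27%29%23&Submit=Submit HTTP/1.1" 200 9100
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+null%2C%27test%27+into+OUTFILE+%27%2Ftmp%2Ftest.txt%27%23&Submit=Submit HTTP/1.1" 200 4412
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4530
"""

# Indicators for MySQL file access and the union-based injection that carries it.
FILE_ACCESS_PATTERNS = [
    ("mysql_load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql_into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]

# Common Log Format: client, identd, user, [timestamp], "METHOD url PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value):
    # Decode twice so %2527-style double encoding is caught too, then strip
    # inline /* */ comments and collapse whitespace so keyword regexes match.
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    return re.sub(r"\s+", " ", v)


def scan_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    query = url.split("?", 1)[1] if "?" in url else ""
    decoded = normalize(query)
    hits = [name for name, rx in FILE_ACCESS_PATTERNS if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "indicators": hits,
        "decoded": decoded,
    }


def scan_log(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (scan_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["status"], ",".join(finding["indicators"]))
        print("   ", finding["decoded"])
```

A hit with an HTTP 200 status on a request carrying INTO OUTFILE is worth treating as a probable successful write, since the lecture shows the page responding normally even when the file lands. On the hardening side, the write depends on the same FILE privilege and secure_file_priv setting as the read; INTO OUTFILE also refuses to overwrite an existing file, and pointing secure_file_priv at a dedicated directory, or setting it to NULL where file import and export are not needed, removes the web root and /tmp as targets regardless of the injection.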
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.