Advanced SQL Injection
This course provides you with a deep dive into SQL Injections, covering some of the more advanced techniques. We're going to see what a blind injection is and look at the alternative tests that we can use to find SQL vulnerabilities. We're going to talk about hex representations, reading and writing files, and we're also going to see how to hack into a server using a SQL Injection type of vulnerability.
Hi, within this lecture, we're going to take one more step in the SQL Injection blind thing and we're going to see what else we can do inside of a scenario like this. So, as you can see we have already covered the table names from here, okay? We have already retrieved those table names and we know we can use these functions as well like database, user, version. So, let's try one of these and see if we can make it work. So, I'm going to copy and paste this one more time, okay? But let me just put one over here as an ID placeholder and we're going to have to delete this because we know there are two columns here to retrieve the information. So, first of all I'm going to say database over there and let's do user over there as well. So, I'm going to just try this and see if we can get the database name and the user that it is running on. So, here we go. So, the first name which is the database name and second one is the user that this system is running on. So, we know that the database name is dvwa, okay? So, I'm going to take a note for that. So, this is our database name and user is root. So, I'm going to take this one step further. I'm going to copy and paste over here and we're going to just filter the results, okay? Like here I'm going to save our table schema, our table schema is actually dvwa, we don't need a dot over there. So, let's do this and see the table names but this time it's only going to be for the current database that we are in, and as you can see we have two over there, so guestbook and users. So, we know that this table contains, this database actually contains two tables. So, we know the table names right now which is guestbook and users. It doesn't matter if we do this in SQL Injection and SQL Injection Blind.

Now let me take the security to medium and see what happens. So, let's go to SQL Injection so that we can learn about this. Again, it doesn't matter if we do it over there or elsewhere.
So, for example if we do a single quotation right now, we can see there is an error in the SQL Injection site. So, it's good to see these error messages because we need to understand what's going on in the scenario, but we are learning, okay? So, there's no need to go for the SQL Injection Blind right now. So, I'm going to try this, okay? I'm going to give 1 over here and just paste it and see if it works or not. It worked before but now we increased the security. As you can see we cannot do that. It says that "you have an error in your SQL syntax," and as you can see there's something there, there's something wrong with AND 1=1# at line 1. So, there is some sort of filtering going on over there and we're getting this error message and it doesn't work anymore. So, what do we do? We have to understand how to bypass this kind of thing. So, I'm going to go over to Google and search for SQL Injection cheat-sheet or SQL Injection itself, okay? It will give you a lot of results. So, let me go for cheat-sheet GitHub and just see a couple of options over there. So, you will understand why I am doing this in a minute, okay? I'm going to open all of this stuff and let's see the first one. Here we go. There are some sort of instructions over here but I believe that's not what we're looking for, okay? So, it's saying that try this or 1=1, 1=0, something like this. It's good but it's not giving the payload to us directly, but it's giving some sort of hints to us; as you can see there are plus signs rather than spaces. So, let me just find one of these that works well. No, that's not what we're looking for, let me find this. Here we go. There are some sort of examples but again this is not ready to use; as you can see it actually tells us to try for this stuff but we need some sort of a variation like in here. For example, in this case rather than using spaces it used plus signs.
So, it actually may enable us to bypass the filters or bypass the firewalls in the web pentesting page, okay? So, rather than this for example, rather than # and all of this stuff maybe we can do something like a plus sign rather than spaces, maybe we can do some URL encoding and maybe we can just tweak the characters and write them in lowercase and uppercase as well. So, I'm going to write it manually. I couldn't find a good GitHub page on this one so let me come over here and see what I mean. So, rather than saying, let me just write Advanced SQLi, okay? So, rather than saying a regular union select or regular AND operator, I'm going to tweak it a little bit. So, let me copy this and paste it over there, okay? So, rather than just writing AND or OR we can just make it a little bit different than what we see. For example, we can do 40=40 rather than 1=1, why? Because most of the time developers will try to actually filter the 1=1 thing because most of the hackers try SQL Injection in that way, okay? But we can do 40=40 or maybe one million equals one million, okay? So, that would make much more sense so that we can bypass all the filtering or bypass the firewalls, right? Or rather than spaces I can use plus signs, it will be the same in the URL encoding but it may lead us to bypass these filters. So, over here we can do a lot of variations actually. We can write them in uppercase, lowercase, whatever we want. So, let me just show you an example over there: rather than union, we can write the union like this, okay? So, UnIoN, so it's exactly the same but it has some different characters, it has some random things going on like that. So, maybe union select won't make it because it got filtered out but this will make it, okay? So, try this rather than regular union select like that. So, here we go. This may all work.
We don't know what's going to work in a specific case but it may work, so don't just keep the thing and don't just say, "Yeah, there is no SQL Injection vulnerability in here" without trying all of this stuff. Of course, opening the Burp Suite and testing this with encoding and decoding will also help here. So, let me open the Burp Suite and see what I mean. Let me open this. We have already covered the decoder, right, so I'm going to go straight to the decoder and for example rather than just giving a single quotation mark like that, I'm going to encode it as URL encoding and I'm going to give %27. So, we can just give %20 or rather than # we can just give %23. They will all work fine. So, maybe you may want to change this a little bit as well like %23 or something like that, okay? So, make sure you try everything over here to bypass the actual firewall or the filtering; rather than plus or rather than spaces you can just write it like this and maybe this can actually bypass the filter. So, again in the space over here we have to write %20. So, that's good, right? So, as you can see there is no single rule to bypass all of those things but there are certain things that you can actually try and see. So, let's try one of those in the SQL Injection. As you can see in the regular way, we get an error but it converts them in the same way. So, let me paste this thing after the ID. It doesn't work, okay? So, it converted them back. So, actually I'm using one of these things but it doesn't work as you can see, maybe we can make it work with something like that. Maybe we can change it a little bit, so let's go back and see what we can do. Let me just copy this, okay? And try this to see if it works or not. I'm going to just select everything over here and just paste it over there, but it doesn't work as you can see. Maybe we have to take it one step further and make it a much more advanced SQL Injection. I don't know yet, we're going to try it as well.
For example, sometimes you may come across a situation where you need to omit the single quotation mark like forever, okay? Like try something like this, maybe they filtered out the single quotation mark somehow and it may work without a single quotation at all. So, let me just delete this and see if that's the problem over there. Yes, here we go, it works. So, it's stupid but it works. We just deleted one single quotation mark and we managed to inject SQL code, right? So, it doesn't make sense, but it happens because of the filtering stuff. So, it has to be without a single quotation mark in this case. So, let's try this for example, let's try to gather the table names, okay? But we're going to do it without the single quotation mark. So, let me just copy this and paste it over there without a single quotation mark and here we go. Now we have all the table names. Even though we increased the security, we managed to inject SQL code over there. Right, so this is one of the cases that you might come across or not. So, we don't know what kind of filtering firewalls use or what kind of filtering that website uses in order to protect themselves against SQL Injections. So, we're going to have to try and see. So, that is how you work your way up. That is how you build on the things that you have learned. So, we're going to stop here and continue within the next lecture.
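Every bypass shown in this lecture (mixed-case UnIoN, plus signs and %XX encoding, 40=40 in place of 1=1, and simply dropping the single quotation mark) defeats the same weak design: a substring blocklist sitting in front of SQL that is built by string concatenation, with a numeric id that is never quoted. The Python/sqlite3 example below is added here and is not the course's own code or DVWA's; it puts a lookup of that weak kind beside a detector that normalises input before matching and a lookup that validates the id against an allowlist and binds it as a parameter. The `users` table, the blocklist contents and all function names are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote


# Constructed sample table loosely modelled on the lecture's 'users' table;
# example data only, not DVWA's real schema or contents.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "gordon", "brown"), (3, "pablo", "picasso")],
    )
    return conn


# --- The weak side: a substring blocklist in front of string-built SQL -----------
# Assumed blocklist standing in for the kind of filter the lecture defeats.
NAIVE_BLOCKLIST = ("union select", "1=1", "'")


def naive_filter_allows(raw: str) -> bool:
    """Matches exact lowercase substrings only, so 'UnIoN SeLeCt' and '40=40' pass."""
    return not any(bad in raw for bad in NAIVE_BLOCKLIST)


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str):
    """Unquoted numeric id pasted into the query after the blocklist check."""
    if not naive_filter_allows(raw_id):
        return []
    # The id is not quoted, which is why the lecture's payload without a single
    # quotation mark still works once the quote filter is out of the picture.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {raw_id}"
    return conn.execute(query).fetchall()


# --- Detection: normalise before you match ---------------------------------------
def normalize(raw: str) -> str:
    """Undo the evasions from the lecture: '+' for space, %XX encoding, case, spacing."""
    s = raw
    for _ in range(2):  # two rounds so a double-encoded %2527 still ends up as '
        s = unquote(s.replace("+", " "))
    s = s.lower()
    return re.sub(r"\s+", " ", s).strip()


TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b")  # 1=1, 40=40, 1000000=1000000
KEYWORDS = re.compile(r"\b(union\s+select|information_schema)\b|['#]|--")


def looks_like_injection(raw: str) -> bool:
    """Signature for logging and alerting; a detection aid, not the fix."""
    s = normalize(raw)
    return bool(TAUTOLOGY.search(s) or KEYWORDS.search(s))


# --- Mitigation: allowlist validation plus a bound parameter --------------------
def safe_lookup(conn: sqlite3.Connection, raw_id: str):
    """Rejects anything that is not a plain integer, then binds it as a parameter."""
    if not re.fullmatch(r"\d+", raw_id.strip()):
        raise ValueError("user_id must be an integer")
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "2 OR 40=40"  # the lecture's replacement for 1=1, no quote needed
    print(vulnerable_lookup(db, payload))  # every row: the blocklist never saw '1=1'
    print(looks_like_injection("2+oR+40%3d40"))  # True once normalised
    try:
        safe_lookup(db, payload)
    except ValueError as err:
        print("rejected:", err)
```

The detector is deliberately the secondary control: it catches the lecture's variants only because it decodes and lowercases first, and another variant will eventually slip past any pattern list. The change that removes the bug is in `safe_lookup`, where the id can only ever be an integer and reaches the database as a bound value rather than as SQL text.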
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.