
Confirming SQLi Vulnerabilities


Now that you know about SQL fundamentals, we're going to deep dive into SQL injection in this course. We're going to see how to find vulnerabilities, how to inject commands using said vulnerabilities, and other techniques that allow you to penetrate SQL databases.


Hi, within this lecture, we're going to finally start learning about SQL injections. So, we have already seen how to work with SQL commands, like SQL 101, in the previous section. Now, we're going to deep dive into the SQL commands because we're going to find vulnerabilities, and see how hackers can actually damage the systems using those vulnerabilities: steal some data, or even actually cause damage or delete the database, something like that. And we're going to use Metasploitable 2 for that as well, because it has a very good database that we can discover and use to try to understand SQL injections. So, I'm going to go to 10.0.25, which is the IP address for my Metasploitable 2 machine. If you don't know yours, please watch the previous sections in order to understand how to install Metasploitable and learn about the IP address. Okay, my Kali Linux is working, Metasploitable is working, so I can reach those websites. So, I'm gonna start with Mutillidae, and don't worry, we're going to see SQL injections in different kinds of platforms later on. So, this is what we're going to work with, okay? And we're going to deep dive into SQL injections because it's one of the most important and most popular injections, actually one of the most popular attacks, one of the vulnerabilities that we come across in web app testing. As you can see, in the A1 Injection section we have SQL injections over here. We have Bypass Authentication, Extract Data. We have the other kinds of injections like HTML injections, PHP injections, but we have already covered those; we are interested in this SQL, "sequel", or SQL injection. Okay. And I'm going to start with this Bypass Authentication. Okay? And, as you can see, it brings us a Name and a Password, so it will ask us to sign in. So, we have already created an account over here, I believe, in the previous sections; we can just log in if we want, but we're not going to do that.
Okay, I'm just going to write atil for my name, and for the password, I believe I have chosen 123456. And here we go, we can log in, but that's not what we're after. If we don't have any kind of username, if we don't have any kind of registration, we're going to see how we can actually log in and bypass this authentication thing. So, if you don't have a username yet, you can just create one from here, even though you don't need it. Okay? So, I'm gonna come back here and just give atil, or if you don't have a username, actually you're going to have to work with admin or other administrator accounts, so I believe it will be good for you to create a username so that you can test all this stuff. So, this time, rather than the password, I'm just going to give a single quotation mark like this. You're going to see why in a minute. Okay, so give a single quotation mark in the password section, and in the name input just write your username. So, you're going to see why I have chosen to do so, because it will cause an error most of the time, and as you can see, if you just click Login you will see this error. So again, most of the time this causes an error. But in real life we don't get that kind of detailed information. Okay? You would be very lucky to get that information. So, even though we don't need that kind of specific information to understand if there are any SQL injection vulnerabilities, this would be a very good practice for us to learn and test the stuff. So, this is why we are doing this with Mutillidae. As you can see in the diagnostic information, we have SELECT everything FROM accounts WHERE username is atil AND password is something like this. So, again, in real life we won't see this most of the time, but we don't have to see this. We are just doing this in order to understand what's going on. Okay? So, by the way, if you don't see this, you may come across this in the response in Burp Suite as well. But in this case, we already see it in here.
So, as you can see, I put a single quotation mark in the password sign, in the password field actually, and it caused an error. So why did it cause an error? As you can see, the reason for this error is the single quotation mark, because it didn't understand what to do. It just tried to end the query but it failed. So, let me copy this and show you what I mean. I'm going to open my terminal and I'm going to create a new file, okay? And I'm going to call this SQLi 101 or SQL 101, something like that. I'm going to use Gedit for this. So, if you have Geany or if you have Leafpad or if you have Gedit, you're more than welcome to use whatever you want. You can just use the thing that we have used in the HTML 101 section as well. We just need a text editor. Okay? So I'm going to call this SQL, sqlinjection.txt. Okay? I'm going to take a lot of notes in here. So, the reason why this has caused a crash, let's see. It's selecting everything FROM accounts, and it's doing a filtering with a WHERE clause, and it's filtering the username and the password. So, as you can see, it ends with a quote, like two single quotations. And we managed to put a third one and it caused a problem. Because it should have something like 123456 over here. Okay? It would check for that without any hesitation, without any error. But since we put a single quotation, it just tried to understand what's going on, and it thought that the password ended over here. There is no password field and we put another one, and it just crashed. So, if we can do this, we can do this as well. So, it's asking for username is atil and password is 1. And so, it will check for the username and password, and I can just inject another thing, like another check, another statement in here. And I will make sure that this statement holds. So, this statement is true. And I'm going to say 1=1. So, what does this mean? It means that it will be true. It will be true every time, okay? So, 1 is actually 1=1.
So, if I say 1=2, it will be false every time. But if I say 1=1, it will be true every time. So, what is the point of doing that? If we can check for that, if we say AND 1=1, if we can add this parameter, if we can add this statement to our SQL command, then we can add anything we want. So, we are trying to see if this command will get executed. So, if I add this, how can I add this actually? Rather than giving a regular password like 1 or 123456, something like that, I can just write whatever I want to inject. And it will just take that into consideration. So, how do we know that? How do we do that? Actually, let's try and do that. So, I'm going to copy this stuff, or cut this stuff, and paste it in here. So, whenever I type in the password field, like if I type this '1' AND 1=1, it will add this over here, but it will add another single quotation mark in there as well, because it's adding that after we type whatever in the input field. So, it will break the code one more time if I do this. So, rather than doing this, I should nullify, or I should make the last single quotation invalid. And in order to do that, I can just put a # in here. So, # means don't execute what's coming after this symbol. So, everything after the symbol will be a comment, and we will be executing only this. So, I know this is a little bit complicated, but you will understand when we do many more examples on this. So, if I do something like this, if I type 123456 and 1=1 like this, and it logs me in, then trust me, there is an injection possibility, there is a SQL injection vulnerability, because this is exactly what we are executing on the server, and we are adding an additional parameter, an additional statement over here, and saying AND 1=1. And by the way, in some cases maybe # won't work; then you can do it like this with --. Two dashes also nullify the last single quotation mark that is automatically added by the system.
So you can try this, or you can try the thing below, in the password area. So, I'm going to try this. I'm going to come over here and say atil, and just paste the thing that I have copied and try to log in. So this is the thing that I have copied. You can try to copy this as well, and I believe this will work in this case, so I'm going to go for this one. So, if it logs us in, as you can see it logs us in; if it logs us in, it means that we can inject SQL commands over here. So, we did not do any hacking in this case. We didn't do anything malicious right now, but we understood that there is a SQL vulnerability, because we added this AND 1=1 thing and it worked. Otherwise, it wouldn't work. It would give us some error. It would give some kind of warning to us and say that you are trying to do SQL injections, or it wouldn't display anything back. But in this case, it worked and we are logged in. And again, if this confused you a little bit, then don't worry, we're going to do a lot more examples on this in the upcoming lectures. So let's stop here, and continue with the next one.
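An added example, not code from the lecture or from Mutillidae: the 1=1 / 1=2 check described above, run against a constructed in-memory SQLite accounts table, with the concatenated query (the shape shown in the diagnostic output) next to a parameterized one. SQLite has no # comment, so the -- alternative the lecture mentions is used; the table contents and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the accounts table (sample data, not the app's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('atil', '123456')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, like the diagnostic output
    in the lecture: whatever is typed lands between the quotes unmodified.
    Returns True/False for a login decision, None when the query itself breaks."""
    query = ("SELECT * FROM accounts WHERE username='" + username
             + "' AND password='" + password + "'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        # A lone quote leaves the string unterminated: the error the lecture provoked.
        return None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so quotes and comment
    markers in the input are data, never SQL."""
    row = conn.execute("SELECT * FROM accounts WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


def confirm_injection(login, conn, username, password):
    """The lecture's test: append AND 1=1 and AND 1=2 after the real password and
    comment out the trailing quote the code adds. If the two outcomes differ,
    the appended statement is being evaluated by the database."""
    # SQLite uses '--' (the lecture's fallback) rather than '#'.
    true_case = login(conn, username, password + "' AND 1=1 -- ")
    false_case = login(conn, username, password + "' AND 1=2 -- ")
    return true_case is True and false_case is False


if __name__ == "__main__":
    db = make_db()
    print("lone quote breaks query:", login_vulnerable(db, "atil", "'") is None)
    print("vulnerable login injectable:", confirm_injection(login_vulnerable, db, "atil", "123456"))
    print("parameterized login injectable:", confirm_injection(login_safe, db, "atil", "123456"))
```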


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.