Although there are thousands of potential exploits designed to take advantage of improperly designed websites, SQL injection is by far one of the most effective, easiest, and far-reaching attacks. SQL injection attacks are reported on a daily basis as more and more websites rely on data-driven designs to create dynamic content for readers. These dynamic designs use MySQL or another database system that most likely relies on SQL, and that reliance is what exposes them to the attack.
Since a SQL Injection attack works directly with databases, you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.
In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only. If you successfully breach a website that does not belong to you, you are in violation of federal law and could face incarceration and hefty fines. That said, it is useful to understand how SQL injection works so that you can prevent it from occurring on your own website.
What is a SQL Injection?
SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability arises when user input is incorrectly filtered for string-literal escape characters and is embedded directly in SQL statements.
Although SQL injection is most commonly used to attack websites, it can also be used to attack any SQL database. Last year, a security company reported that the average web application is attacked at least four times per month by SQL injection techniques. Online retailers receive more attacks than any other industry with an online presence.
Picking a Target
The first step to performing a SQL injection attack is to find a vulnerable website. This will probably be the most time-consuming process in the entire attack. More and more websites are protecting themselves from SQL injection, meaning that finding a vulnerable target could take quite some time.
One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites meeting the parameters of the advanced query you input. Some examples of dorks you can use to find sites vulnerable to a SQL injection attack include:
- inurl:index.php?id=
- inurl:trainers.php?id=
- inurl:buy.php?category=
- inurl:article.php?ID=
- inurl:play_old.php?id=
- inurl:declaration_more.php?decl_id=
- inurl:pageid=
- inurl:games.php?id=
- inurl:page.php?file=
- inurl:newsDetail.php?id=
- inurl:gallery.php?id=
- inurl:article.php?id=
- inurl:show.php?id=
- inurl:staff_id=
- inurl:newsitem.php?num=
Of course, there are many others as well. The key component of these specialized search queries is that they all focus on websites that rely on PHP scripts to generate dynamic content from a SQL database somewhere on the backend of the server. You can learn more about advanced Google search techniques in Unleash Google Search.
Remember that a SQL injection attack can work on any SQL database, but PHP-based websites are usually your best targets because they can be set up by just about anyone (e.g. WordPress) and often contain lots of valuable information about customers within the database you are attempting to hack.
However, just because Google pops up with a result using these dorks does not mean it is vulnerable to attack. The next step is to test each site until you find one that is vulnerable.
Navigate to one of the websites you found. For this example, assume that one of the search results is http://www.udemy.com/index.php?catid=1. To find out if this site is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:
http://www.udemy.com/index.php?catid=1'
Press enter and see what the website does. If the page returns a SQL error, the website is vulnerable to SQL injection. If the page loads normally, it is not a candidate for SQL injection and you should move on to the next URL in your list.
The specific errors you receive do not matter. As a general rule, if the website returns any SQL error, it is likely vulnerable to SQL injection techniques.
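To see why the apostrophe test works, and what the "incorrectly filtered" input from the definition above looks like in code, here is an added Python example (it is not code from the article): a lookup that concatenates the catid value into its SQL text, beside a hardened version that validates the value as an integer and binds it as a query parameter. It uses an in-memory SQLite table as a stand-in for the site's MySQL backend; the table, its rows and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for the site's MySQL backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(1, "Trainers"), (2, "Games"), (3, "Articles")])
    return conn


def lookup_vulnerable(conn, catid):
    """The pattern behind index.php?catid=...: the raw request value is pasted into the SQL text.
    Returns ("ok", rows) or ("error", message) so the caller sees what the page would show."""
    sql = "SELECT id, name FROM categories WHERE id = " + catid
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # A site that prints this message to the browser is what the article calls
        # "returns a SQL error"; that error text is the signal the apostrophe test looks for.
        return ("error", str(exc))


def lookup_safe(conn, catid):
    """Hardened form: reject anything that is not an integer, then bind the value as a
    parameter so the database driver never interprets it as SQL."""
    try:
        cat_int = int(catid)
    except ValueError:
        return ("rejected", "catid must be an integer")
    rows = conn.execute("SELECT id, name FROM categories WHERE id = ?", (cat_int,)).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 order by 1"):
        print(repr(value), "concatenated:", lookup_vulnerable(db, value))
        print(repr(value), "parameterized:", lookup_safe(db, value))
```

The concatenating version turns `1'` into a syntax error, which is exactly the message the apostrophe test hopes to see, while `1 order by 1` still executes and returns the row. The hardened version never lets either value reach the database as SQL. Two defensive points follow: bind every request value as a parameter (and validate its type first where the type is known), and never echo raw database error text to the browser, because that text is what tells a probe the site is worth pursuing.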
At this point, understanding SQL is even more important as you will begin manipulating the database directly from the vulnerable page. Practical SQL Skills is a solid resource for beginner and intermediate users.
Starting the Attack
After locating a vulnerable site, you need to figure out how many columns are in the SQL database and how many of those columns are able to accept queries from you. Append an “order by” statement to the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Continue to increase the number after “order by” until you get an error. The number of columns in the SQL database is the highest number before you receive an error. You also need to find out what columns are accepting queries.
You can do this by appending a “Union Select” statement to the URL. A union select statement in this URL would look like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example. Before the number one (after catid), you need to add a hyphen (-). Also, the number of comma-separated values you put after the union select statement must equal the number of columns you discovered in the previous step. For instance, if you discovered that the database had 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
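From the defender's side, the apostrophe, order by and union select probes described above leave a recognisable trail in the web server's access log. The following Python example is added here and is not part of the article: it parses a few constructed Common Log Format lines (the addresses, timestamps and paths are invented for the example) and flags query-string values that, after URL decoding, contain a stray quote, an order by probe, or a union select.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines in Common Log Format (not real traffic). The last three
# mirror the probes the article describes, URL-encoded the way a browser sends them.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?catid=1 HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 3302
198.51.100.25 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?catid=1%27 HTTP/1.1" 500 812
198.51.100.25 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?catid=1%20order%20by%205 HTTP/1.1" 500 812
198.51.100.25 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?catid=-1%20union%20select%201,2,3 HTTP/1.1" 200 4870
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, pattern) and is applied to the decoded value of every query parameter.
RULES = [
    ("quote-in-value", re.compile(r"'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]


def inspect_request(target):
    """Return a list of (parameter, rule) hits for one request target."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches double-encoded values (%2527).
        decoded = unquote_plus(value)
        for rule, pattern in RULES:
            if pattern.search(decoded):
                hits.append((name, rule))
    return hits


def scan_log(text):
    """Return (ip, target, status, hits) for every parsable line that triggers a rule."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = inspect_request(match.group("target"))
        if hits:
            alerts.append((match.group("ip"), match.group("target"),
                           int(match.group("status")), hits))
    return alerts


if __name__ == "__main__":
    for ip, target, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {hits}")
```

The quote rule on its own is noisy (a search for O'Brien is legitimate), so in practice you would weight it by the response status (note the 500s, which are the "SQL error" pages the article describes) and by several different rules firing from the same client within a short window, as happens for the second address above.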
Exploiting the Database
At this point, you know what columns to direct your SQL queries at and you can begin exploiting the database. You will be relying on union select statements to perform most of the functions from this point forward.
The tutorial ends here. You have learned how to select a vulnerable website and detect which columns are responsive to your queries. The only thing left to do is append SQL commands to the URL. Some of the common functions you can perform at this point include getting a list of the databases available, getting the current user, getting the tables, and ultimately, the columns within these tables. The columns are where all of the personal information is stored.
If you are unfamiliar with using SQL commands to finish the exploit, you should study various commands before attempting a SQL injection attack. You can also check out Website Hacking in Practice for additional tips and tricks.
Using this information, you can search for vulnerabilities within your own websites and perform penetration testing for others. Remember that what you do with this information is solely your responsibility. Hacking is a lot of fun – but it doesn’t mean you have to break the law to have a good time.