In this article, I'm going to use the Burp Suite Community Edition tool to exploit some SQL injection vulnerabilities. I'm using PortSwigger Academy labs for this demonstration.
The first one is a simple retrieval of hidden data. Following is a webpage that retrieves data from a SQL database. In the URL we can see the Gifts parameter is assigned to "category". But there's a hidden variable called "released" as well.
The query that runs on the server side looks something like this:
SELECT * FROM products WHERE category = 'Lifestyle' AND released = 1
The hidden variable is assigned 1 to indicate that only released items should be retrieved from the database. Our task is to retrieve all the products regardless of whether they are released or not.
I have set up my browser and started Burp Suite to intercept the traffic coming from this website. The intercepted request has the details shown below.
Here we can modify the values of the GET parameter to craft a SQL injection payload. The ' after Lifestyle closes the string literal. Adding or 1=1 asks the database to return rows where either category = 'Lifestyle' or 1=1 holds. Since 1=1 is always true, every row matches. The -- comments out the rest of the query, which includes the "released" condition.
By making the above modifications, this SQL injection retrieves all the products. The query the database actually executes becomes:
SELECT * FROM products WHERE category = 'Lifestyle' or 1=1 -- AND released = 1
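To make the point concrete, here is an added example (not part of the original post or of the PortSwigger lab) that builds the products table in an in-memory SQLite database, runs the page's payload through a string-concatenated query like the one described above, and then runs the same input through a parameterised query. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows: (category, name, released). Not the lab's real data.
PRODUCTS = [
    ("Lifestyle", "Eye Projectors", 1),
    ("Lifestyle", "Giant Pillow Thing", 0),
    ("Gifts", "Hydrated Crackers", 1),
    ("Pets", "Pet Experience Days", 0),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (category TEXT, name TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return con


def vulnerable_lookup(con, category):
    # The category value is pasted straight into the SQL text, so a quote
    # in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, category):
    # Bound parameter: the driver sends the value separately, so quotes,
    # "or 1=1" and "--" are just characters inside a category name.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(sql, (category,))]


def demo():
    con = make_db()
    payload = "Lifestyle' or 1=1 --"  # the payload discussed in the text
    return {
        "normal": vulnerable_lookup(con, "Lifestyle"),
        "vulnerable_with_payload": vulnerable_lookup(con, payload),
        "safe_with_payload": safe_lookup(con, payload),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The vulnerable lookup returns every product, released or not, while the parameterised lookup returns nothing because no category is literally named "Lifestyle' or 1=1 --".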
Union-Based SQLi
The UNION keyword is used to collect data from another database table as well. It allows us to execute another SELECT statement and merge its results with the results of the original query.
SELECT col1, col2 FROM table1 UNION SELECT cola, colb FROM table2
For this to work:
1. The two separate queries should return the same number of columns.
2. The columns' data types should be compatible between the separate queries.
In this example, I will demonstrate retrieving usernames and passwords using the UNION command.
Prior to this step, you have to determine how many columns are returned by the query and which columns can hold string values.
One method to check the number of columns is to use NULL, since it can be converted to any commonly used data type. Submit a series of UNION SELECT payloads as follows:
' UNION SELECT NULL, NULL --
' UNION SELECT NULL, NULL, NULL --
Once you have determined the number of columns, proceed to check which columns hold string-type data:
' UNION SELECT 'a', NULL, NULL --
' UNION SELECT NULL, 'a', NULL --
' UNION SELECT NULL, NULL, 'a' --
The letter a checks whether the column is compatible with a string. If it is not, the database will return an error.
In the following example, first we will check for the number of columns in the query.
This returned an error, so I checked for 2 columns.
As seen above, entering 2 NULL values was successful, so I can conclude that the first SELECT statement has 2 or more columns. I then checked with 3 NULL values to confirm whether there are more columns. It turns out this query retrieves only 2 columns. So now I have to check for string inputs.
Both columns return string data. The lab has provided us with the information that the table is called users and its columns are called username and password. So now I have constructed a query to retrieve usernames and passwords from that table.
The overall query would probably look like this:
SELECT category, column2 FROM products WHERE category = 'pets' UNION SELECT username, password FROM users --'
The final results were obtained as follows. Here we have found the admin's username and password, so now we can log in to the website with administrator privileges to further conduct attacks.
This is only one of the few ways to use the UNION command for SQL injections. Please let me know if there is any fault in the above information. For further information please check out the PortSwigger Academy. Have a nice day!!!