In our previous article we performed form-based SQL injection using sqlmap, but today we are going to perform form-based SQL injection in DHAKKAN manually. There are many examples of login forms, such as the Facebook login, the Gmail login and other online accounts, that ask you to submit your username and password.
Let's start!!
LESSON 11
This lesson is very similar to lessons 1, 2, 3 and 4; if you are not familiar with those lessons, please go through them first. There you will learn how to perform SQL injection manually, step by step, in order to retrieve data from inside the database.
Lesson 11 covers POST error-based injection with a single-quoted (') string. When you open this lab in the browser you will see a text field for the username and one for the password used to log in to the web server. Since we are not legitimate users we do not know the correct username and password, but as hackers we always wish to get inside the database with the help of SQL injection. Therefore, first we test whether the login form is vulnerable to SQL injection or not.
Since the lesson itself is described as error-based single-quote (') string injection, I used a single quote (') to break the query: enter it in the username text field, then click Submit.
Username: ’
From the given screenshot you can see that we got an error message (in blue), which means the database is vulnerable to SQL injection.
So when we break the query we get an error message; now let me explain what this error message says.
The right syntax to use near '''' and password='' LIMIT 0,1'
The fragment shows that our single quote closed the string the application had opened around the username, so the rest of the original statement (and password='' LIMIT 0,1) was left dangling and the database refused to parse it.
Now we need to fix this query with the help of a # (hash) comment: after the single quote (') add a hash (#) so that the remainder of the original query is commented out and the statement becomes syntactically correct.
Username: ' #
From the screenshot you can see it now shows "login attempt failed", although we have successfully got rid of the blue error message.
Now whatever statement you insert between ' and # will be executed, with a result that depends on that statement. To find out the number of columns used in the backend query we'll use the order by clause.
Username: ' order by 1 #
Username: ' order by 2 #
Username: ' order by 3 #
From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.
Similarly, insert a union select query between ' and # to select both records.
Username: ' union select 1,2 #
From the screenshot you can see it also shows "successfully logged in"; now let's retrieve data from inside it.
The next query fetches the database name; it is the same as in lesson 1, and from the screenshot you can read the database name "security".
Username: ' union select 1,database() #
Through the query given below we will be able to fetch the names of the tables present inside the database.
Username: ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
From screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users
Now we'll try to find out the column names of the users table using the following query.
Username: ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
There are many columns, but we are interested in username and password only.
Finally, execute the following query to read all the usernames and passwords inside the users table.
Username: ' union select group_concat(username),group_concat(password) from users #
Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.
This is all about single-quote string error-based injection in lesson 11.
Lesson 12
In some scenarios you will try a single quote to test for SQL injection, or go further and try to break the query even after knowing that the database is vulnerable, but you will not be able to break the query and receive an error message, because the developer may have blacklisted the single quote (') in the backend query.
Lesson 12 is similar to lesson 11, but here you will fail if you use a single quote to break the query, since the chapter is described as POST error-based double-quote (") string injection. Thus I used a double quote (") to break the query inside the username text field, then clicked Submit.
username: "
From the given screenshot you can see that we got an error message (in blue), which means the database is vulnerable to SQL injection.
So when we break the query we get an error message; now let me explain what this error message says.
The right syntax to use near '""") and password=("") LIMIT 0,1'
This time the fragment shows that the username is wrapped as ("...") in the backend query: our double quote closed the string, but the opening parenthesis is still unclosed, so both the parenthesis and the rest of the statement have to be dealt with.
Now we need to fix this query with the help of a ) closing parenthesis and a # (hash) comment: after the double quote (") add a closing parenthesis and then the hash (#) so that the statement becomes syntactically correct.
username: ") #
From the screenshot you can see it now shows "login attempt failed", although we have successfully got rid of the blue error message.
Now whatever statement you insert between ") and # will be executed, with a result that depends on that statement. To find out the number of columns used in the backend query we'll use the order by clause.
username: ") order by 3 #
From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.
Similarly, insert a union select query between ") and # to select both records.
Username: ") union select 1,2 #
From the screenshot you can see it also shows "successfully logged in"; let's now retrieve data from inside it.
The next query fetches the database name; it is the same as in lesson 1, and from the screenshot you can read the database name "security".
Username: ") union select 1,database() #
Through the query given below we will be able to fetch the names of the tables present inside the database.
Username: ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
From screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users
Now we'll try to find out the column names of the users table using the following query.
Username: ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
There are many columns, but we are interested in username and password only.
Finally, execute the following query to read all the usernames and passwords inside the users table.
Username: ") union select group_concat(username),group_concat(password) from users #
Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.
This is all about double-quote string error-based injection in lesson 12.
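As an added example (not part of the original walkthrough or of the DHAKKAN lab code), the Python below reconstructs the two query shapes that the error messages in lessons 11 and 12 reveal, shows how a stray quote in the lesson-11 shape turns into the database error the walkthrough relies on, and contrasts that with a parameterized login in which the same input stays plain data. The SELECT column list, the exact query text and the sample rows are assumptions; the lab's real schema and data are not reproduced.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's "security" database; rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES(?,?,?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

# Query shapes reconstructed (assumed) from the error fragments
#   "... and password='' LIMIT 0,1"      (lesson 11: single-quoted string)
#   "... and password=(\"\") LIMIT 0,1"  (lesson 12: double-quoted string in parentheses)
# User input is pasted straight into the SQL text, which is the defect both lessons exploit.
def vulnerable_query(uname, passwd, lesson=11):
    if lesson == 11:
        return ("SELECT username, password FROM users WHERE username='%s' "
                "and password='%s' LIMIT 0,1" % (uname, passwd))
    return ("SELECT username, password FROM users WHERE username=(\"%s\") "
            "and password=(\"%s\") LIMIT 0,1" % (uname, passwd))

def vulnerable_login(conn, uname, passwd):
    """Runs the lesson-11 shape. A lone quote unbalances the string literals, so the
    database rejects the statement; that error is the signal the walkthrough watches for."""
    try:
        return conn.execute(vulnerable_query(uname, passwd)).fetchone()
    except sqlite3.OperationalError as e:
        return "error: %s" % e

# Hardened form: bound parameters keep quote, parenthesis and comment characters inside
# the value, so the same inputs cannot change the structure of the statement.
def safe_login(conn, uname, passwd):
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? and password=? LIMIT 0,1",
        (uname, passwd)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("'", ""))             # the unbalanced statement from lesson 11
    print(vulnerable_query('"', "", lesson=12))  # the unbalanced statement from lesson 12
    print(vulnerable_login(db, "'", ""))         # database error, as in the lab screenshot
    print(safe_login(db, "' union select 1,2 #", ""))  # None: treated as a literal username
    print(safe_login(db, "alice", "s3cret"))     # ('alice', 's3cret')
```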