Let’s begin…
Before discussing SQL injection, let me explain what it is.
SQL injection is a server-side vulnerability in which an attacker injects a malicious payload into a vulnerable input parameter to manipulate the queries the application sends to its database.
The target site I have taken is part of a vulnerability disclosure program, so due to confidentiality I have to hide sensitive information.
How does the SQL malicious payload work?
In the backend, the query structure is designed by a backend developer using MySQL, MSSQL, MongoDB, and so on, depending on the use case and the client's requirement. Some newbie developers write the backend query like SELECT * FROM TABLE_NAME WHERE username= "username" AND password= "password" ; with the user's input placed directly in the query text.
This is what lets us achieve SQL injection by injecting a malicious payload. SQL injection is commonly classified into four types: Error-Based, Boolean-Based, Union-Based, and Time-Based injection.
The payload that breaks out of the user input for error-based SQL injection is ' OR 1=1-- . How does this escape the backend query?
When an attacker submits this input on the login page, the comment sequence at the end strips the password check from the backend query. The remaining condition 1=1 is logically TRUE, so the server blindly trusts the result and lets the attacker into the dashboard without any authorization.
I don't want to drag the entire theory into one blog before getting into the practicals. We just need some basics of SQL injection: how it works, and how attackers try to manipulate the database using malicious payloads.
Let's start with how I found and dumped the entire database.
Usually, I test for SQL injection on the login page, but this time I did something different from the usual case: I tried the URL parameter with error-based SQL injection using the simple payload I mentioned before. It acted weird; it showed an error, but not a usual error. Yeah, you got it, it is a SQL error. From this error, I got a big secret key hint, i.e., MySQL, which is the database name.
Error-Based SQL injection
Next, to check what tables are in the database, I queried the information_schema database, where the names of the core tables of this particular database are located.
Boom 💥got it buddy!!!
To dump the database, I use the SQLmap tool.
Before using SQLmap, copy the URL and paste it into the SQLmap command. The command is:
sqlmap -u 'https://www.example.com?id=1&pid=2' -D <databasename> --dump
Here -D selects the database to work on and --dump dumps the entries of its tables.
This is database enumeration.
Injection points are shown
Retrieving information_schema database and table names
In these tables, no other data was updated or modified, but a few tables contain data such as company document details and much more.
Another table in the same database where no data has been updated
Impact:
Using this approach, I was able to dump the entire database and its tables. This could lead to manipulating the database structure through various CRUD operations.
Mitigation:
Use parameterized queries, and validate input by not allowing special characters in the input field. Avoid returning detailed database errors to the user, and handle exceptions so that crafted input cannot trigger them, especially for SQL injection.
As this is not a native application, I responsibly reported it to the company's security team, and the issue was patched.
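To show the first mitigation concretely, here is an added example (not code from the original post or from the target site) in Python using an in-memory SQLite database as a stand-in for the MySQL backend; the users table, the credentials, and the function names are constructed for the demo. It places the "newbie developer" string-built login query beside its parameterized form and runs the post's ' OR 1=1-- payload against both.

```python
import sqlite3

# Constructed in-memory database standing in for the MySQL backend described in the post
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_unsafe(conn, username, password):
    # Builds the query the way the post's "newbie developer" does: user input is
    # pasted straight into the SQL text, so quotes and '--' become live SQL syntax.
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterized query: the driver sends the values separately from the SQL
    # text, so a quote or '--' inside the input is only data to compare against.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def login_guarded(conn, username, password):
    # Second mitigation from the post: never let a database error reach the user.
    try:
        return login_safe(conn, username, password)
    except sqlite3.Error:
        return False

def demo():
    conn = make_db()
    payload = "' OR 1=1--"  # the login-bypass payload discussed in the post
    results = {
        "unsafe_valid": login_unsafe(conn, "alice", "s3cret"),
        "unsafe_bypass": login_unsafe(conn, payload, "anything"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_bypass": login_safe(conn, payload, "anything"),
    }
    # A lone quote makes the concatenated query syntactically invalid and raises
    # the kind of database error the post spotted in the URL parameter.
    try:
        login_unsafe(conn, "'", "x")
        results["unsafe_quote_error"] = False
    except sqlite3.OperationalError:
        results["unsafe_quote_error"] = True
    results["guarded_quote_login"] = login_guarded(conn, "'", "x")
    return results
```

With the string-built query the payload logs in as the first user and a stray quote throws a database error; with the parameterized query both inputs are just failed logins.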
Thank you, Tech Buddies
Happy Hacking!
Eat, Hack, Gym, Sleep
This is Jaga, Signing off