SQL Injection Attacks | Shahul Hameed

Lab 1: SQL injection UNION attack, determining the number of columns returned by the query

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

    To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.

Solutions:

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Modify the category parameter, giving it the value '+UNION+SELECT+NULL--. Observe that an error occurs.
3. Modify the category parameter to add an additional column containing a null value: '+UNION+SELECT+NULL,NULL--
4. Continue adding null values until the error disappears and the response includes additional content containing the null values.

Step 1: UI view

Step 2: Check whether the application is vulnerable or not before executing any payload into an application.

    Inject: ' or " end of the query in URL

Step 3: Type 1: Attack method through by UNION method

    Iterative add the NULL at the end of the query until getting status OK 200

    

        Note: CTRL + U to encode URL in burp suite

    Payload: query?category=Gifts'+UNION+select+NULL,+NULL,+NULL--

Step 4: Intercept application URL into Burp Suite.

Type 2: Attack through by ORDER BY method

Step 1: Iterative order by the value at the end of the query until getting status OK 200

      Note: CTRL + U to encode URL in burp suite

    Payload: query?category=Gifts'+ORDER+BY+3--     

    Note: If exceed the order value shown error hence we can understand exact columns in the table.

Lab 2: SQL injection UNION attack, finding a column containing text

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

    The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Solution:

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Determine the number of columns that are being returned by the query. Verify that the query is returning three columns, using the following payload in the category parameter: '+UNION+SELECT+NULL,NULL,NULL--
3. Try replacing each null with the random value provided by the lab, for example: '+UNION+SELECT+'abcdef',NULL,NULL--
4. If an error occurs, move on to the next null and try that instead.

Step 1: UI View

Step 2: Intercept application URL into Burp Suite.

    

    Note: Find the exact columns in the table using the iterative UNION NULL technique.

Payload: '+UNION+SELECT+NULL,NULL,NULL--

Step 3: Inject the given text in the lab into query.

    Payload: query? category=Gifts'+UNION+select+NULL,'XpoIxr',+NULL--

Lab 3: SQL injection UNION attack, retrieving data from other tables

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

    The database contains a different table called users, with columns called username and password.

    To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user. 

Solution

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'--.
3. Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+username,+password+FROM+users--
4. Verify that the application's response contains usernames and passwords. 

Step 1: UI view

Step 2: Intercept application URL into Burp Suite.

    

    Note: Find the exact columns in the table using the iterative UNION NULL technique.

Step 3: Now replace the NULL value with correspondent users table column value and retrieve the user's table data.

Payload: '+UNION+SELECT+username,+password+FROM+users--

Step 4: Enter the exposed credentials into the application.

Lab 4: SQL injection UNION attack, retrieving multiple values in a single column 

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

    The database contains a different table called users, with columns called username and password. 

    To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and password, and use the information to log in as the administrator user.

Solutions

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, only one of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+NULL,'abc'--
3. Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+NULL,username||'~'||password+FROM+users--
4. Verify that the application's response contains usernames and passwords.

Step 1: UI view

Step 2: Intercept application URL into Burp Suite.

    

    Note: Find the exact columns in the table using the iterative UNION NULL technique.

Payload: 

GET /filter?category=Accessories'+UNION+select+NULL,+username+||+'*'+||password+from+users--

Step 3:Enter the exposed credentials into the application.

Lab 5: SQL injection attack, querying the database type and version on Oracle

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

    To solve the lab, display the database version string.

Solution

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'+FROM+dual--
3. Use the following payload to display the database version: '+UNION+SELECT+BANNER,+NULL+FROM+v$versio--

Reference URL : 

https://portswigger.net/web-security/sql-injection/cheat-sheet

Step 1: Intercept the UI in the burp suite application.

            Find the number of columns using the ORDER BY statement.

    Payload: GET /filter?category=Accessories'+ORDER+BY+2+-- HTTP/1.1

Step 2: Find the datatype of columns in the table.

    Oracle database: SELECT Statement

    Payload: GET /filter?category=Accessories'+UNION+SELECT+'a',+'a'+FROM+DUAL--

Step 3: Get the version of the database.

    Oracle database: SELECT Version statement

    Payload: 

    GET /filter?category=Accessories'+UNION+SELECT+banner,+NULL+FROM+v$version--

Lab 6: SQL injection attack, querying the database type and version on MySQL and Microsoft

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

    To solve the lab, display the database version string.

Solution

1. Use Burp Suite to intercept and modify the request that sets the product category filter.
2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'#
3. Use the following payload to display the database version: '+UNION+SELECT+@@version,+NULL#

Step 1: Intercept the UI in the burp suite application.

            Find the number of columns using the ORDER BY statement.

            Note: Here comment using (#) instead of (--)

    Payload: GET /filter?category=Accessories'+ORDER+BY+2# HTTP/1.1  => OK Status 200

Step 2: Find the version of the database.

    Note: Check all the types versions of databases in cheatsheet Portswigger.

    Payload: GET /filter?category=Accessories'UNION+SELECT+@@version,+NULL# 

1. 
   
2. 
   
3.