
Finding SQL Injections

→ with the target website open, go to Burp and add the site to scope:

Test:
→ put a single quote in an input field or in the “id” parameter value;
→ look at the error returned and whether it reveals anything useful; that information can then be used in Burp to manipulate the request, e.g. intercept the login request, right-click it and send it to “Repeater”;

→ you can see we've added a single quote to the password parameter, and the response shows the error.
→ most modern web applications don't show errors in the output, which forces us to find other injection techniques;

Spider the host: right-click “victim2.site” in the site map → “Spider this host”;


the little gear icons next to the requests mark parts of the site that accept user input;

→ forward the request and see what the search results return:
→ if the result after our SQL injection attempt differs from the normal result under the highlighted heading above, the injection is working;

test this: append a single quote to the id parameter and see how the response changes:

nothing is returned. Now test an “always true” and an “always false” condition:

always true condition [note: spaces must always be URL-encoded]:


always false condition a=b:

we can see the difference between the responses!

To conduct a proper pen test, all GET, POST and cookie header values have to be tested for vulnerabilities;

Now test the cookie header parameter (color=2):

– e.g. color=1 [the page background is white]

– e.g. color=2 [the page background is yellow]

With the cookie header we do the same true/false tests. If a single quote doesn't work, try double quotes; if that doesn't work either, try something else like the payload below (which returns a color, so we seem to be on the right path):
→ press “Go” on the Repeater tab to send the original request to the site and study the response;

→ set an auto-scroll rule so the response view jumps straight to the part of the HTML that tells us whether the SQL injection is working:
As you can see on the login page, we're trying different combinations but nothing seems to be working:

So we try something else, such as adding a closing parenthesis:

success: the SQL injection is confirmed! [this was an always true condition];

Now we have to try an always false condition, which should give a different response;
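To make the quote test and the true/false test concrete, here is an added Python example (not code from the original notes or from the course site) that runs both against a small in-memory SQLite table: a vulnerable lookup that concatenates the id into the query, and a hardened one that validates and binds it. The table, its rows and the payloads (the notes' tests written out for a numeric id, already URL-decoded as the server would see them) are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the notes) standing in for the site's search table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "red widget"), (2, "blue widget"), (3, "green widget")])
    return conn

def search_vulnerable(conn, raw_id: str):
    """The injectable form: user input is concatenated into the SQL text.
    The database error is returned as text so the leak is visible; as the notes
    say, a modern app usually hides it, which is why the true/false test exists."""
    try:
        return [row[0] for row in conn.execute("SELECT name FROM items WHERE id=" + raw_id)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def search_hardened(conn, raw_id: str):
    """Validate the id as an integer and bind it as a parameter; the input can
    only ever be data, never part of the query structure."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return [row[0] for row in conn.execute("SELECT name FROM items WHERE id=?", (id_value,))]

# Assumed payloads: the quote test and the always true / always false conditions
# from the notes, written out for a numeric id (spaces already URL-decoded).
PAYLOADS = {
    "normal": "2",
    "quote": "2'",
    "always_true": "2 and 'a'='a'",
    "always_false": "2 and 'a'='b'",
}

def response_differs(search, conn) -> bool:
    """The check from the notes: do the true and false conditions give different
    responses? A difference means the database is evaluating our condition."""
    return search(conn, PAYLOADS["always_true"]) != search(conn, PAYLOADS["always_false"])

if __name__ == "__main__":
    db = make_db()
    for label, payload in PAYLOADS.items():
        print(f"{label:12} vulnerable={search_vulnerable(db, payload)!r:45} "
              f"hardened={search_hardened(db, payload)!r}")
    print("vulnerable oracle:", response_differs(search_vulnerable, db))
    print("hardened oracle:  ", response_differs(search_hardened, db))
```

The vulnerable lookup errors on the lone quote, returns the row for the true condition and nothing for the false one, so the two responses differ and the tester has an oracle. The hardened lookup returns the same empty result for every malformed id, so the same payloads reveal nothing.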

Exploiting In-band SQL Injections:

test a single quote on an id that exists in the database:


→ no errors detected, so...

→ and now we can see the always true condition returns the data for that id, so this is vulnerable to SQL injection:

→ inject a “union select” statement to see how many fields the original query has:

→ doesn't reveal anything;


→ keep increasing the number of “null” fields until the two queries have the same number of columns and a result is returned:
Find the field type of each of the null values:
so for field one, let's try a string (which works):

let's try a string in field 2 (which doesn't work, so we have to try a different data type):

we try an integer, which works:

To display the UNION SELECT results in the output, set the id to a non-existent value like 9999.
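An added Python example (not from the notes) that reproduces the UNION balancing step on an in-memory SQLite table: with too few NULLs the database rejects the UNION, with the right number it returns the placeholder row, and the non-existent id 9999 makes that row the only one in the output. The table and the “probe” marker string are assumptions; SQLite does not enforce compatible column types in a UNION the way SQL Server does, so the type-probing step from the notes is not reproduced here. The hardened query shows the same probes doing nothing once the id is validated and bound.

```python
import sqlite3

# Constructed sample table (not from the notes): the original query returns two
# fields, so a UNION needs two values to balance it.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "red widget", 5), (2, "blue widget", 7)])
    return conn

def query_vulnerable(conn, raw_id: str):
    """The injectable form: the id is concatenated straight into the SQL.
    Errors come back as text so the column-count mismatch is visible."""
    try:
        return conn.execute("SELECT name, price FROM items WHERE id=" + raw_id).fetchall()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def query_hardened(conn, raw_id: str):
    """Validate the id as an integer and bind it; the UNION text never reaches the parser."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT name, price FROM items WHERE id=?", (id_value,)).fetchall()

def null_probe(conn, nulls: int, id_value: str = "9999"):
    """Append 'UNION SELECT NULL, ...' with the given number of NULLs, as the notes do.
    The non-existent id 9999 leaves only the UNION row in the result."""
    payload = f"{id_value} UNION SELECT " + ", ".join(["NULL"] * nulls)
    return query_vulnerable(conn, payload)

def find_column_count(conn, max_columns: int = 10) -> int:
    """The notes' loop: increase the NULL count until the UNION stops erroring;
    that count is the number of columns in the original query."""
    for n in range(1, max_columns + 1):
        if not isinstance(null_probe(conn, n), str):
            return n
    raise ValueError("could not balance the query")

if __name__ == "__main__":
    db = make_db()
    for n in (1, 2):
        print(f"{n} NULL(s):", null_probe(db, n))
    print("column count:", find_column_count(db))
    # 'probe' is an assumed marker string to show where field one lands in the output.
    print("marker in field one:", query_vulnerable(db, "9999 UNION SELECT 'probe', NULL"))
    print("hardened:", query_hardened(db, "9999 UNION SELECT NULL, NULL"))
```

SQLite reports the mismatch as “SELECTs to the left and right of UNION do not have the same number of result columns”; SQL Server wording differs but the mechanism the notes rely on is the same. Against the hardened query every probe is just a non-numeric id and returns an empty result.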
Exploit this to get information about the DBMS and more (@@version):

knowing which DBMS it is lets us tailor the SQL injection:

→ retrieve username:

find first user of database:


to find second user, have to filter out the first with a WHERE clause:

etc, etc.

Find the database name with the db_name() function:


Exploiting error-based SQL injections

e.g. with single quote sql injection:

the original query is probably something like:

okay, we added a closing bracket and a comment sequence and removed the quote:

and now the query works;


so the query probably looks like this in the database (note the parentheses at the end):
in the following case the error message prints the server version and so on:

we need the closing bracket and the comment sequence because the query expects a closing bracket after our input, and the comment then removes the original closing bracket;

^ prints database name;


pass integer values to db_name() to enumerate all the databases hosted on the server: db_name(0) doesn't work, but:

→ reveals “master” database; add 2, 3, 4, etc.

→ now let's reveal usernames on database:

reveals username “public” and so on...

Now using the CAST technique to extract data:

• Use wget to fetch the page and print it to standard output:

now replace @@version with whatever value we need:


e.g. db_name() reveals usrmanagement, so we can then extract the tables of usrmanagement:
the first table name is “clients”. To extract the other tables, we have to filter “clients” out in the query:

continue until all the table names are extracted. When no more errors are printed, only normal output, we've found all the table names.

Let's find out the columns of the table – like the “accounts” table:

The first column is “password”. Let's filter it out and continue:

Now the data dumping phase: e.g. dump usernames:

or concatenate the username and password together:


Now filter that username out and extract the rest of the data values:
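From the defender's side, every step in these notes leaves a trace in the request parameters or the cookie header. The added Python example below (not from the notes) scans constructed access-log lines, URL-decodes each query-string parameter and cookie value, and flags the indicators the notes walk through: a stray quote, an appended true/false condition, UNION SELECT, @@version / db_name() fingerprinting, CAST-based error extraction and a trailing comment sequence. The log format, the IP addresses and the request lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (not from the notes): an access log that also records
# the Cookie header, since the notes test the cookie parameter as well as the query string.
SAMPLE_LOG = """\
10.0.0.5 "GET /search.php?id=2 HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /search.php?id=2' HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /search.php?id=2%20and%20%27a%27%3D%27a HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /search.php?id=9999%20union%20select%20null,null HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /search.php?id=9999%20union%20select%20@@version,null HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /search.php?id=2%27)%20and%20cast(@@version%20as%20int)-- HTTP/1.1" cookie="color=2"
10.0.0.5 "GET /index.php HTTP/1.1" cookie="color=2')%20and%20'a'='b"
10.0.0.7 "GET /login.php HTTP/1.1" cookie="color=1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" cookie="(?P<cookie>[^"]*)"$'
)

# Each pattern is applied to a decoded parameter value; the names map onto the
# techniques in the notes (quote test, true/false conditions, UNION SELECT balancing,
# DBMS fingerprinting, CAST error extraction, closing bracket plus comment).
INDICATORS = {
    "quote": re.compile(r"""['"]"""),
    "boolean-condition": re.compile(r"\b(?:and|or)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "dbms-fingerprint": re.compile(r"@@version|\bdb_name\s*\(", re.I),
    "error-based-cast": re.compile(r"\bcast\s*\(", re.I),
    "comment-terminator": re.compile(r"--|/\*"),
}

def extract_values(line: str):
    """Yield (location, decoded value) for every query parameter and cookie in a log line."""
    m = LINE_RE.match(line)
    if not m:
        return
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        yield f"query:{name}", value
    for part in m["cookie"].split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            yield f"cookie:{name}", unquote_plus(value)

def classify(value: str) -> list:
    """Return the sorted list of indicator names that match a decoded value."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(value))

def scan_log(text: str) -> list:
    """Return (line_no, location, indicators) for every parameter that matches something."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for location, value in extract_values(line):
            hits = classify(value)
            if hits:
                findings.append((line_no, location, hits))
    return findings

if __name__ == "__main__":
    for line_no, location, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {location} -> {', '.join(hits)}")
```

Decoding before matching matters: the notes point out that spaces have to be URL-encoded, so a scanner that matches on the raw request line misses `union%20select`. The cookie value is decoded with the same function, which is what makes the `color=` injection on line 7 visible alongside the query-string ones.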
