To exploit SQL Injection, the initial step is to identify the injection point and then craft a payload to gain control over the dynamic query of the target. The most direct method to discover SQL injections within a web application involves probing inputs with characters known to cause SQL query syntax errors, prompting the application to return an error.
Note: Not all inputs of a web application contribute to constructing SQL queries. In the Information Gathering module, it was recommended to categorize different input parameters, focusing on those used for database data retrieval and manipulation.
In the following sections, we will explore how to utilize gathered information to recognize and exploit SQL Injection vulnerabilities.
Input parameters are conveyed through GET and POST requests, HEADERS, and COOKIES. It is essential to examine all channels where data is retrieved from the client. The examples provided here, for simplicity, will focus on scenarios where inputs come directly from the URL (using the GET method), but similar techniques apply to other channels.
For explanatory purposes, consider a small, vulnerable e-commerce web application displaying cell phones for sale. In this example, ecommerce.php
takes an input parameter named id
to retrieve product features from the database and display them on the page.
- The
id
parameter is expected to be an integer. - Sending the
id=1
GET parameter makes the application behave correctly. - Sending
id=,
makes the application throw an error.
Testing for SQL injection involves injecting:
- String terminators: ' and "
- SQL commands: SELECT, UNION, and others
- SQL comments: # or -- Checking for abnormal behavior in the web application.
The web application in question prints internal errors on its input pages, aiding developers and penetration testers in understanding the application's internal processes. Different Database Management Systems (DBMS) respond to incorrect SQL queries with varying error messages. Recognizing these errors is crucial for identifying vulnerabilities.
Example:
- MS-SQL error: "Incorrect syntax near [query snippet]"
- MySQL error: "You have an error in your SQL syntax."
Similar errors during an engagement suggest vulnerability to an SQL injection attack, though educated guesses may be necessary.
Many production websites do not display errors for usability and security reasons. In such cases, Boolean-based detection can be employed to test for SQL injection. This technique involves crafting payloads that transform web application queries into True/False conditions, allowing the penetration tester to infer query results based on changes in the application's behavior.
Example:
- Crafting payloads like
id=1444'
to detect Boolean-based SQLi in an image gallery.
It is possible to test both always true and always false conditions:
id=1444' or '1'='1
id=1444' or '1'='2
After identifying a potential injection point, further testing and exploitation techniques are explored in subsequent chapters.
A great way to find out if a SQLi vulnerability is present is to use a web proxy such as BurpSuite, capture the traffic, and save the captured file locally (.xml).
We will then open that file with SQLMap and check for vulnerabilities or not.
sqlmap -r sql_request_captured.xml