What's new
  • Welcome to PHCorner Forums. Take a moment to Sign up and gain unlimited access and extra privileges that guests are not entitled to, such as: All that and more! Registration is quick, simple and absolutely free. Join our community today!

Tutorial SQL injection to test your web application security and how to prevent it

mtcddppi

Honorary Poster
Joined
Jan 28, 2017
Messages
590
Reaction score
405
Good day! Today, I'm going to share to you about SQL injection to test the security of your web application. Take note that this is for educational purposes only. First, let us know what really is SQL injection. SQL injection is a code injection technique in which malicious SQL statement is inserted to manipulate data from your database. This will allow attackers to get the sensitive information from your database. Now let's start.

REQUIREMENTS:
  • brain.exe
  • knowledge in SQL
  • your web project (as a test)

STEPS:


As an example, I'm going to use the site that I just created in my localhost.

1. visit your project or the website that I created.
2. Once you're on the website, we will search for some links that ends with an id number or newsid or userid, etc...
let's say for example that you found a URL like: You must register or login to view this.
3. Notice that in the end of the URL, there is a view.php?userid=1.
4. That is what we need to find a vulnerability. To check if the website is vulnerable in SQL injection, we will use a single quote( ' ) and then hit enter.
1563503808101.png

5. If you will receive a message about SQL error, that means that the website is vulnerable in SQL injection.
1563503837878.png

6. Now, let's remove the single quote that we added to the URL and then do this:
1563503887743.png

This will check if how many columns do we have in a table. If you didn't receive any SQL error, increase the number of ORDER BY until you will see an SQL error message.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this. and so on... and so fort.

If you received a SQL error message, that means, the number that you entered does not exist. let's say for example, you encountered a SQL error message in ORDER+BY+5, this means that there is only 4 columns in the table. but what table? we will find that out later.
1563503977184.png

7. Now let's try to check the vulnerable columns. Do this: You must register or login to view this.
1563504183433.png

This will show multiple vulnerable columns. notice that I added a minus sign ( - ) to bypass the SQL error when searching a vulnerable columns.
You will see that there is 2 AND 3 as our vulnerable columns. we will use one of these to get a sensitive information. Choose any of the numbers. In my case, I will choose 3.

8. Now let's find the version of the MySQL of the website. To do that:You must register or login to view this.
1563504263533.png

9. Since we already know the Mysql version, let's check the database name. To do that: You must register or login to view this.
1563504302831.png

10. Now we also have the database. Let's get the username of the mysql host. To do that: You must register or login to view this.
1563504357245.png

11. Now that we have some of the database information, let's get the tables from the database. To do that: You must register or login to view this.
1563505261727.png
we have here members and news table. Now.. what we need is the most sensitive information and that is the user's accounts. I'm going to members table since I'm pretty sure that the username, password, etc, etc.... is here. Now, before we proceed, we will first go to google and search for text to hex and then hit enter. there are a lot of search results but in my case, I'm going to use You must register or login to view this. to convert the word members into hex. Now just paste the table name that you just selected (members table) to the text to hex converter and then click the convert button. The result for members table should be like this:
1563505559001.png
Now let's remove the spaces of the hex. It should look like this: 6d656d62657273

12. With that, we can fetch the columns of the table members. so let's proceed in fetching the columns. To do that: You must register or login to view this.
1563505740811.png
Note that after the TABLE_NAME=, I added a 0x (zero and x) before our hex value 6d656d62657273. This is to bypass the SQL queries that we just sent because it won't work if we will use the plain table name members. 0x will be reading our hex values and will convert it to a plain text. After this, you should see a list of columns.

13. Now that we have the columns from the members table, we will get the value of the columns. Before that, we will first select what columns that we need to uncensored. In my case, I'm going to choose email and password. To do that: You must register or login to view this.
1563506058329.png
Note that I selected 2 columns namely email and password. I also added a 0x3a which is a hex value. 0x will read the hex value and the value that we passed is the 3a. 3a means : (or colon) in plain text. This is because we want to separate the results of our SQL queries. Notice that I have the columns:

lightiskira07@gmail.com:153624123,
asdf@gmail.com:123456789


we have successfully fetched two data from the table named members. notice that there is a comma (,) after the password of 153624123 this is because we have another data. So that's how SQL injection works. But how can we prevent it? There are a lot of ways to prevent SQL injection. Sanitizing our data that we are going to pass is one of the prevention. In this tutorial we have view.php?userid=1 the userid which is 1 is a GET data and is not sanitized. In PHP script, there are a lot of ways to sanitize the data. If you want to sanitize the GET data which has an INT value, we can sanitize it by:

<?php

$userid = mysqli_real_escape_string($connection, $row['userid']);

?>


Before we pass the value of the userid, we should use mysqli_real_escape_string() to escape unwanted strings like special characters. We can also sanitize the INT value by converting it to int:

<?php
(int)$_GET['userid'];
?>


if you are using a POST data, you can use mysqli_real_escape_string() or addslashes(). addslashes() will sanitize your data by adding a slash in your string data. for example, you entered a string value myusername'. With addslashes(), it will become myusername\'. This is to sanitize the single quote that you entered. You can also use the addcslashes() if you want to sanitize your data in C style. So, I have that you learned something in this thread that I posted. If you have any questions or you have more ideas in preventing the SQL injection, you can comment below so that those who has no knowledge about it will have more ideas.

NOTE: This is for educational purposes only.
 

Attachments

dak1la

Eternal Poster
Maganda rin chinecheck security ng coding lalo pa at nagiging pihikan na mga prof sa defense 😂 good thing nandyan ka ts para sa guide.
 

mtcddppi

Honorary Poster
Maganda rin chinecheck security ng coding lalo pa at nagiging pihikan na mga prof sa defense 😂 good thing nandyan ka ts para sa guide.
Mahaba haba pa Yan sir. Pinutol ko Lang para maipost na. Maybe I'll create another thread.
 
Good day! Today, I'm going to share to you about SQL injection to test the security of your web application. Take note that this is for educational purposes only. First, let us know what really is SQL injection. SQL injection is a code injection technique in which malicious SQL statement is inserted to manipulate data from your database. This will allow attackers to get the sensitive information from your database. Now let's start.

REQUIREMENTS:

    • brain.exe
    • knowledge in SQL
    • your web project (as a test)

STEPS:

As an example, I'm going to use the site that I just created in my localhost.

1. visit your project or the website that I created.
2. Once you're on the website, we will search for some links that ends with an id number or newsid or userid, etc...
let's say for example that you found a URL like: You must register or login to view this.
3. Notice that in the end of the URL, there is a view.php?userid=1.
4. That is what we need to find a vulnerability. To check if the website is vulnerable in SQL injection, we will use a single quote( ' ) and then hit enter.
View attachment 649878

5. If you will receive a message about SQL error, that means that the website is vulnerable in SQL injection.
View attachment 649879

6. Now, let's remove the single quote that we added to the URL and then do this:
View attachment 649880

This will check if how many columns do we have in a table. If you didn't receive any SQL error, increase the number of ORDER BY until you will see an SQL error message.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this.
You must register or login to view this. and so on... and so fort.

If you received a SQL error message, that means, the number that you entered does not exist. let's say for example, you encountered a SQL error message in ORDER+BY+5, this means that there is only 4 columns in the table. but what table? we will find that out later.
View attachment 649883

7. Now let's try to check the vulnerable columns. Do this: You must register or login to view this.
View attachment 649887

This will show multiple vulnerable columns. notice that I added a minus sign ( - ) to bypass the SQL error when searching a vulnerable columns.
You will see that there is 2 AND 3 as our vulnerable columns. we will use one of these to get a sensitive information. Choose any of the numbers. In my case, I will choose 3.

8. Now let's find the version of the MySQL of the website. To do that:You must register or login to view this.
View attachment 649889

9. Since we already know the Mysql version, let's check the database name. To do that: You must register or login to view this.
View attachment 649891

10. Now we also have the database. Let's get the username of the mysql host. To do that: You must register or login to view this.
View attachment 649895

11. Now that we have some of the database information, let's get the tables from the database. To do that: You must register or login to view this.
View attachment 649904
we have here members and news table. Now.. what we need is the most sensitive information and that is the user's accounts. I'm going to members table since I'm pretty sure that the username, password, etc, etc.... is here. Now, before we proceed, we will first go to google and search for text to hex and then hit enter. there are a lot of search results but in my case, I'm going to use You must register or login to view this. to convert the word members into hex. Now just paste the table name that you just selected (members table) to the text to hex converter and then click the convert button. The result for members table should be like this:
View attachment 649905
Now let's remove the spaces of the hex. It should look like this: 6d656d62657273

12. With that, we can fetch the columns of the table members. so let's proceed in fetching the columns. To do that: You must register or login to view this.
View attachment 649907
Note that after the TABLE_NAME=, I added a 0x (zero and x) before our hex value 6d656d62657273. This is to bypass the SQL queries that we just sent because it won't work if we will use the plain table name members. 0x will be reading our hex values and will convert it to a plain text. After this, you should see a list of columns.

13. Now that we have the columns from the members table, we will get the value of the columns. Before that, we will first select what columns that we need to uncensored. In my case, I'm going to choose email and password. To do that: You must register or login to view this.
View attachment 649912
Note that I selected 2 columns namely email and password. I also added a 0x3a which is a hex value. 0x will read the hex value and the value that we passed is the 3a. 3a means : (or colon) in plain text. This is because we want to separate the results of our SQL queries. Notice that I have the columns:

lightiskira07@gmail.com:153624123,
asdf@gmail.com:123456789


we have successfully fetched two data from the table named members. notice that there is a comma (,) after the password of 153624123 this is because we have another data. So that's how SQL injection works. But how can we prevent it? There are a lot of ways to prevent SQL injection. Sanitizing our data that we are going to pass is one of the prevention. In this tutorial we have view.php?userid=1 the userid which is 1 is a GET data and is not sanitized. In PHP script, there are a lot of ways to sanitize the data. If you want to sanitize the GET data which has an INT value, we can sanitize it by:

<?php

$userid = mysqli_real_escape_string($connection, $row['userid']);

?>


Before we pass the value of the userid, we should use mysqli_real_escape_string() to escape unwanted strings like special characters. We can also sanitize the INT value by converting it to int:

<?php
(int)$_GET['userid'];
?>


if you are using a POST data, you can use mysqli_real_escape_string() or addslashes(). addslashes() will sanitize your data by adding a slash in your string data. for example, you entered a string value myusername'. With addslashes(), it will become myusername\'. This is to sanitize the single quote that you entered. You can also use the addcslashes() if you want to sanitize your data in C style. So, I have that you learned something in this thread that I posted. If you have any questions or you have more ideas in preventing the SQL injection, you can comment below so that those who has no knowledge about it will have more ideas.

NOTE: This is for educational purposes only.
will try this later. thanks!
 
Top